Giuseppe,

On 2/13/13 4:47 PM, Giuseppe Sacco wrote:
> I have an application deployed on tomcat 6.0.35 and linux/amd64
> with a JSSE https connector. When I try to connect to this site
> with default iPad browser, I always get an error message about the
> connection cannot be established.
>
> Tomcat version is the one shipped with Debian, and uses jdk
> 1.6.0_u39 with jce unrestricted policy. I also added bouncy castle
> jar in $JAVA_HOME/jre/lib/ext and added its provider in
> $JAVA_HOME/jre/lib/security/java.security as last in the provider
> list. After restarting tomcat nothing changed.

Did you add Bouncy Castle just to see if it would improve things? Or
are you attempting to use Bouncy Castle as your provider?

> I used the command line tool "ssldump" to check what happens and
> it seems the problem is in the cipher suite used by iPad: none of
> the ciphers is accepted by the server.
>
> This is what the ssldump command shows:
>
> New TCP connection #1: host35-105-static.24-87-b.business.telecomitalia.it(59049) <-> 192.168.1.55(8443)
> 1 1  0.0979 (0.0979)  C>S  Handshake
>       ClientHello
>         Version 3.3
>         cipher suites
>         TLS_RSA_WITH_AES_128_CBC_SHA
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_AES_256_CBC_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_DHE_DSS_WITH_NULL_SHA
>         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>         TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_RSA_WITH_NULL_SHA
>         TLS_RSA_WITH_NULL_MD5
>         compression methods
>                   NULL
>
> iPad does try a few times, changing the version number, but it
> fails every time and eventually stops.
>
> When connecting using Chrome on the very same iPad, the connection
> works.

Wow, I had no idea that Google Chrome was available for iOS. Cool!
> The relevant dump is:
>
> New TCP connection #1: host35-105-static.24-87-b.business.telecomitalia.it(59049) <-> 192.168.1.55(8443)
> 1 1  0.0979 (0.0979)  C>S  Handshake
>       ClientHello
>         Version 3.3
>         cipher suites
>         TLS_RSA_WITH_AES_128_CBC_SHA
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_AES_256_CBC_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_DHE_DSS_WITH_NULL_SHA
>         TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>         TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>         TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_RSA_WITH_NULL_SHA
>         TLS_RSA_WITH_NULL_MD5
>         compression methods
>                   NULL
>
> The cipher accepted by the server is:
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>
> The connector I use is:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true" clientAuth="false"
>            sslProtocol="TLS" proxyName="www.my-visible-name.tld"
>            proxyPort="8443" address="192.168.1.55" />

It's traditional to specify a server key and certificate when
configuring SSL. Where are yours configured?

> So, my question: how to configure tomcat for accepting a broader
> range of ciphers, or at least to accept even one of those used by
> this browser?

The default cipher suite depends upon your JVM, and is usually fairly
inclusive. Here's a little program I wrote to find out what your JVM
will support and what its default cipher suite will be:

http://markmail.org/message/zn4namfhypyxum23

-chris
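As an added example (my own, not the program Chris links to), here is a small JSSE check that takes the suite list from the iPad's ClientHello above and reports, for each one, whether the JVM's default SSLContext enables it, merely supports it (so it could be listed in the Connector's `ciphers` attribute), or does not know it at all. It assumes the same JVM that runs Tomcat, and it flags the NULL-cipher suites in the offer, which provide no confidentiality and should stay disabled.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/** Compares a client's offered suites with what this JVM's JSSE will serve. */
public class CipherOverlap {

    // Suites the iPad offered in the ClientHello captured with ssldump above.
    static final String[] CLIENT_OFFERED = {
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_NULL_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_NULL_SHA",
        "TLS_RSA_WITH_NULL_MD5"
    };

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        // Enabled by default: what a JSSE Connector offers with no "ciphers" attribute.
        Set<String> enabled = new LinkedHashSet<String>(
                Arrays.asList(factory.getDefaultCipherSuites()));
        // Supported: everything the provider could enable if named in ciphers="...".
        Set<String> supported = new LinkedHashSet<String>(
                Arrays.asList(factory.getSupportedCipherSuites()));

        for (String suite : CLIENT_OFFERED) {
            String verdict;
            if (suite.contains("_NULL_")) {
                verdict = "NULL cipher: no confidentiality, leave disabled";
            } else if (enabled.contains(suite)) {
                verdict = "enabled by default";
            } else if (supported.contains(suite)) {
                verdict = "supported but disabled: list it in the Connector's ciphers attribute";
            } else {
                verdict = "not supported by this JVM";
            }
            System.out.printf("%-36s %s%n", suite, verdict);
        }
        // An enabled suite still only negotiates if the keystore holds a matching key:
        // TLS_RSA_* and TLS_DHE_RSA_* need an RSA certificate, TLS_DHE_DSS_* a DSA one.
    }
}
```

Run it with the JDK Tomcat actually uses (the Debian package may pick a different one than your shell), since the enabled and supported lists differ between JVM versions and providers.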