Hi Cris,
Il giorno ven, 15/02/2013 alle 12.36 -0500, Christopher Schultz ha
scritto:
[...]
> > Allow legacy hello messages: true [snip] http-192.168.1.55-8443-1,
> > READ: SSLv3 Handshake, length = 75 *** ClientHello, SSLv3
> > RandomCookie: GMT: 1360933724 bytes = { 203, 86, 168, 88, 75, 77,
> > 52, 134, 4, 76, 204, 78, 0, 160, 168, 123, 96, 78, 106, 23, 40, 47,
> > 219, 81, 28, 23, 174, 156 } Session ID: {} Cipher Suites:
> > [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, Unknown 0x0:0x3d, Unknown
> > 0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,
> > SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA,
> > SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x6b,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0x0:0x3b,
> > SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5] Compression Methods:
> > { 0 } ***
>
> So the client is doing an SSLv3 handshake. The message above about
> allowing legacy "hellos" seems like it should support a SSLv3
> handshake. Looking at the ciphers, your JVM (without BouncyCastle) and
> client truly have no overlap. I'm actually surprised that your JVM
> does not support any TLS_RSA_* or TLS_DHE_* ciphers. Can you re-run my
> cipher-dump program without BouncyCastle and provide the full output?
> I was a little unclear as to what you posted last time.
I listed all providers here:
http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
as you may see, a few of them are TLS_RSA and TLS_DHE:
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
They are also listed as "default" ciphers, so -- if I understood what
default means -- they should not be enabled explicitly.
They overlap with those client ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Is there any possibility that some of those server ciphers are disabled
because of the algorithm used in the server certificate? Its signature
algorithm is SHA1withDSA. I created it with this command line:
keytool -genkeypair -alias tomcat -keystore ~tomcat6/.keystore
A side note: is it possibile to put tomcat behind a web server and make
the latter encrypt in SSL? This would imply that communication between
the web server and tomcat would be in clear, but how do I create the
connector proxy* information? I may specify proxyName and proxyPort, but
I cannot specify proxyProtocol. Is this right?
Bye,
Giuseppe
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
