On 1/4/2014 1:18 PM, Christopher Schultz wrote:
Mudassir,
On 1/4/14, 4:08 PM, Christopher Schultz wrote:
Mudassir,
On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
Again, we have to submit this as a bug.....TLS 1.2 is not
working in Tomcat
Tomcat 7.0.74
Oracle Java 1.7.0_45
tcnative 1.1.29 trunk (essentially 1.2.29
tcnative$ make clean
tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
tcnative$ time make
[...]
make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
real 0m14.790s
user 0m15.300s
sys 0m1.840s
tcnative$ cp -d .libs/* $CATALINA_HOME/bin
tcnative$ cd $CATALINA_BASE
tomcat$ cat conf/server.xml
[...]
<Connector port="8218"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true" secure="true" scheme="https"
SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
SSLCertificateChainFile="[...]" SSLProtocol="all"
executor="tomcatThreadPool" URIEncoding="UTF-8" />
[...]
tomcat$ bin/startup.sh
[...]
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
[...]
tomcat$ openssl s_client -connect myhost:8218
[...]
verify error:num=19:self signed certificate in certificate chain
[...]
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
[...]
*disconnect*
I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
Looks like TLS1.2 works just fine in the default configuration
(SSLProtocol="all" is the default).
Let's try your configuration. I'm only going to change SSLProtocol
from "all" to "TLSv1":
<Connector port="8218"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true" secure="true" scheme="https"
SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
executor="tomcatThreadPool" URIEncoding="UTF-8" />
*Restart Tomcat*
tomcat$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
[...]
Trying again with Firefox 26 gives me
cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
Let's try restricting to only your cipher. Let's make sure that my
OpenSSL version supports it, first:
tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
Yup. Let's configure it in Tomcat:
<Connector port="8218"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true" secure="true" scheme="https"
SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
executor="tomcatThreadPool" URIEncoding="UTF-8" />
$ openssl s_client -connect myhost:8218
CONNECTED(00000003)
139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
$ openssl s_client -tls1 -connect myhost:8218
CONNECTED(00000003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
$ openssl s_client -tls1_1 -connect myhost:8218
CONNECTED(00000003)
140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
$ openssl s_client -tls1_2 -connect myhost:8218
CONNECTED(00000003)
139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Firefox also fails with "ssl_error_no_cypher_overlap".
$ sslscan myhost:8218
Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009
Testing SSL server myhost on port 8218
The cipher appears to be supported by both client (OpenSSL
s_client) and server (Also using the same version of OpenSSL) but
the handshake cannot complete.
Let's try another cipher. How about one that worked before:
DHE-RSA-AES256-SHA
<Connector port="8218"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true" secure="true" scheme="https"
SSLCipherSuite="DHE-RSA-AES256-SHA" SSLCertificateKeyFile="[...]"
SSLCertificateFile="[...]" SSLCertificateChainFile="[...]"
SSLProtocol="TLSv1" executor="tomcatThreadPool" URIEncoding="UTF-8"
/>
$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
[...]
Works. Firefox 26 also works.
There must be some kind of problem with configuring
ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?
Oh, I also tried this:
<Connector port="8218"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true"
secure="true"
scheme="https"
SSLCertificateKeyFile="[...]"
SSLCertificateFile="[...]"
SSLCertificateChainFile="[...]"
SSLProtocol="TLSv1"
executor="tomcatThreadPool"
URIEncoding="UTF-8" />
$ openssl s_client -connect myhost:8218 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
140418231797416:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
(Try some other cipher)
$ openssl s_client -connect myhost:8218 -cipher DHE-RSA-AES256-SHA
[...]
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
[...]
$ sslscan myhost:8218 | grep ECDHE-ECDSA
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
It looks like there is something wrong with the ECDHE-ECDSA suites. If
anything, this is an OpenSSL problem and not a Tomcat one: Tomcat
doesn't do anything with the crypto, here.
-chris
Did you make an ECDSA cert?
. . . . still in RFP response mode, so only 1/2 cent here
/mde/
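The two conditions behind the handshake failures in this thread, as an added example that is not part of the original messages: a suite can be negotiated only if its `Au=` field matches the key type of the server certificate and its protocol column is permitted by the connector's `SSLProtocol`. The cipher table is a constructed sample in `openssl ciphers -v` format, `check_suite` and `usable_suites` are hypothetical helper names, and the final call assumes an RSA server certificate.

```shell
#!/bin/sh
# Constructed sample in `openssl ciphers -v` format:
# name, minimum protocol, key exchange, authentication, encryption, MAC.
CIPHERS='ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1'

# check_suite SUITE KEYTYPE SSLPROTOCOL   (hypothetical helper)
#   KEYTYPE     key type of the server certificate: RSA or ECDSA
#   SSLPROTOCOL connector setting as used in the thread: "all" or "TLSv1"
# Prints "ok" or the reason the server cannot select the suite.
check_suite() {
    suite=$1 keytype=$2 proto=$3
    line=$(printf '%s\n' "$CIPHERS" | awk -v s="$suite" '$1 == s')
    [ -n "$line" ] || { echo "unknown-suite"; return 0; }
    minver=$(printf '%s\n' "$line" | awk '{print $2}')
    au=$(printf '%s\n' "$line" | awk '{sub(/^Au=/, "", $4); print $4}')
    if [ "$au" != "$keytype" ]; then
        # The suite authenticates with a key type the certificate does not have.
        echo "cert-mismatch:needs-$au-cert"
    elif [ "$minver" = "TLSv1.2" ] && [ "$proto" = "TLSv1" ]; then
        # SHA256/SHA384/GCM suites exist only from TLS 1.2 onwards.
        echo "protocol-mismatch:needs-TLSv1.2"
    else
        echo "ok"
    fi
}

# usable_suites KEYTYPE SSLPROTOCOL: names of the sample suites that pass both checks.
usable_suites() {
    printf '%s\n' "$CIPHERS" | while read -r name _rest; do
        if [ "$(check_suite "$name" "$1" "$2")" = "ok" ]; then
            echo "$name"
        fi
    done
}

# The configuration tested in the thread, assuming an RSA server certificate.
check_suite ECDHE-ECDSA-AES128-SHA256 RSA TLSv1
```

To get the key type of a real certificate, `openssl x509 -in cert.pem -noout -text` prints it on the "Public Key Algorithm" line.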