-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Steffen,
On 6/16/14, 12:01 PM, Steffen Heil (Mailinglisten) wrote: > Okay, I must have overlooked the "keystoreProvider" attribute > completely. Sorry for that and thanks a lot for the hint. > > However that only solved the loading part of the problem. The > certificate is still unusable. > > When I try to connect, the browser reports an error. I set > javax.net.debug=all and got the output below. > > I notice, that the server and the client cannot agree on the > ciphersuite (fatal error: 40: no cipher suites in common) but I am > lost on what I would need to configure. I did remove all settings > of sslProtocol, sslProtocols and ciphers, as I think my old > defaults will not match a ECC certificate, but still it does not > work. > > Any further hint? Try connecting with openssl s_client instead of a browser. Then you can get more information on the client side. Are you sure your browser supports ECC? Also, Java (Oracle JRE v1.0.7) supports ECDH and ECDHE cipher suites like these: * TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 * TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 I'm no expert on the JRE's support for crypto algorithms and certificates, but the above seems to indicate that ECC is in fact supported. Am I missing something? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJToFzgAAoJEBzwKT+lPKRYkRkQALuTcXQKrxgm+gLVNkBML8cI A7ApPKTNP1xXu3MeqM9EDgeKScbAIi0PQzB/tNdfYMzu+/IznqtXAElND3hNBm7p Guhy5hyApQzuCrY1jUSUT/+/rQ5E8KCnYFS6aBD9cbkI4D9HMk3BiWFpVhgPyYEt dBEAm/Ftk+4dZzl/yns+HjnafIkHzRgxRkVxl/HGtaFnT45SGETMYRJv/Pz+p6sD Xh19hgza43JEPzMW6Wp+zCkVMnmcciEoFjWNqQeADObSUDwc6mNsbOO6i6GLZxjH AGr4BRvRUqP7WC06nO4zFUHtqffDBMej6PJH3lNc1rGD9PyoKtHsbfPnZ+Phcloe DwX3XerojLt/SpRJqe4jNH0WSx2NBbdBoqm5/AImMMsInJjr+PXeLn5+x+C/9grd dYwtJ/ytUfuybXtVHRnhnAZ6pG0KDSNG0QGvsNhmyu/s5o1GDiwC9tdm/n9ZFTI8 tUOMRwX7hAELYwBRx1/TNEB6FU7y8JXMiW1nQLKrjaA0R3RFMpq4Vrbbbuoev87f jDi4ZULw7VudyCvlc9QOv7aSCaqEHxnkHtlFVBHmWFwrLnSiHY1qvdtIA2k4RDAn 1orA+1XdCLFOyVf78hEpUS/xhdZz2izY4wqxHjLw0aMxPhCspA/NrBwBuPWYhfMZ c3KusK9QnZiA66xjYRVb =8+su -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
