I faced the same issue with Tomcat 7.0.47. You can find the details below on how I applied the patches and got things working.
By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You have to apply these two patches in order to run TLSv1.1 and TLSv1.2:

https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu Trusty. Here is my test result:

    root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
    CONNECTED(00000003)
    depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
    verify return:1
    ---
    Certificate chain
     0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
       i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
    issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 828 bytes and written 445 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
        Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
        Session-ID-ctx:
        Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        Start Time: 1388926368
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    read:errno=0

Server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               SSLProtocol="all" clientAuth="false"
               SSLCertificateFile="/home/san/sinful.pem"
               SSLCertificateKeyFile="/home/san/sinful.key" />

How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch will be applied to tomcat-native-1.1.29.
After the patch, compile it using:

    cd tomcat-native-1.1.29/jni/native/
    ./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
    make
    cd tomcat-native-1.1.29/jni
    ant

Copy the libs and place them in the default lib directory of Ubuntu:

    cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/

2- Get the source code of tomcat-7.0.47. Install JDK 6 and apply this patch to tomcat-7.0.47: https://issues.apache.org/bugzilla/attachment.cgi?id=30166. Export the JDK 6 path. Run "ant" in the source folder; this will download many files and also compile the code. There will be some errors related to SSLv2. Comment out that code, as SSLv2 is no longer supported. After the successful build, start the Tomcat server. Let me know if there are still any errors.

Regards,
Sanaullah

On Tue, Sep 2, 2014 at 10:34 PM, Amos Anderson <amos.ander...@protabit.com> wrote:
> Hello Tomcat Users --
>
> I posted this question elsewhere yesterday and then realized I should have
> sent it to this mailing list.
>
> I'm trying to configure tomcat7 to support TLS 1.2 (which was released 6
> years ago). I can get TLS 1.0 to work, but NIST [says][1] that I "shall
> not" use TLS 1.0. I know I can use JSSE instead to get TLS 1.2, but why
> can't I get APR to support it? A few online guides I've read recommend APR
> over JSSE, it looks like I get better ciphers out of the box with
> APR/OpenSSL than JSSE, and I can use cipher suites with OpenSSL so it seems
> easier to maintain.
>
> According to [this][2] bug report it might be available with a patch, but
> I'd have guessed it would be standard by now. Is there some other gratis
> way of getting OpenSSL in tomcat, or is it simply the case that there's
> insufficient interest in tomcat native for security purposes?
>
> For reference, I've got Tomcat 7.0.55 and tomcat-native 1.1.30. I don't
> get any warning during startup, and I know I'm only getting TLS 1.0
> because that's what clicking the lock in my browser tells me and [Qualys
> SSL Labs][3] says TLS 1.2 is not available on my server. My connector is:
>
> <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
> ...
> SSLProtocol="TLSv1"/>
>
> And note that `TLSv1` is the [only][4] TLS value allowed for
> `SSLProtocol`. Following `mod_ssl`'s `SSLProtocol`, I tried `TLSv1.2` but
> that drew an exception. Unfortunately, I can't find any discussion of this
> online.
>
> Thanks!
> Amos.
>
> [1]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
> [2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
> [3]: https://www.ssllabs.com/ssltest/index.html
> [4]: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
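As an added example that is not part of this thread, a small POSIX shell script that runs the same `openssl s_client` check Sanaullah did by hand, once per forced TLS version, so you can see from the command line which versions the 8443 connector negotiates instead of relying on the browser lock icon or SSL Labs. It assumes `openssl` is in PATH and takes a host:port argument; the policy labels in `classify` are my own mapping of the NIST SP 800-52r1 point Amos cites, not anything stated by the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: probe which TLS versions a Tomcat
# APR/OpenSSL connector really negotiates, forcing one version per
# "openssl s_client" run and parsing the SSL-Session block it prints.
# Assumes openssl is in PATH and HOST:PORT (e.g. 127.0.0.1:8443) is reachable.

# Read an s_client transcript on stdin; print "<protocol> <cipher>", or
# "none" if no session was set up (s_client then reports Cipher : 0000).
parse_session() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (proto == "" || cipher == "" || cipher == "0000") print "none"
            else print proto, cipher
        }'
}

# Policy mapping assumed here: TLS 1.2+ ok, TLS 1.1 legacy, and TLS 1.0 or
# any SSL rejected, following the NIST SP 800-52r1 "shall not" cited above.
classify() {
    case "$1" in
        TLSv1.2|TLSv1.3)   echo "ok" ;;
        TLSv1.1)           echo "legacy" ;;
        TLSv1|SSLv3|SSLv2) echo "reject" ;;
        none)              echo "unsupported" ;;
        *)                 echo "unknown" ;;
    esac
}

# Force one protocol version (-tls1, -tls1_1 or -tls1_2) against host:port.
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null | parse_session
}

# Report every version: -tls1 negotiating while -tls1_2 returns "none" is
# exactly the symptom Amos saw with SSLProtocol="TLSv1".
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        result=$(probe "$1" "$flag")
        printf '%-8s %-40s %s\n' "$flag" "$result" "$(classify "${result%% *}")"
    done
}

# Constructed excerpt of the transcript shape parse_session expects.
SAMPLE='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384'

if [ $# -eq 1 ]; then probe_all "$1"; else printf '%s\n' "$SAMPLE" | parse_session; fi
```

Run it as `sh probe_tls.sh 127.0.0.1:8443` after applying the patches; with SSLProtocol="all" the -tls1_2 line should report TLSv1.2 and "ok".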