On 01/20/2015 10:08 AM, Christopher Schultz wrote:

> Matthew,
>
> On 1/18/15 1:54 PM, Matthew Mah wrote:
>> I have setup a Tomcat server using spring-boot with SSL/TLS for
>> secure websockets.
> Tomcat version? JVM version? Any relevant configuration?
Tomcat 8.0.15.
Multiple JVMs:
java version "1.7.0_55" OpenJDK Runtime Environment
java version "1.7.0_65" OpenJDK Runtime Environment
java version "1.7.0_71" OpenJDK Runtime Environment

I have tried the default ciphers, as well as:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed as both supported and enabled for Android API 11+
http://developer.android.com/reference/javax/net/ssl/SSLSocket.html

I would prefer a stronger cipher suite (not SHA1), but right now I am looking for anything that works.


>> This works for Android 4.4, iOS, Firefox, and Chrome clients.
>> Android 5.0 clients (Nexus 5) fail the SSL handshake.
> What protocol and ciphers are those working browsers using?
Chrome: TLS 1.2 ECDHE RSA AES 128 CBC SHA1
Firefox: TLS v? ECDHE RSA AES 128 CBC SHA1

> Check the archives for a somewhat recent post by me including code to
> scan an SSL server for the protocols and ciphers it supports.
That's a great tool you've written. Using the shortlist of cipher suites on Tomcat above, this is supported:
 Accepted    TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA


>> Has anyone successfully setup secure websockets with Android 5?
>>
>> I know there are SSL/TLS changes in Android 5, and so far I am
>> unable to find any combination of configurations on the server and
>> client to successfully connect. If someone else has gotten this to
>> work, at least I will know I am making an error somewhere.
>>
>> I have details posted on stack overflow:
>> http://stackoverflow.com/questions/28011581/android-5-0-lollipop-websocket-ssl-handshake-failure
> It looks like you might have to re-enable the SSLv2Hello
> pseudo-protocol, which is weird because Android 5 should definitely
> speak TLS.
>
> -chris
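For anyone following this thread later: the cipher shortlist Matthew tested and the SSLv2Hello suggestion from Chris both map onto attributes of a Tomcat 8.0.x JSSE HTTPS connector. The snippet below is an added example, not configuration from either poster or from the Stack Overflow question; the port, keystore path and password are placeholders, and the cipher list is simply the three suites the scan above shows the server accepting.

```xml
<!-- Added example (not from the thread): Tomcat 8.0.x JSSE HTTPS connector
     with the protocol list and cipher list pinned explicitly instead of
     inheriting the JVM defaults. keystoreFile/keystorePass are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />

<!-- Variant of the same attribute that follows Chris's suggestion. SSLv2Hello is
     not a cipher protocol: it only lets JSSE accept a ClientHello wrapped in the
     SSLv2 record format and then negotiate one of the listed TLS versions.
     SSLv3 stays disabled because it is not in the list.
     Use on the Connector above in place of the sslEnabledProtocols line:

     sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
-->
```

With Tomcat embedded via Spring Boot the same Connector attributes are set programmatically rather than in server.xml, but the names and values are identical. After changing either list, confirm the result with the scanner Chris mentions or with a single targeted handshake such as `openssl s_client -connect host:8443 -tls1_2 -cipher ECDHE-RSA-AES128-SHA`, and check the server log for the JSSE handshake failure message when a client is still rejected, since a cipher the server "supports" is only usable when the configured certificate's key type (RSA here) matches the suite's authentication algorithm; the DSS suite in the original shortlist would never be offered with an RSA certificate, which matches its absence from the scan output.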