2016-09-22 6:16 GMT-04:00 André Warnier (tomcat) <a...@ice-sa.com>:

> Dono,
>
> Ok, this is really a long shot, and I really do not know what I am
> talking about..
>
> I just want to point out that in the course of doing some searches on the
> WWW with keywords related to your issue, I seemed several times to come
> across articles which were referring to some restrictions in Java
> cryptography, having to do with US export regulations (cryptography being
> an area submitted in part to such rules).
> In my limited understanding, the apparent gist of it seemed to be that
> - for systems based in the US, by default some java-cryptographic modules
> allow some encryption methods (or key strengths etc.)
> - while for non-US-based systems some of these methods/strengths are by
> default disabled
> To re-enable these methods, one has to either change some java parameters
> (at the risk of falling foul of said export restrictions), or replace some
> standard underlying libraries, by other similar ones developed outside of
> the US.
> And, in some cases, such "similar" libraries may throw exceptions where
> the standard ones would not.
> All of the above to take with a grain of salt, considering my almost total
> lack of knowledge in the matter.
> But, considering that your production system may be one case, and your
> staging systems another, and considering that so far nobody seems to have
> found the ultimate answer to your problem, this could be an area to
> investigate.
>
> I will make another wild guess : a lot of people on this list probably
> either work predominantly on US-based systems, or don't know about such
> restrictions, or are unfamiliar with them, and for such reasons have
> probably never encountered the kind of issue which you mention. So it is
> probably no wonder that everyone seems to be a bit in the dark (including
> myself).
>

Not exactly that.
By default, Java is shipped or distributed without the Unlimited Strength Policy Files (you have to replace 2 jars in jre/lib/security). The reason they are not installed by default is that they are not legal everywhere. If it is legal in your country, you can simply install them and you have exactly the same libraries and algorithms as those who have an unrestricted installation by default.

For Oracle JDK 1.8, you can download the files from this URL:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

I have many Tomcat instances doing TLSv1.2 without problem. I only encountered problems with Tomcat 7 on one server for a still unknown reason and very unlikely related to Java itself. I have over 70 Tomcat instances all running TLSv1.2 and in use daily 7/24. I am using the Unlimited Strength Jurisdiction Policy Files for Java 8.

Regards,
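
Added example, not part of the original message or of Tomcat: a small Java 8 diagnostic to run on each server (for instance production and staging) with the same JRE that Tomcat uses. It reports whether the unlimited strength policy is in effect and which AES-256 suites a default TLSv1.2 context enables. The class name `JcePolicyCheck` is an assumption.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical class name; compile and run with the JRE that Tomcat is started with.
public class JcePolicyCheck {

    // True when the JCE policy in effect allows AES keys longer than 128 bits
    // (128 is the limit of the default restricted policy).
    static boolean unlimitedPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Counts the AES-256 suites among the given cipher suite names.
    static long countAes256(String[] suites) {
        return Arrays.stream(suites).filter(s -> s.contains("AES_256")).count();
    }

    public static void main(String[] args) throws Exception {
        // Identify which JRE is actually being inspected.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key  = "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));
        System.out.println("policy       = "
                + (unlimitedPolicy() ? "unlimited strength" : "restricted (default)"));

        // Default TLSv1.2 context: default key managers, trust managers and SecureRandom.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("protocols    = " + Arrays.toString(enabled.getProtocols()));
        System.out.println("suites       = " + enabled.getCipherSuites().length
                + " enabled, " + supported.getCipherSuites().length + " supported");
        System.out.println("AES-256      = " + countAes256(enabled.getCipherSuites())
                + " enabled suites");
        for (String suite : enabled.getCipherSuites()) {
            if (suite.contains("AES_256")) {
                System.out.println("  " + suite);
            }
        }
    }
}
```

The output reflects the JRE defaults only; cipher or protocol restrictions set on the Tomcat connector are applied on top of them.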