-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Daniel,
You don't seem to have received a response about this...
On 10/11/16 2:13 PM, Daniel Savard wrote:
> I have a problem which evades me for a too long time. I am just
> unable to find out what is wrong. I have a Tomcat 7.0.72 (version
> doesn't matter the problem exists with 7.0.68 and 7.0.70 as well)
> with Oracle JDK 1.8.0_102 (the version doesn't matter much neither
> since the problem manifests with 1.8.0_92, 1.8.0_77 as well).
>
> My Tomcat is unable to complete its TLSv1.2 handshaking protocol. I
> am getting this in my log when enabling SSL debug:
>
> [snip]
>
> The key message seems to be: Extension elliptic_curves, curve
> names: {unknown curve 29,
> java.security.spec.ECParameterSpec@2b839e7c,
> java.security.spec.ECParameterSpec@55e0b1ed}
That seems okay to me: Java understands 2 of the 3 curves supported by
the client. Curve 0x19 is secp521r1 which is not mentioned by the NSA
Suite B publication, so it's often not implemented.
> I should get something with a list of recognized curves.
It looks like 2 of them are recognized.
> Later, when the server will complete the handshaking with a fatal
> error, it will obviously fail agreeing on the curve and share
> parameters. Like this:
>
> -------------------------
>
> ****** ECDH ServerKeyExchangeSignature Algorithm
> SHA512withRSAServer key: com.rsa.cryptoj.o.fn@a9c1e230***
> ServerHelloDone
>
> --------------------------
It "will", or it /does/?
> Where I should get the name of the curve and the parameters for the
> shared secret.
If the runtime doesn't implement the curve, you can't use it. The
question is why the client and the server won't use the two curves
they *do* agree on.
Which client is this? Many clients (e.g. Google Chrome, MSIE/Edge)
don't support curve #19. I use Mozilla Firefox, which currently does
support curve #19. Does your TLS site work with Firefox? Apple Safari
also supports curve #19.
> Since I have some other instances on the same server running just
> fine. I wonder what I should look for. What can lead to this
> failure?
>
> Yes, I have the Unlimited JCE Policy installed and working for
> other instances of Tomcat 8. Both Tomcat 8 and Tomcat 7 on this
> server share the very same JDK.
The JCE security policy probably isn't affecting this.
> In the Firefox browser, the message is as follow: Unsupported
> elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE
> Which is the most descriptive message among the three following
> browsers: IE 11, Chrome and Firefox. IE11 and Chrome are
> complaining about TLS protocol error without saying anything about
> the cause of the error.
Can you post your <Connector> configuration?
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJYI5EcAAoJEBzwKT+lPKRYeOoP/2BrT/w7LUqtWArAvM+ZiTv1
DCc/aLV2vmpS4v4LZo3oKPw3Ar4C0jeqH4XT9/fkW7Xe5zUsf1saguUL9jtfit1K
p2Rwu9kgLBkeXq4zRIcFmE0CL1pS2aG8qXRY6Uzoz9ij1Pd2biXcsNecirC/ISTI
oJUSiHkbT9SZ6dePsgsfbrARP2Z+C4TiIZe+Aum9J/StQK/go3RogX1vbRCtVwRb
KV0E8CDz405to9+QCgzI+27pBZfm4YX9oukK4oiz6P4fi/JsYKarDl2twIXIGgSc
FETU/FE3W8qBNNU4o9yse7obNHq8UoDqOI3IEie9+We5fst2aNzSk0+jFmvXXaK9
1h38ca690qoAGp/ZNkB0scxq4v89XQHUc/I+Rq65UDEPZ9WZZqwBeyCLf/j9TyRs
MK9oISk58Yr8owLpIqv5lEzSr3nVCfAlegdOtawRd2jY3PvilJ7DhHzpvjqBYvwF
WBHuzB6N2ZdkP6aBHHzHCv20ihl7KfLWSpvOl5XJ32wNF1zT7bbaCDEi9Bhk7SQ4
Mu12gAWbwvFQ+dHE7OPAHKfRgHDLsHJLDhkDGqRKbmbDKsNvBajTQTsDZWN7gvVy
RnEX6kiibVVAI1ZtAJtpe9iizWicZNxCU9Dkp90FWLfDxgOV1EDEar5ugkr/61v1
R+dRyrm1xgENrzkF+1KK
=fuYO
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
