-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 James,
On 10/4/17 3:15 PM, James H. H. Lampert wrote: > Christopher Schultz (Tomcat list guru) wrote: /me bows >> Looks like your server only has ECDHE-based suites available, and >> the client supports none of those. Can you post your <Connector> >> configuration from conf/server.xml? > > Yes, and I can also post something else. > > I found the Java source for your own "SSLInfo" program (yes, I > actually do attempt to pursue any line of research that occurs to > me, even as I'm begging for help), compiled it, and put it onto > both the local box where the AS/400 is able to connect to the > Tomcat server, and on the cloud server where it isn't. > > On the local box, running Tomcat 7, I get: >> java -showversion SSLInfo java version "1.7.0_131" OpenJDK >> Runtime Environment (IcedTea 2.6.9) (7u131-2.6.9-2~deb8u1) >> OpenJDK Client VM (build 24.131-b00, mixed mode, sharing) >> >> Default Cipher SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * >> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA >> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * >> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA >> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA >> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 >> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA >> SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA >> SSL_RSA_EXPORT_WITH_RC4_40_MD5 * >> SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA >> SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA >> SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA * >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA * >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA * >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA * >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA * >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 >> TLS_DH_anon_WITH_AES_128_CBC_SHA >> TLS_DH_anon_WITH_AES_128_CBC_SHA256 >> TLS_DH_anon_WITH_AES_256_CBC_SHA >> TLS_DH_anon_WITH_AES_256_CBC_SHA256 * >> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA * >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA * >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA * >> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA * >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDHE_RSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA * >> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * >> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA * >> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA * >> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA * >> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA * >> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_NULL_SHA >> TLS_ECDH_RSA_WITH_RC4_128_SHA >> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA >> TLS_ECDH_anon_WITH_AES_128_CBC_SHA >> TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA >> TLS_ECDH_anon_WITH_RC4_128_SHA * >> TLS_EMPTY_RENEGOTIATION_INFO_SCSV >> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 >> TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA >> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA >> TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA >> TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA >> TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * >> TLS_RSA_WITH_AES_128_CBC_SHA * >> TLS_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_RSA_WITH_AES_256_CBC_SHA * >> TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_NULL_SHA256 Right. That confirms that your Tomcat 7 server supports quite a few cipher suites, many of which are enabled by default. On that server, you'd have to specifically disable them in order for them not to work. (Some of them might be SSLv3 cipher suites, and would be disabled along with that protocol, but most cipher suites are for a "protocol X or higher" kind of thing). > and the relevant connector in server.xml (line breaks added, > sensitive information redacted) is > >> <Connector port="8090" >> protocol="org.apache.coyote.http11.Http11Protocol" >> compression="on" compressionMinSize="2048" >> noCompressionUserAgents="gozilla, traviata" >> compressableMimeType="text/html,text/xml,text/plain,text/css,text/jav ascript,text/json, >> >> >> application/x-javascript,application/javascript,application/json" >> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >> maxPostSize="10485760" >> keystoreFile="/usr/share/apache-tomcat-7.0.57/$$$$$$$$$" >> keyAlias="$$$$$$$$" clientAuth="false" sslProtocol="TLS" /> Okay so you are in no way interfering with the defaults. That means you'll get (depending upon your exact versions of various things) a Tomcat which supports TLSv1 or later, and most of the cipher suites that are shown as "default" above. Your choice of TLS certificate may affect some of the things that you can do, but I see that you've got an RSA certificate from the output from SSLLabs, so you shouldn't have any problems with a DSS certificate or anything like that. (Use of DSS certs these days is fairly rare). > On the cloud box, running Tomcat 8, I get: >> java -showversion SSLInfo java version "1.7.0_151" OpenJDK >> Runtime Environment (IcedTea 2.6.11) (7u151-2.6.11-1~deb8u1) >> OpenJDK 64-Bit Server VM (build 24.151-b01, mixed mode) >> >> Default Cipher SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * >> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA >> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * >> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA >> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA >> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 >> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA >> SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA >> SSL_RSA_EXPORT_WITH_RC4_40_MD5 * >> SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA >> SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA >> SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA * >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA * >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA * >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA * >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA * >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 >> TLS_DH_anon_WITH_AES_128_CBC_SHA >> TLS_DH_anon_WITH_AES_128_CBC_SHA256 >> TLS_DH_anon_WITH_AES_256_CBC_SHA >> TLS_DH_anon_WITH_AES_256_CBC_SHA256 * >> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA * >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA * >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA * >> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA * >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDHE_RSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA * >> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * >> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA * >> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA * >> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA * >> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA * >> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA * >> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_NULL_SHA >> TLS_ECDH_RSA_WITH_RC4_128_SHA >> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA >> TLS_ECDH_anon_WITH_AES_128_CBC_SHA >> TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA >> TLS_ECDH_anon_WITH_RC4_128_SHA * >> TLS_EMPTY_RENEGOTIATION_INFO_SCSV >> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 >> TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA >> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA >> TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA >> TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA >> TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * >> TLS_RSA_WITH_AES_128_CBC_SHA * >> TLS_RSA_WITH_AES_128_CBC_SHA256 * >> TLS_RSA_WITH_AES_256_CBC_SHA * >> TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_NULL_SHA256 No surprise here, since the OpenJDK version is only a patch-level off from the previous. I didn't look at every cipher suite, but it looks like the same list. > and the connector here is, with the exception of port number and > keystore information, the same. Strange. I would have expected Tomcat to enable more cipher suites with a default configuration given the SSLInfo output above. Are you sure you are using the same Java version with Tomcat as you did to run those commands above? - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnVNdMdHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiA4hAApxtgwcB2Kd06fPZf 21CJbNj97kywm0cwYVqh0lq/LNvT0iJtv1PsSw6wvG1g8yMw2B9fkrE6VHnkmKpz mRPbYQ7ukF6TRZFgZyfP/ntgTTKrJr4mGRwsxGLB6Guu0ME7TqQb8i/Y6xCZxdIQ xA38BYfaRCWzD5XC+EC6FNZKSS/OWItRNUshN8yLiN0pghfMogCB0HQcMztIN7P1 bVt5f0PWFoYZO9/UxCClmmrWl/dGa4ORmkGmBjNWRLf14ej0uNLpSJy9ElH85ov4 askXvqB84v4uxAu8weGlOK9zK/HEqxjMrDfSSM3Un7yRKBiPIUXkTg/IE1JVMQDn pKwlvqtMXuwggkTMyu3ixBfAV2fdb1dNNBx0ejmvjF50xfCiZfSlkw/Cp9JXFbKb 7PqrUc5sM3WLqG344TfGwWGhtQ41DNZggsn9iDwwBpcHGCRtIdftI7kUk+xPnKV1 sNEFlMb02DxaDscfcNFt6HqEy7tYXE8XXRMYRnHpP5EGNx8OPRCt+3FHW77EG4Hp McHAqH88DyqVCzFy9eUYuJ8wYfU5N4v+t2msrqpixTbSzy7cccYC9cQWUqLQuKYS 1VAwUvfqX/sZg6jGVqVxAqi3jBMviLs8cw5MxlCtgBCZO5/7gvKo42wZ78fyojOw xNUjYRY3XRS+Cb1RTJEOQ6K9ots= =Zs7F -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
