Peter and James,

On 5/30/19 01:22, Peter Kreuser wrote:
> James,
>
> Outbound SSL is usually handled by the underlying Java VM.

Yep. Tomcat doesn't have any code to make outgoing TLS connections.

>> On 29.05.2019 at 20:57, James H. H. Lampert
>> <jam...@touchtonecorp.com> wrote:
>>
>> We have a customer that is running our Tomcat-based webapp, and
>> it is apparently having trouble accessing a Google web service.
>>
>> The error message they're getting is:
>>
>>> Unable to find acceptable protocols. isFallback=false,
>>> modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA],
>>> tlsVersions=[TLS_1_2, TLS_1_1, TLS_1_0],
>>> supportsTlsExtensions=true),
>>> ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA],
>>> tlsVersions=[TLS_1_0], supportsTlsExtensions=true),
>>> ConnectionSpec()], supported protocols=[TLSv1]
>
> These are the ciphers and protocols requested. Are these two
> different services? If that is from server and client the ciphers
> are OK and protocols also overlap.

I don't think that's a list of the server, client supported protocols.
There is also an empty one at the end (TLSv1, no cipher suites).

> What strikes me though is the difference in TLS versions and
> supported protocols.
>
>> Is this something that could be caused by a Tomcat configuration
>> issue?
>
> Not really Tomcat. Java. Unless you set specific values on the
> connection. Or on the commandline.
>
> Could you please let us know the Java version and maybe the
> Connection settings? JAVA_OPTS?

It would also be a good idea to run good 'ole SSLLabs server test
against the service. If it's an internal service or one that can't be
scanned by Qualys, then you can try this tool which is roughly
equivalent:

https://github.com/ChristopherSchultz/ssltest

Then check the capabilities of the client you are working with.

-chris
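
One way to do the client-side check suggested in the message above, as an added example that is not part of the original thread or of any project named in it: a small Java class that prints the JVM's default and supported TLS protocols and which of the cipher suites listed in the error it can offer. The class name and the mapping of `TLS_1_2`/`TLS_1_1`/`TLS_1_0` to the JSSE names `TLSv1.2`/`TLSv1.1`/`TLSv1` are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not from the thread). Uses only Java 6 APIs so it also runs on old JVMs.
public class ClientTlsCapabilities {

    // Cipher suites copied from the first ConnectionSpec in the quoted error message.
    static final List<String> REQUESTED_SUITES = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    // Assumption: tlsVersions=[TLS_1_2, TLS_1_1, TLS_1_0] written with JSSE protocol names.
    static final List<String> REQUESTED_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");

    // Entries of 'requested' that the JVM also lists, kept in requested order.
    static List<String> overlap(List<String> requested, String[] available) {
        Set<String> have = new HashSet<String>(Arrays.asList(available));
        List<String> common = new ArrayList<String>();
        for (String name : requested) {
            if (have.contains(name)) {
                common.add(name);
            }
        }
        return common;
    }

    static void report(String label, SSLParameters p) {
        System.out.println("== " + label + " ==");
        System.out.println("protocols:        " + Arrays.toString(p.getProtocols()));
        System.out.println("protocol overlap: " + overlap(REQUESTED_PROTOCOLS, p.getProtocols()));
        System.out.println("suite overlap:    " + overlap(REQUESTED_SUITES, p.getCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        SSLContext ctx = SSLContext.getDefault(); // the JVM-wide default context
        report("enabled by default", ctx.getDefaultSSLParameters());
        report("supported by this JVM", ctx.getSupportedSSLParameters());
    }
}
```

Run it with the same JVM and JAVA_OPTS that start Tomcat, so the output reflects what the webapp's outbound connections actually have available.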