Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Most of the people puking here regarding the TLSv1.1 and TLSv1.2 support in Tomcat 7.0.47 are just trying to make themselves look over-smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You have to apply these two patches in order to run TLSv1.1 and TLSv1.2:

https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours to test this. I am using Ubuntu trusty. Here is my test result:

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch will be applied to tomcat-native-1.1.29. After the patch, compile it using

cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

Copy the libs and place them in the default lib directory of Ubuntu:

cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/

2- Get the source code of tomcat-7.0.47. Install JDK 6. Apply this patch to tomcat-7.0.47: https://issues.apache.org/bugzilla/attachment.cgi?id=30166 . Export the JDK 6 path. Run "ant" in the source folder. This will download many files and also compile the code. There will be some errors related to SSLv2; comment that code out, as SSLv2 will no longer be supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.

Regards,
San

On Sun, Jan 5, 2014 at 12:17 PM, Terence M. Bandoian wrote:
> On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> > Musassir,
> >
> > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> Musassir,
>
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>
> Tomcat 7.0.74
> Oracle Java 1.7.0_45
> tcnative 1.1.29 trunk (essentially 1.2.29)
>
> tcnative$ make clean
> tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> tcnative$ time make
> [...]
> make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
>
> real    0m14.790s
> user    0m15.300s
> sys     0m1.840s
>
> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>
> tcnative$ cd $CATALINA_BASE
>
> tomcat$ cat conf/server.xml
>
> [...]
> <Connector
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     SSLEnabled="true"
>     secure="true"
>     scheme="https"
>     SSLCertificateKeyFile="[...]"
>     SSLCertificateFile="[...]"
>     SSLCertificateChainFile="[...]"
>     SSLProtocol="all"
>     executor="tomcatThreadPool"
>     URIEncoding="UTF-8" />
> [...]
>
> tomcat$ bin/startup.sh
>
> [...]
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> [...]
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> verify error:num=19:self signed certificate in certificate chain
> [...]
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
> [...]
>
> *disconnect*
>
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>
> Looks like TLS1.2 works just fine in the default configuration
> (SSLProtocol="all" is the default).
>
> Let's try your configuration. I'm only going to change SSLProtocol
> from "all" to "TLSv1":
>
> <Connector
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     SSLEnabled="true"
>     secure="true"
>     scheme="https"
>     SSLCertificateKeyFile="[...]"
>     SSLCertificateFile="[...]"
>     SSLCertificateChainFile="[...]"
>     SSLProtocol="TLSv1"
>     executor="tomcatThreadPool"
>     URIEncoding="UTF-8" />
>
> *Restart Tomcat*
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> [...]
>
> Trying again with Firefox 26 gives me
> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>
> Let's try restricting to only your cipher. Let's make sure that my
> OpenSSL version supports it, first:
>
> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
>
> Yup. Let's configure it in Tomcat:
>
> <Connector
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     SSLEnabled="true"
>     secure="true"
>     scheme="https"
>     SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>     SSLCertificateKeyFile="[...]"
>     SSLCertificateFile="[...]"
>     SSLCertificateChainFile="[...]"
>     SSLProtocol="TLSv1"
>     executor="tomcatThreadPool"
>     URIEncoding="UTF-8" />
>
> $ openssl s_client -connect myhost:8218
> CONNECTED(0003)
> 139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>
> $ openssl s_client -tls1 -connect myhost:8218
> CONNECTED(0003)
> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>
> $ openssl s_client -tls1_1 -connect myhost:8218
> CONNECTED(0003)
> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
> $ openssl s_client -tls1_2 -connect myhost:8218
> CONNECTED(0003)
> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
> Firefox also fails with "ssl_error_no_cypher_overlap".
>
> $ sslscan myhost:8218
> Version 1.8.2
> http://www.titania.co.uk
> Copyright Ian Ventura-Whiting 2009
>
> Testing SSL
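Added example, not code from any message in this thread: a small POSIX sh helper that scripts the check done by hand in the quoted message above, one `openssl s_client` handshake per TLS version, and reduces each run to one line (OK plus negotiated protocol and cipher, or FAIL plus the reason from OpenSSL's error line). Host, port and the optional cipher string are arguments you supply; nothing in it is the thread's own configuration, and only the output classifier runs without a network.

```shell
#!/bin/sh
# Added example (not from the thread). Re-verify a connector after changing
# SSLProtocol / SSLCipherSuite: one s_client handshake per TLS version,
# each reduced to a single summary line.

# Read the output of one `openssl s_client` run (stdout+stderr) on stdin and print
#   OK <protocol> <cipher>   when a session was negotiated, or
#   FAIL <reason>            with the reason from OpenSSL's first error line.
# Returns 0 for OK and 1 for FAIL, so it can be used directly in `if`.
classify_s_client_output() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    # A failed handshake still prints an SSL-Session block, but with Cipher 0000.
    if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        printf 'OK %s %s\n' "$proto" "$cipher"
        return 0
    fi
    # Error lines look like: <pid>:error:<code>:SSL routines:<func>:<reason>:<file>:<line>:
    # e.g. "...:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:" -> "wrong version number"
    reason=$(printf '%s\n' "$out" \
        | sed -n 's/^[0-9]*:error:[0-9A-Fa-f]*:SSL routines:[^:]*:\([^:]*\):.*/\1/p' \
        | head -n 1)
    printf 'FAIL %s\n' "${reason:-no session negotiated}"
    return 1
}

# Try TLS 1.0, 1.1 and 1.2 in turn against host:port, optionally restricted to
# one OpenSSL cipher string (third argument), and print a summary such as
#   tls1     OK TLSv1 DHE-RSA-AES256-SHA
#   tls1_1   FAIL wrong version number
tls_probe() {
    host=$1
    port=$2
    cipher=${3:-}
    for v in tls1 tls1_1 tls1_2; do
        if [ -n "$cipher" ]; then
            result=$(openssl s_client -connect "$host:$port" "-$v" -cipher "$cipher" \
                     </dev/null 2>&1 | classify_s_client_output) || true
        else
            result=$(openssl s_client -connect "$host:$port" "-$v" \
                     </dev/null 2>&1 | classify_s_client_output) || true
        fi
        printf '%-8s %s\n' "$v" "$result"
    done
}

# Usage: sh tls_probe.sh <host> <port> [cipher-string]
# (host, port and cipher are whatever you pass; none are taken from the thread)
if [ $# -ge 2 ]; then
    tls_probe "$@"
fi
```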
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
There is also a bug fixed for the support of TLS1.1 and TLS1.2 by Marcel Šebek. Maybe that needs to be applied as well: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c1

On Sun, Jan 5, 2014 at 8:18 AM, Sanaullah wrote:
> You can create the ECC self signed certificates using the below two
> commands of OpenSSL:
>
> openssl ecparam -out sinful.key -name prime256v1 -genkey
> openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650
>
> root@ubuntu:/# openssl s_client -connect localhost:8443
> CONNECTED(0003)
> Server certificate
> ---
> SSL handshake has read 836 bytes and written 453 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
> Server public key is 256 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : ECDH-ECDSA-AES256-SHA
>     Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
>     Session-ID-ctx:
>     Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1388891510
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
>
> I am also unable to initialize any TLS1.1 or TLS1.2 related ECC ciphers.
>
> Here is my config:
> tomcat 7.0.47
> libapr 1.5.0-1
> tcnative 1.1.29-1
>
> <Connector
>     SSLEnabled="true"
>     maxThreads="150" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS"
>     SSLProtocol="all"
>     SSLCertificateFile="/home/san/sinful.pem"
>     SSLCertificateKeyFile="/home/san/sinful.key" />
>
> On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Mark,
> >
> > On 1/4/14, 6:37 PM, Mark Eggers wrote:
> > > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> > > > Musassir,
> > > >
> > > > On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> > > > > Musassir,
> > > > >
> > > > > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > > > > Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
You can create the ECC self signed certificates using the below two commands of OpenSSL:

openssl ecparam -out sinful.key -name prime256v1 -genkey
openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650

root@ubuntu:/# openssl s_client -connect localhost:8443
CONNECTED(0003)
Server certificate
---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDH-ECDSA-AES256-SHA
    Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
    Session-ID-ctx:
    Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1388891510
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

I am also unable to initialize any TLS1.1 or TLS1.2 related ECC ciphers.

Here is my config:
tomcat 7.0.47
libapr 1.5.0-1
tcnative 1.1.29-1

<Connector
    SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    SSLProtocol="all"
    SSLCertificateFile="/home/san/sinful.pem"
    SSLCertificateKeyFile="/home/san/sinful.key" />

On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 1/4/14, 6:37 PM, Mark Eggers wrote:
> > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> >> Musassir,
> >>
> >> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> >>> Musassir,
> >>>
> >>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> >>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 1/4/14, 6:37 PM, Mark Eggers wrote:
> On 1/4/2014 1:18 PM, Christopher Schultz wrote:
>> Musassir,
>>
>> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>>> Musassir,
>>>
>>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Musassir,
>
> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>> Musassir,
>>
>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>>
>> Tomcat 7.0.74
>> Oracle Java 1.7.0_45
>> tcnative 1.1.29 trunk (essentially 1.2.29)
>>
>> tcnative$ make clean
>> tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
>> tcnative$ time make
>> [...]
>> make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
>>
>> real    0m14.790s
>> user    0m15.300s
>> sys     0m1.840s
>>
>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>>
>> tcnative$ cd $CATALINA_BASE
>>
>> tomcat$ cat conf/server.xml
>>
>> [...]
>> <Connector
>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     SSLEnabled="true"
>>     secure="true"
>>     scheme="https"
>>     SSLCertificateKeyFile="[...]"
>>     SSLCertificateFile="[...]"
>>     SSLCertificateChainFile="[...]"
>>     SSLProtocol="all"
>>     executor="tomcatThreadPool"
>>     URIEncoding="UTF-8" />
>> [...]
>>
>> tomcat$ bin/startup.sh
>>
>> [...]
>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
>> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>> [...]
>>
>> tomcat$ openssl s_client -connect myhost:8218
>> [...]
>> verify error:num=19:self signed certificate in certificate chain
>> [...]
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>> [...]
>>
>> *disconnect*
>>
>> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
>> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>>
>> Looks like TLS1.2 works just fine in the default configuration
>> (SSLProtocol="all" is the default).
>>
>> Let's try your configuration. I'm only going to change SSLProtocol
>> from "all" to "TLSv1":
>>
>> <Connector
>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     SSLEnabled="true"
>>     secure="true"
>>     scheme="https"
>>     SSLCertificateKeyFile="[...]"
>>     SSLCertificateFile="[...]"
>>     SSLCertificateChainFile="[...]"
>>     SSLProtocol="TLSv1"
>>     executor="tomcatThreadPool"
>>     URIEncoding="UTF-8" />
>>
>> *Restart Tomcat*
>>
>> tomcat$ openssl s_client -connect myhost:8218
>> [...]
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>> [...]
>>
>> Trying again with Firefox 26 gives me
>> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>>
>> Let's try restricting to only your cipher. Let's make sure that my
>> OpenSSL version supports it, first:
>>
>> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
>>
>> Yup. Let's configure it in Tomcat:
>>
>> <Connector
>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>     SSLEnabled="true"
>>     secure="true"
>>     scheme="https"
>>     SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>>     SSLCertificateKeyFile="[...]"
>>     SSLCertificateFile="[...]"
>>     SSLCertificateChainFile="[...]"
>>     SSLProtocol="TLSv1"
>>     executor="tomcatThreadPool"
>>     URIEncoding="UTF-8" />
>>
>> $ openssl s_client -connect myhost:8218
>> CONNECTED(0003)
>> 139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>>
>> $ openssl s_client -tls1 -connect myhost:8218
>> CONNECTED(0003)
>> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
>> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>>
>> $ openssl s_client -tls1_1 -connect myhost:8218
>> CONNECTED(0003)
>> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>>
>> $ openssl s_client -tls1_2 -connect myhost:8218
>> CONNECTED(0003)
>> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>>
>> Firefox also fails with "ssl_error_no_cypher_overlap".
>>
>> $ sslscan myhost:8218
>> Version 1.8.2
>> http://www.titania.co.uk
>> Copyright Ian Ventura-Whiting 2009
>>
>> Testing SSL server myhost on port 8218
>>
>>   Supported Server Cipher(s):
>>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
>>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
>>     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
>>     Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
>>     Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
>>     Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
>>     Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
>>     Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
>>     Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
>>     Rejected  SSLv3  256 bits  AECDH-AES256-SHA
>>     Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
>>     Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ADH-AES256-SHA256
>>     Rejected  SSLv3  256 bits  ADH-AES256-SHA
>>     Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
>>     Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
>>     Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
>>     Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
>>     Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
>>     Failed    SSLv3  256 bits  AES256-GCM-SHA384
>>     Failed    SSLv3  256 bits  AES256-SHA256
>>     Rejected  SSLv3  256 bits  AES256-SHA
>>     Rejected  SSLv3  256 bits  CAMELLIA256-SHA
>>     Failed    S
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Mudassir,

On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug. TLS 1.2 is not working
> in Tomcat

Tomcat 7.0.74
Oracle Java 1.7.0_45
tcnative 1.1.29 trunk (essentially 1.2.29

tcnative$ make clean
tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
tcnative$ time make
[...]
make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'

real    0m14.790s
user    0m15.300s
sys     0m1.840s

tcnative$ cp -d .libs/* $CATALINA_HOME/bin

tcnative$ cd $CATALINA_BASE

tomcat$ cat conf/server.xml
[...]
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
           SSLCertificateChainFile="[...]" SSLProtocol="all"
           executor="tomcatThreadPool" URIEncoding="UTF-8" />
[...]

tomcat$ bin/startup.sh
[...]
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
[...]

tomcat$ openssl s_client -connect myhost:8218
[...]
verify error:num=19:self signed certificate in certificate chain
[...]
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
[...]
*disconnect*

I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect using the TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

Looks like TLS1.2 works just fine in the default configuration (SSLProtocol="all" is the default).

Let's try your configuration. I'm only going to change SSLProtocol from "all" to "TLSv1":

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
           SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
           executor="tomcatThreadPool" URIEncoding="UTF-8" />

*Restart Tomcat*

tomcat$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
[...]

Trying again with Firefox 26 gives me cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

Let's try restricting to only your cipher. Let's make sure that my OpenSSL version supports it, first:

tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256

Yup. Let's configure it in Tomcat:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
           SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
           SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
           executor="tomcatThreadPool" URIEncoding="UTF-8" />

$ openssl s_client -connect myhost:8218
CONNECTED(0003)
139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:

$ openssl s_client -tls1 -connect myhost:8218
CONNECTED(0003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

$ openssl s_client -tls1_1 -connect myhost:8218
CONNECTED(0003)
140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

$ openssl s_client -tls1_2 -connect myhost:8218
CONNECTED(0003)
139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Firefox also fails with "ssl_error_no_cypher_overlap".

$ sslscan myhost:8218
Version 1.8.2
http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009

Testing SSL server myhost on port 8218

  Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  AECDH-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ADH-AES256-SHA256
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Chuck,

On 1/3/14, 12:32 PM, Caldarale, Charles R wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>> maxThreads="200" clientAuth="false"
>> *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*
>
> Why are there asterisks on that config line? Remove them if
> they're actually present. Don't try to get cute with formatting
> tricks like bolding text, since this is a plaintext mailing list.
>
>> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
>
> You need to update the OpenSSL version to 1.0.1e, which contains
> fixes for TLS 1.1 and 1.2 negotiation. Once that's installed (and
> tcnative rebuilt), verify that the desired cipher is available with
> the "openssl ciphers" command.
>
> You also need to confirm that your client is capable of TLSv1.2
> using the above cipher. As stated before, getting a Wireshark or
> tcpdump trace of the negotiation would show what the client
> allows.

+1

You might want to look at sslscan, or use https://www.ssllabs.com/ssltest/index.html to test your server. It can tell you what ciphers are supported, etc. even if your client is misbehaving.
-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Mudassir,

On 1/2/14, 7:41 PM, Mudassir Aftab wrote:
> Thanks for keep replying, is there any way to restrict the cipher
> suite in the connector configuration?
>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Read the documentation for <Connector>.
-chris
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Here is my test with latest openssl and tomcat

Tools:
openssl: 1.0.1e
apache-tomcat-7.0.47
apr-1.5.0
tomcat-native-1.1.29

Connector:

Tomcat Logs:
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3580 ms
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start

Verification Tests:

root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(0003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:754:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1388841094
    Timeout   : 7200 (sec)
    Verify return code: 0 (y)
---

root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(0003)
3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:486:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers wrote:
> On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>>> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>>> Again, we have to submit this as a bug. TLS 1.2 is not working
>>> in Tomcat
>>
>> The only evidence you have provided is that your single chosen cipher
>> is not implemented by the version of Firefox you're using - which has
>> nothing to do with Tomcat. The TCP capture you provided is just text
>> rather than a useful .pcap file, and no one's going to waste their
>> time digging through raw bits when any decent protocol analyzer would
>> do the job automatically.
>>
>> - Chuck
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>> PROPRIETARY MATERIAL and is thus for use only by the intended
>> recipient. If you received this in error, please contact the sender
>> and delete the e-mail and its attachments from all computers.
>
> It's been years (more than I care t
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>
> The only evidence you have provided is that your single chosen cipher
> is not implemented by the version of Firefox you're using - which has
> nothing to do with Tomcat. The TCP capture you provided is just text
> rather than a useful .pcap file, and no one's going to waste their
> time digging through raw bits when any decent protocol analyzer would
> do the job automatically.
>
> - Chuck

It's been years (more than I care to count) since I've read raw packet data, but at first glance I do not see the browser (172.16.50.10) initiating a TLSv1.2 Client Hello. I'm looking at the following line:

0030  c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05   .9.8

I expect to see something like:

16 03 01

starting at octet 36. Instead, I see:

00 87 00

I don't know if that's because the information is encrypted, or what. However, it doesn't look like what I see when I aim Firefox 26.0 at an HTTPS site.

I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or CentOS). If so, get that and look for the TLSv1.2 Client Hello coming from your browser. If it's not coming from your browser, then something else is wrong.

Are you addressing example.com with https://example.com:8443/ in your browser?

As has been pointed out, this is an all-volunteer list (taking a break from writing an RFP here). Making it difficult to answer questions (incorrect, incomplete, or difficult to parse information) will not encourage volunteers to step forth.

. . . .
Friday night RFP response writing
/mde/
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

I wouldn't be too sure of that. It might be that Firefox doesn't implement your chosen cipher.

> On Jan 4, 2014 3:16 AM, "Caldarale, Charles R" wrote:
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>>> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>>> Did you get wireshark filtered output ?
>>
>> Everybody on this list is a volunteer, with their own real jobs to take
>> care of. If you want immediate attention, you bloody well need to pay for
>> it.
>>
>> - Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

The only evidence you have provided is that your single chosen cipher is not implemented by the version of Firefox you're using - which has nothing to do with Tomcat. The TCP capture you provided is just text rather than a useful .pcap file, and no one's going to waste their time digging through raw bits when any decent protocol analyzer would do the job automatically.

- Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

On Jan 4, 2014 3:16 AM, "Caldarale, Charles R" wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
>> Did you get wireshark filtered output ?
>
> Everybody on this list is a volunteer, with their own real jobs to take
> care of. If you want immediate attention, you bloody well need to pay for
> it.
>
> - Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Did you get wireshark filtered output ?

Everybody on this list is a volunteer, with their own real jobs to take care of. If you want immediate attention, you bloody well need to pay for it.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Did you get wireshark filtered output ?

Mudassir

On Sat, Jan 4, 2014 at 2:50 AM, Mudassir Aftab wrote:
> Please find attached wireshark file.
>
> On Sat, Jan 4, 2014 at 1:59 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>>> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>>> Also attached TCP dump logs
>>
>> Actually, you only attached the TCP headers, not the full capture. The
>> headers can't tell us anything.
>>
>>> I am again getting following error on FF26 with TLS 1.2 support
>>> Cannot communicate securely with peer: no common encryption algorithm(s).
>>> (Error code: ssl_error_no_cypher_overlap)
>>
>> Which would again indicate that the client (FF26) does not implement your
>> chosen cipher.
>>
>> - Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Also attached TCP dump logs

Actually, you only attached the TCP headers, not the full capture. The headers can't tell us anything.

> I am again getting following error on FF26 with TLS 1.2 support
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Which would again indicate that the client (FF26) does not implement your chosen cipher.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

I have compiled tomcat-native-1.1.29-src.tar.gz with 1.0.1e-3ubuntu1 and tested it with a fresh apache-tomcat-7.0.47.tar.gz and with the following connector settings:

Tomcat Logs:
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3189 ms
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.util.SessionIdGenerator createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [19,247] milliseconds.
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 8:25:56 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 8:25:58 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]

Also attached TCP dump logs. I am again getting the following error on FF26 with TLS 1.2 support:

Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

I am getting the following warnings while compiling tomcat-native-1.1.29-src with 1.0.1e-3ubuntu1. Shall I ignore them?

src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_make':
src/sslcontext.c:77:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_client_method());
                 ^
In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
          ^
src/sslcontext.c:79:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_server_method());
                 ^
In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
          ^
src/sslcontext.c:81:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_method());
                 ^
In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Sanaullah [mailto:sanaulla...@gmail.com]
> Subject: Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> The Document which you were referring
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
> is clearly stated that only SSLv2, SSLv3, TLSv1 is support by SSLProtocol
> Attribute.

TLSv1.1 and TLSv1.2 are included in TLSv1, when using the appropriate ciphers.

> TLSv1.1 and TLSV1.2 supported Cipher can't be invoked until TLSv1.1 and
> TLSv1.2 is enabled.see the supported Cipher list on TLSV1.2 on openssl link.
> http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

That's backwards; TLSv1.1 and TLSv1.2 are used automatically if TLSv1 is enabled and the client and server support v1.1 or v1.2 ciphers.

> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Those all appear to be supported in OpenSSL 1.0.1e.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi, I just bolded it from GMAIL :)
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="200"
> clientAuth="false"
> *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*

Why are there asterisks on that config line? Remove them if they're actually present. Don't try to get cute with formatting tricks like bolding text, since this is a plaintext mailing list.

> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)

You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 1.1 and 1.2 negotiation. Once that's installed (and tcnative rebuilt), verify that the desired cipher is available with the "openssl ciphers" command.

You also need to confirm that your client is capable of TLSv1.2 using the above cipher. As stated before, getting a Wireshark or tcpdump trace of the negotiation would show what the client allows.

 - Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 12:14 PM, Mudassir Aftab wrote:
> *Connector Settings:*

Do you really have the asterisks around this in your config?

> scheme="https" secure="true" SSLEnabled="true"
> SSLCertificateFile="/home/mudassir/pay/p.pem"
> SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
>
> *Tomcat Logs:*
>
> *Firefox Error: Version 26*
>
> Secure Connection Failed
> An error occurred during a connection to pay.upaga.net:8443.
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Does Firefox support "ECDHE-ECDSA-AES128-SHA256"? I don't know...
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
*Connector Settings:*

*Tomcat Logs:*

Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 5:09:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2757 ms
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 5:09:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 5:09:54 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]

*Firefox Error: Version 26*

Secure Connection Failed
An error occurred during a connection to pay.upaga.net:8443.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 11:18 AM, Mudassir Aftab wrote:
> then what could be the working config !!! , can u edit and send it to me ?
>
> Regards,
> Mudassir Aftab

Go back and read this thread carefully. There have been several errors pointed out to you which you haven't yet fixed. Fix them (proofreading carefully!), test it, and if it still doesn't work, post your full config.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Then what could be the working config!!! Can you edit it and send it to me?

Regards,
Mudassir Aftab
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: David kerber [mailto:dcker...@verizon.net]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> > Sorry for asking u same thing again and again, i have tried many things
> > from above document, but nothing works for me, also no errors in the log
> >
> > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxThreads="200"
> > clientAuth="false"
> > ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
> > scheme="https" secure="true" SSLEnabled="true"
> > SSLCertificateFile="/home/mudassir/pay/p.pem"
> > SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> > SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
> >
> > SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"

> If what you list here is what is really in your config file, you're not
> proofreading your configuration entries very well. You have
> SSLCipherSuite misspelled (two missing letters), and it's not inside the
> connector configuration entry.

Not to mention still having the ciphers attribute, which is not used with APR.

 - Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Also, the following setting is working for TLS v1 but not with TLS v1.2, so it's a bug!!!

On Fri, Jan 3, 2014 at 6:56 PM, Mudassir Aftab wrote:

> HI,
>
> That was just typo error but on system it is fine and i am keep checking
> logs, no warning in it
>
> also what about following post
>
> I just also took interest to dig this issue.
>
> The Document which you were referring
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
> is clearly stated that only SSLv2, SSLv3, TLSv1 is support by SSLProtocol
> Attribute.
>
> SSLCipherSuite will only be supported cipher available in SSLv2,SSLv3,
> TLSV1.
>
> TLSv1.1 and TLSV1.2 supported Cipher can't be invoked until TLSv1.1 and
> TLSv1.2 is enabled.see the supported Cipher list on TLSV1.2 on openssl
> link. http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites
>
> I am happy to see if someone enabled below ciphers without enabling the
> TLSv1.2
>
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384
>
>
> On Fri, Jan 3, 2014 at 6:00 PM, David kerber wrote:
>
>> On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
>>
>>> Hi,
>>>
>>> Sorry for asking u same thing again and again, i have tried many things
>>> from above document, but nothing works for me, also no errors in the log
>>>
>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>> maxThreads="200"
>>> clientAuth="false"
>>> ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
>>> scheme="https" secure="true" SSLEnabled="true"
>>> SSLCertificateFile="/home/mudassir/pay/p.pem"
>>> SSLCertificateKeyFile="/home/mudassir/p-key.pem"
>>> SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
>>>
>>> SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
>>>
>>> I really appreciate your help
>>>
>> If what you list here is what is really in your config file, you're not
>> proofreading your configuration entries very well. You have SSLCipherSuite
>> misspelled (two missing letters), and it's not inside the connector
>> configuration entry.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
HI,

That was just a typo, but on the system it is fine, and I keep checking the logs; there is no warning in them.

Also, what about the following post?

I just also took interest to dig this issue.

The Document which you were referring, http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native, clearly states that only SSLv2, SSLv3, TLSv1 are supported by the SSLProtocol attribute.

SSLCipherSuite will only support ciphers available in SSLv2, SSLv3, TLSV1.

TLSv1.1 and TLSV1.2 supported ciphers can't be invoked until TLSv1.1 and TLSv1.2 are enabled. See the supported cipher list for TLSV1.2 on the openssl link: http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I am happy to see if someone enabled the below ciphers without enabling TLSv1.2:

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

On Fri, Jan 3, 2014 at 6:00 PM, David kerber wrote:

> On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
>
>> Hi,
>>
>> Sorry for asking u same thing again and again, i have tried many things
>> from above document, but nothing works for me, also no errors in the log
>>
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> maxThreads="200"
>> clientAuth="false"
>> ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
>> scheme="https" secure="true" SSLEnabled="true"
>> SSLCertificateFile="/home/mudassir/pay/p.pem"
>> SSLCertificateKeyFile="/home/mudassir/p-key.pem"
>> SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
>>
>> SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
>>
>> I really appreciate your help
>>
> If what you list here is what is really in your config file, you're not
> proofreading your configuration entries very well. You have SSLCipherSuite
> misspelled (two missing letters), and it's not inside the connector
> configuration entry.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
> Hi,
>
> Sorry for asking u same thing again and again, i have tried many things
> from above document, but nothing works for me, also no errors in the log
>
> SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
>
> I really appreciate your help

If what you list here is what is really in your config file, you're not proofreading your configuration entries very well. You have SSLCipherSuite misspelled (two missing letters), and it's not inside the connector configuration entry.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

Sorry for asking you the same thing again and again. I have tried many things from the above document, but nothing works for me, and there are also no errors in the log.

SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"

I really appreciate your help.
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Should i use following APR connector attribute ?
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="200"
> sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
> clientAuth="false"
> ciphers="AES256-SHA256"
> scheme="https" secure="true" SSLEnabled="true"
> SSLCertificateFile="p.pem"
> SSLCertificateKeyFile="key.pem"
> SSLCACertificateFile="AdminCA1.pem" />

For the third time, the APR has no sslProtocol nor sslEnabledProtocols attributes; the proper ones for specifying the protocol and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively.

For the last time, read the doc:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

(If you don't start paying attention to the responses you're getting, you will end up just being ignored.)

 - Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Should I use the following APR connector attributes?
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
How can I specify the AES256-SHA256 cipher in the Tomcat connector? Or where should I specify this?

Regards,
Mudassir Aftab
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Also, how can I restrict the ciphers in the connector??

Testing localhost:8443
** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** TLSv1:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** SSLv3:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **

On Fri, Jan 3, 2014 at 5:58 AM, Mudassir Aftab wrote:

> How can i test this ? can i test this with Firefox 25 ?
>
> Regards,
> Mudassir Aftab
>
> On Fri, Jan 3, 2014 at 5:41 AM, Mudassir Aftab wrote:
>
>> Thanks for keep replying, is there any way to restrict the cipher suite
>> in the connector configuration?
>>
>> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>>
>> On Fri, Jan 3, 2014 at 5:35 AM, Mudassir Aftab wrote:
>>
>>> I have just configured latest version , following is the log
>>>
>>> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
>>> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>>> Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
>>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
>>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>>> INFO: Initializing ProtocolHandler ["http-apr-8443"]
>>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>>> INFO: Initializing ProtocolHandler ["http-apr-8080"]
>>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>>> INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
>>> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
>>> INFO: Initialization processed in 3145 ms
>>> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService startInternal
>>> INFO: Starting service Catalina
>>> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine startInternal
>>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
>>> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
>>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory /opt/tomcat7/webapps/docs
>>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory /opt/tomcat7/webapps/manager
>>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>>> INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
>>> Jan 03, 2014 12:34:05 AM org.apache.c
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Don't top post - it makes it really hard to follow the conversation.

> is there any way to restrict the cipher suite in
> the connector configuration?

You were already told how:

> > You can also set SSLCipherSuite to avoid enabling insecure encryption
> > mechanisms (see
> > http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

 - Chuck
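The two pieces of advice in the replies above (a suite like ECDH-ECDSA-AES128-GCM-SHA256 only becomes negotiable once both ends speak TLSv1.2, and SSLCipherSuite is where the anonymous and export suites the scanner output flags as WEAK get excluded) can be checked offline with a small model of the negotiation. This is an added example, not code from the thread, from Tomcat or from OpenSSL. It parses text in the layout that "openssl ciphers -v" prints; the sample rows, the client profiles and the weakness rule are constructed for illustration and do not describe any real browser or host.

```python
"""Constructed model of OpenSSL cipher-suite selection (example, not Tomcat code)."""
import re
from typing import Any, Dict, Iterable, List

# Constructed sample in the layout of `openssl ciphers -v` (OpenSSL 1.0.1 prints
# name, minimum protocol, Kx=, Au=, Enc=, Mac=, and an optional "export" flag).
# Rows are illustrative, not a dump from any real host.
SAMPLE_CIPHERS_V = """\
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH  Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
"""

# Order used to decide whether a client's best protocol version reaches a suite.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

Suite = Dict[str, Any]


def parse_ciphers_v(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` style output into one dict per suite."""
    suites: List[Suite] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ciphers -v line: {line!r}")
        enc = m.group("enc")                       # e.g. "AESGCM(128)"
        bits = re.search(r"\((\d+)\)", enc)
        suites.append({
            "name": m.group("name"),
            "min_proto": m.group("proto"),         # lowest version that can use it
            "kx": m.group("kx"),
            "au": m.group("au"),                   # "None" means anonymous (ADH)
            "enc": enc.split("(")[0],
            "bits": int(bits.group(1)) if bits else 0,
            "mac": m.group("mac"),
            "export": m.group("export") is not None,
        })
    return suites


def select_for_server(all_suites: List[Suite], ssl_cipher_suite: str) -> List[Suite]:
    """Resolve a colon-separated SSLCipherSuite value made of plain suite names
    (the full OpenSSL cipher-string grammar is not modelled) to parsed suites,
    in the order the server prefers them."""
    by_name = {s["name"]: s for s in all_suites}
    return [by_name[n] for n in ssl_cipher_suite.split(":") if n in by_name]


def negotiable(server_suites: List[Suite], client_offer: Iterable[str],
               client_max_proto: str) -> List[str]:
    """Suites the handshake could pick, in server-preference order.

    A suite counts only if the client lists it AND the client's highest
    protocol reaches the suite's minimum; an empty result is what the browser
    reports as "no common encryption algorithm(s)"."""
    offered = set(client_offer)
    limit = PROTO_RANK[client_max_proto]
    return [s["name"] for s in server_suites
            if s["name"] in offered and PROTO_RANK[s["min_proto"]] <= limit]


def is_weak(suite: Suite) -> bool:
    """Rule of thumb matching the scanner's WEAK flags: anonymous key exchange,
    export grade, RC4, MD5, or fewer than 128 key bits (3DES passes here)."""
    return (suite["au"] == "None" or suite["export"] or suite["enc"] == "RC4"
            or suite["mac"] == "MD5" or suite["bits"] < 128)


def hardened_cipher_suite(all_suites: List[Suite]) -> str:
    """Build an explicit SSLCipherSuite value with every weak suite dropped."""
    return ":".join(s["name"] for s in all_suites if not is_weak(s))


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    server = select_for_server(suites, "ECDH-ECDSA-AES128-GCM-SHA256")
    # Hypothetical client profiles, constructed for the demonstration.
    old_client = ["ECDHE-ECDSA-AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]
    new_client = old_client + ["ECDH-ECDSA-AES128-GCM-SHA256"]
    print("TLSv1 client:", negotiable(server, old_client, "TLSv1"))
    print("suite offered, TLSv1.1 max:", negotiable(server, new_client, "TLSv1.1"))
    print("TLSv1.2 client:", negotiable(server, new_client, "TLSv1.2"))
    print("hardened SSLCipherSuite:", hardened_cipher_suite(suites))
```

Pinning the server to the single TLSv1.2-only suite gives an empty overlap for any client whose best protocol is TLSv1 or TLSv1.1, which is the failure the browser error in this thread describes; the same client with TLSv1.2 negotiates it. On a real host, "openssl ciphers -v" followed by the intended SSLCipherSuite value shows the actual expansion for the installed OpenSSL, and the attribute accepts the normal OpenSSL cipher-string syntax, so exclusions such as !aNULL:!EXPORT:!RC4:!MD5 can replace an explicit list like the one this example builds.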
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
How can I test this? Can I test this with Firefox 25?

Regards,
Mudassir Aftab

On Fri, Jan 3, 2014 at 5:41 AM, Mudassir Aftab wrote:

> Thanks for keep replying, is there any way to restrict the cipher suite
> in the connector configuration?
>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
>
> On Fri, Jan 3, 2014 at 5:35 AM, Mudassir Aftab wrote:
>
>> I have just configured latest version , following is the log
>>
>> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
>> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>> Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["http-apr-8443"]
>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["http-apr-8080"]
>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
>> INFO: Initialization processed in 3145 ms
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService startInternal
>> INFO: Starting service Catalina
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine startInternal
>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/docs
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/manager
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/examples
>> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-apr-8443"]
>> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-apr-8080"]
>> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["ajp-apr-8009"]
>> Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
>> INFO: Server startup in 7422 ms
>>
>> On Fri, Jan 3, 2014 at 5:31 AM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Mudassir,
>>>
>>> On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
>>> > sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>>>
>>> Setting sslProtocol and sslEnabledProtocols will not aff
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Thanks for continuing to reply. Is there any way to restrict the cipher suite in the connector configuration?

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

On Fri, Jan 3, 2014 at 5:35 AM, Mudassir Aftab wrote:
> I have just configured the latest version; following is the log:
>
> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-apr-8443"]
> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-apr-8080"]
> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 3145 ms
> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /opt/tomcat7/webapps/docs
> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /opt/tomcat7/webapps/manager
> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory /opt/tomcat7/webapps/examples
> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-apr-8443"]
> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-apr-8080"]
> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["ajp-apr-8009"]
> Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 7422 ms
>
> On Fri, Jan 3, 2014 at 5:31 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> Mudassir,
>>
>> On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
>>> sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>>
>> Setting sslProtocol and sslEnabledProtocols will not affect an OpenSSL-based connector (which you have configured). As Chuck previously stated, you need to use different configuration attributes when using OpenSSL. Please read the documentation for the APR connector and t
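The list pasted above is what `openssl ciphers` prints on the server, and Chuck's reply later in the thread names `SSLCipherSuite` as the APR connector attribute that restricts it. The script below is an added example written for this page, not code from the thread or from Tomcat. It takes such a list (a shortened, constructed version of the one above, plus two constructed client lists), drops the families that should not be offered any more (export grades, RC4, MD5 MACs, single and triple DES, PSK, SRP, SEED, NULL and anonymous key exchange; the pattern set is the editor's choice), moves forward-secret ECDHE/DHE suites to the front, and prints which suites a given client would still share with the result. An empty intersection is exactly the "no common encryption algorithm(s)" condition reported in the thread. The function names `split_suites`, `join_suites`, `restrict_suites`, `order_suites`, `build_ssl_cipher_suite` and `common_suites` are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat: build a restricted
# SSLCipherSuite value from an `openssl ciphers` list and check what a
# client would still have in common with it.

# Constructed input: a shortened version of the list posted above, in the
# colon-separated form `openssl ciphers` prints.
SERVER_CIPHERS='AES256-SHA:ECDHE-RSA-AES256-GCM-SHA384:RC4-MD5:ECDHE-ECDSA-AES256-GCM-SHA384:DES-CBC3-SHA:DHE-RSA-AES256-SHA:EXP-DES-CBC-SHA:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:EDH-RSA-DES-CBC-SHA:PSK-AES128-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:EXP-RC4-MD5'

# Constructed client lists: a reasonably current client, and one that only
# speaks RC4/3DES, like an old browser or an old JDK.
MODERN_CLIENT='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA'
LEGACY_CLIENT='RC4-SHA:RC4-MD5:DES-CBC3-SHA'

# Suite-name patterns to drop (editor's choice): export grades, RC4, MD5 MACs,
# single and triple DES, PSK/SRP, SEED, NULL and anonymous key exchange.
WEAK_PATTERNS='^EXP-|RC4|MD5|DES-|^PSK-|^SRP-|SEED|NULL|^ADH-|^AECDH-'

# One suite per line from a colon-separated list.
split_suites() { printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'; }

# Lines back into a colon-separated list (stdin -> stdout), skipping blanks.
join_suites() { awk 'NF == 0 { next } n++ { printf ":" } { printf "%s", $0 } END { printf "\n" }'; }

# Drop every suite whose name matches a weak pattern.
restrict_suites() { split_suites "$1" | grep -Ev "$WEAK_PATTERNS" | join_suites; }

# Forward-secret (ephemeral DH/ECDH) suites first, relative order otherwise kept.
order_suites() {
    all=$(split_suites "$1")
    {
        printf '%s\n' "$all" | grep -E  '^(ECDHE|DHE|EDH)-' || true
        printf '%s\n' "$all" | grep -Ev '^(ECDHE|DHE|EDH)-' || true
    } | join_suites
}

# The value to paste into the APR connector's SSLCipherSuite attribute.
build_ssl_cipher_suite() { order_suites "$(restrict_suites "$1")"; }

# Suites present in both lists, one per line, in the first list's order.
# Empty output is the "no common encryption algorithm(s)" case.
common_suites() {
    client=$(split_suites "$2")
    split_suites "$1" | while IFS= read -r suite; do
        if printf '%s\n' "$client" | grep -qxF -- "$suite"; then
            printf '%s\n' "$suite"
        fi
    done
}

HARDENED=$(build_ssl_cipher_suite "$SERVER_CIPHERS")
printf 'SSLCipherSuite="%s"\n' "$HARDENED"
printf 'shared with modern client: %s\n' "$(common_suites "$HARDENED" "$MODERN_CLIENT" | join_suites)"
printf 'shared with legacy client: %s\n' "$(common_suites "$HARDENED" "$LEGACY_CLIENT" | join_suites)"
```

On a real host, feed it the live list (`build_ssl_cipher_suite "$(openssl ciphers)"`) and put the result in `SSLCipherSuite`. OpenSSL's cipher-string syntax can express the same exclusions more compactly (for example `openssl ciphers -v 'HIGH:!aNULL:!MD5:!RC4:!3DES'`), but spelling the list out makes it obvious what the connector will and will not offer, and checking it against the client's list before deploying is the cheap version of the packet-capture check Chuck suggests later in the thread.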
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
I have just configured the latest version; following is the log:

Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3145 ms
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7422 ms

On Fri, Jan 3, 2014 at 5:31 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Mudassir,
>
> On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
>> sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>
> Setting sslProtocol and sslEnabledProtocols will not affect an OpenSSL-based connector (which you have configured). As Chuck previously stated, you need to use different configuration attributes when using OpenSSL. Please read the documentation for the APR connector and those configuration attributes that affect the SSL engine.
>
> You might want to tell us how you are trying to connect, too. Also, run "openssl ciphers" on your system to see what ciphers are supported by your OpenSSL, and compare those to the list supported by your client. Perhaps you have a legitimate mismatch and TLS 1.2 itself isn't the problem.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Mudassir,

On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
> sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"

Setting sslProtocol and sslEnabledProtocols will not affect an OpenSSL-based connector (which you have configured). As Chuck previously stated, you need to use different configuration attributes when using OpenSSL. Please read the documentation for the APR connector and those configuration attributes that affect the SSL engine.

You might want to tell us how you are trying to connect, too. Also, run "openssl ciphers" on your system to see what ciphers are supported by your OpenSSL, and compare those to the list supported by your client. Perhaps you have a legitimate mismatch and TLS 1.2 itself isn't the problem.

-chris
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
I have also tried to apply the following patch in Tomcat Native, but it did not help.

https://issues.apache.org/bugzilla/attachment.cgi?id=30150
tomcat-native-1.1.29-src.tar.gz

On Fri, Jan 3, 2014 at 5:21 AM, Mudassir Aftab wrote:
> Hi,
>
> Thanks for the reply.
>
> I am using the following environment:
>
> Description: Ubuntu 12.04.3 LTS
> javac 1.7.0_45
> apache-tomcat-7.0.42.tar.gz
> apr-1.5.0.tar.gz
> tomcat-native-1.1.29-src.tar.gz
> openssl 1.0.1-4ubuntu5.10
>
> and this is how I am configuring Tomcat Native:
>
> ./configure --with-apr=/usr/local/apr/bin/apr-1-config --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME
>
> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/opt/tomcat7/lib"
>
> Server.xml:
>
>            maxThreads="200"
>            sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>            clientAuth="false"
>            scheme="https" secure="true" SSLEnabled="true"
>            SSLCertificateFile="/home/mudassir/cert.pem"
>            SSLCertificateKeyFile="/home/mudassir/cert-key.pem"
>            SSLCACertificateFile="/home/mudassir/CA.pem" />
>
> Regards,
> Mudassir Aftab
>
> On Fri, Jan 3, 2014 at 2:28 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>>> Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>>> I need TLSv1.2 support for tomcat
>>
>> That's available by default with current OpenSSL versions.
>>
>>> Also what will be the preferable connector settings ?
>>
>> Whatever you need them to be. The values depend entirely on your applications and environment.
>>
>>> I am using following connector in Apache Tomcat/7.0.42
>>> . . .
>>> sslEnabledProtocols="TLSv1.2"
>>
>> The above attribute is for the BIO and NIO connectors, not the APR one you are using. You should instead specify:
>>     SSLProtocol="TLSv1"
>> if you want to eliminate SSLv3 (but your client might not like that). You can also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).
>>
>>> An error occurred during a connection to confidential.com:8443. Cannot
>>> communicate securely with peer: no common encryption algorithm(s).
>>
>> This means the client you're using and your build of OpenSSL have nothing in common. Use Wireshark or tcpdump and determine just which protocols your client is attempting to negotiate with, and ensure that those are enabled in your build of OpenSSL.
>>
>> - Chuck
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

Thanks for the reply.

I am using the following environment:

Description: Ubuntu 12.04.3 LTS
javac 1.7.0_45
apache-tomcat-7.0.42.tar.gz
apr-1.5.0.tar.gz
tomcat-native-1.1.29-src.tar.gz
openssl 1.0.1-4ubuntu5.10

and this is how I am configuring Tomcat Native:

./configure --with-apr=/usr/local/apr/bin/apr-1-config --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME

export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/opt/tomcat7/lib"

Server.xml:

Regards,
Mudassir Aftab

On Fri, Jan 3, 2014 at 2:28 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
>> I need TLSv1.2 support for tomcat
>
> That's available by default with current OpenSSL versions.
>
>> Also what will be the preferable connector settings ?
>
> Whatever you need them to be. The values depend entirely on your applications and environment.
>
>> I am using following connector in Apache Tomcat/7.0.42
>> . . .
>> sslEnabledProtocols="TLSv1.2"
>
> The above attribute is for the BIO and NIO connectors, not the APR one you are using. You should instead specify:
>     SSLProtocol="TLSv1"
> if you want to eliminate SSLv3 (but your client might not like that). You can also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).
>
>> An error occurred during a connection to confidential.com:8443. Cannot
>> communicate securely with peer: no common encryption algorithm(s).
>
> This means the client you're using and your build of OpenSSL have nothing in common. Use Wireshark or tcpdump and determine just which protocols your client is attempting to negotiate with, and ensure that those are enabled in your build of OpenSSL.
>
> - Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> I need TLSv1.2 support for tomcat

That's available by default with current OpenSSL versions.

> Also what will be the preferable connector settings ?

Whatever you need them to be. The values depend entirely on your applications and environment.

> I am using following connector in Apache Tomcat/7.0.42
> sslEnabledProtocols="TLSv1.2"

The above attribute is for the BIO and NIO connectors, not the APR one you are using. You should instead specify:
    SSLProtocol="TLSv1"
if you want to eliminate SSLv3 (but your client might not like that). You can also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

> An error occurred during a connection to confidential.com:8443. Cannot
> communicate securely with peer: no common encryption algorithm(s).

This means the client you're using and your build of OpenSSL have nothing in common. Use Wireshark or tcpdump and determine just which protocols your client is attempting to negotiate with, and ensure that those are enabled in your build of OpenSSL.

- Chuck
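Chuck's advice is to capture the client's handshake to see which protocol versions it offers. The complementary check from the server side is one `openssl s_client` handshake per protocol version, which shows directly which versions the connector accepts and which cipher it picks for each. The script below is an added example written for this page, not code from the thread or from Tomcat; the function names `negotiated_cipher`, `negotiated_protocol`, `probe_one` and `probe_protocols` are its own, and the two sample outputs are constructed to have the shape OpenSSL 1.0.x prints, not captured from the poster's server. It assumes the client-side `openssl` is 1.0.1 or later, since that is where the `-tls1_1` and `-tls1_2` options come from; an older client binary makes every TLS 1.1/1.2 probe look like a server failure.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomcat: ask a server which
# protocol versions it accepts, one openssl s_client run per version, and
# report the cipher it picked for each.

# Parse s_client output (stdin). OpenSSL 1.0.x prints
#   New, TLSv1/SSLv3, Cipher is <name>     when a handshake completed
#   New, (NONE), Cipher is (NONE)          when none did
negotiated_cipher() {
    cipher=$(sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)') printf 'NONE\n' ;;
        *)           printf '%s\n' "$cipher" ;;
    esac
}

# The real version comes from the SSL-Session block ("Protocol  : TLSv1.2");
# the "TLSv1/SSLv3" in the "New," line is not the negotiated version.
negotiated_protocol() {
    proto=$(sed -n 's/^ *Protocol *: *//p' | head -n 1)
    printf '%s\n' "${proto:-unknown}"
}

# One handshake attempt. $1=host $2=port $3=version flag (-ssl3, -tls1,
# -tls1_1, -tls1_2). Prints "<flag> <protocol> <cipher>". A client openssl
# that lacks the flag also ends up as NONE, so check `openssl version` first.
probe_one() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 || true)
    printf '%s %s %s\n' "$3" \
        "$(printf '%s\n' "$out" | negotiated_protocol)" \
        "$(printf '%s\n' "$out" | negotiated_cipher)"
}

# Walk every version the client can ask for.
probe_protocols() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_one "$1" "$2" "$flag"
    done
}

# Constructed samples shaped like OpenSSL 1.0.x s_client output, for offline use.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Usage: sh probe.sh host [port]   (port defaults to 8443, as in the thread)
if [ "$#" -ge 1 ]; then
    probe_protocols "$1" "${2:-8443}"
else
    printf 'offline sample: %s %s\n' \
        "$(printf '%s\n' "$SAMPLE_OK" | negotiated_protocol)" \
        "$(printf '%s\n' "$SAMPLE_OK" | negotiated_cipher)"
fi
```

Run against a live connector, a result of `-tls1` succeeding while `-tls1_1` and `-tls1_2` report `NONE` points at the server's protocol method rather than at the cipher list. With the Tomcat Native 1.1.29 used in this thread, `SSLProtocol="TLSv1"` selects OpenSSL's TLS 1.0-only method, so that is the pattern to expect from it; TLSv1.1 and TLSv1.2 values for `SSLProtocol` arrived with the later Tomcat Native 1.1.30 release and the matching Tomcat update. If instead every version reports `NONE` but a plain `openssl s_client -connect host:port` works, the mismatch is in the cipher lists, which is the case Chris's `openssl ciphers` comparison covers.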