Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-05 Thread Sanaullah
Most of the people puking here regarding TLSv1.1 and TLSv1.2 support in
Tomcat 7.0.47 are just trying to make themselves look smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You
have to apply these two patches in order to run TLSv1.1 and TLSv1.2:
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty.

Here are my test results:

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect
127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDH-ECDSA-AES256-GCM-SHA384
Session-ID:
AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
Session-ID-ctx:
Master-Key:
45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51   ...V..IQ
0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE ..PP...A.
0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9   .v)..[5.;>m.
0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21   ..T#.9-Z..^!
0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed   ..7.fY.._..*
0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16   ]r..^.)..I..P...
0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6   #..cy.6#...5y.h.
0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ..



How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch
is applied to tomcat-native-1.1.29. After the patch, compile it using
cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

Copy the libs and place them in the default lib directory of Ubuntu:
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
Install JDK 6.

Apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166
to tomcat-7.0.47.
Export the JDK 6 path.
Run "ant" in the source folder. This will download many files and also
compile the code.

There will be some errors related to SSLv2. Comment out that code, as SSLv2
is no longer supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.

Regards,
San








On Sun, Jan 5, 2014 at 12:17 PM, Terence M. Bandoian wrote:

> On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> > Musassir,
> >
> > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > Again, we have to submit this as a bug.TLS 1.2 is not working
> > > in Tomcat
> >
> > Tomcat 7.0.74
> > Oracle Java 1.7.0_45
> > tcnative 1.1.29 trunk (essentially 1.2.29
> >
> > tcnative$ make clean
> > tcnative$ ./configure --with-apr=`which apr-config`
> > --with-java-home=/usr/local/java-7 --with-ssl
> > tcnative$ time make
> > [...]
> > make[1]: Leaving directory
> > `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >
> > real    0m14.790s
> > user    0m15.300s
> > sys     0m1.840s
> >
> > tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >
> > tcnative$ cd $CATALINA_BA
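The `openssl s_client` transcript above is the evidence the whole thread turns on: the `Protocol` and `Cipher` lines of the SSL-Session block say what was actually negotiated, and the `verify error:num=18` line says the self-signed test certificate could not be chained. As an added example (my own code, not from the thread, Tomcat or OpenSSL), here is a small parser that pulls those fields out of a captured transcript and grades them against a minimum-version policy. The three transcripts are constructed to mirror the fields shown in the thread, and the weak-token list is an illustrative policy rather than an OpenSSL classification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Version ranking used to compare a negotiated protocol against a policy minimum.
_TLS_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Cipher-name tokens treated as weak or anonymous; an illustrative policy, not an OpenSSL list.
_WEAK_TOKENS = {"NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH"}

# Field patterns for the SSL-Session block and the verify lines of `openssl s_client`.
_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_KEY_RE = re.compile(r"Server public key is (\d+) bit")
_VERIFY_RET_RE = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")
_VERIFY_ERR_RE = re.compile(r"verify error:num=(\d+):(.*)")
# A "<pid>:error:<code>:SSL routines:..." line means the handshake failed and no session exists.
_OSSL_ERR_RE = re.compile(r"^\d+:error:[0-9A-Fa-f]+:SSL routines:", re.M)


@dataclass
class SessionSummary:
    protocol: Optional[str]      # "Protocol  : TLSv1.2" in the SSL-Session block
    cipher: Optional[str]        # "Cipher    : ECDH-ECDSA-AES256-GCM-SHA384"
    key_bits: Optional[int]      # "Server public key is 256 bit"
    verify_code: Optional[int]   # 0 = chain verified; 18 and 19 are the self-signed codes in the thread
    verify_text: Optional[str]
    handshake_failed: bool


def parse_s_client(text: str) -> SessionSummary:
    """Pull the session facts out of a captured `openssl s_client` transcript."""
    proto = _PROTO_RE.search(text)
    cipher = _CIPHER_RE.search(text)
    key = _KEY_RE.search(text)
    # The closing "Verify return code" line is authoritative; fall back to the first verify error.
    verify = _VERIFY_RET_RE.search(text) or _VERIFY_ERR_RE.search(text)
    return SessionSummary(
        protocol=proto.group(1) if proto else None,
        cipher=cipher.group(1) if cipher else None,
        key_bits=int(key.group(1)) if key else None,
        verify_code=int(verify.group(1)) if verify else None,
        verify_text=verify.group(2).strip() if verify else None,
        handshake_failed=bool(_OSSL_ERR_RE.search(text)),
    )


def grade(summary: SessionSummary, minimum: str = "TLSv1.2") -> List[str]:
    """Return policy findings; an empty list means the negotiated session is acceptable."""
    if summary.handshake_failed or summary.protocol is None:
        return ["no TLS session was established (handshake failure or unparseable transcript)"]
    findings: List[str] = []
    if _TLS_ORDER.get(summary.protocol, -1) < _TLS_ORDER[minimum]:
        findings.append(f"negotiated {summary.protocol}, below policy minimum {minimum}")
    weak = _WEAK_TOKENS & set((summary.cipher or "").split("-"))
    if weak:
        findings.append(f"weak or anonymous cipher suite {summary.cipher} ({', '.join(sorted(weak))})")
    if summary.verify_code not in (None, 0):
        findings.append(f"certificate verification failed: {summary.verify_code} ({summary.verify_text})")
    return findings


# Constructed transcripts that mirror the fields shown in the thread (not real captures).
SAMPLE_TLS12 = """CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
---
Server public key is 256 bit
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""

SAMPLE_TLS10 = """CONNECTED(00000003)
Server public key is 2048 bit
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

SAMPLE_FAILED = """CONNECTED(00000003)
139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
"""

if __name__ == "__main__":
    for label, text in (("TLS 1.2 run", SAMPLE_TLS12), ("TLS 1.0 run", SAMPLE_TLS10), ("failed run", SAMPLE_FAILED)):
        print(label, grade(parse_s_client(text)) or ["OK"])
```

Run against a real capture (`openssl s_client -connect host:8443 </dev/null > out.txt 2>&1`, then feed `out.txt` to `parse_s_client`) it separates the three situations the thread keeps confusing: a server that talks TLS 1.2 but with a self-signed certificate, a server that only talks TLS 1.0, and a handshake that never produced a session at all.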

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Terence M. Bandoian
On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> Musassir,
>
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > Again, we have to submit this as a bug.TLS 1.2 is not working
> > in Tomcat
>
> Tomcat 7.0.74
> Oracle Java 1.7.0_45
> tcnative 1.1.29 trunk (essentially 1.2.29
>
> tcnative$ make clean
> tcnative$ ./configure --with-apr=`which apr-config`
> --with-java-home=/usr/local/java-7 --with-ssl
> tcnative$ time make
> [...]
> make[1]: Leaving directory
> `/home/cschultz/projects/tomcat-native-1.1.x/native'
>
> real    0m14.790s
> user    0m15.300s
> sys     0m1.840s
>
> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>
> tcnative$ cd $CATALINA_BASE
>
> tomcat$ cat conf/server.xml
>
> [...]
>protocol="org.apache.coyote.http11.Http11AprProtocol"
>SSLEnabled="true"
>secure="true"
>scheme="https"
>SSLCertificateKeyFile="[...]"
>SSLCertificateFile="[...]"
>SSLCertificateChainFile="[...]"
>SSLProtocol="all"
>executor="tomcatThreadPool"
>URIEncoding="UTF-8" />
> [...]
>
> tomcat$ bin/startup.sh
>
> [...]
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
> version 1.4.6.
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
> [false], random [true].
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> [...]
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> verify error:num=19:self signed certificate in certificate chain
> [...]
> SSL-Session:
> Protocol  : TLSv1.2
> Cipher: DHE-RSA-AES256-GCM-SHA384
> [...]
>
> *disconnect*
>
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>
> Looks like TLS1.2 works just fine in the default configuration
> (SSLProtocol="all" is the default).
>
> Let's try your configuration. I'm only going to change SSLProtocol
> from "all" to "TLSv1":
>
>protocol="org.apache.coyote.http11.Http11AprProtocol"
>SSLEnabled="true"
>secure="true"
>scheme="https"
>SSLCertificateKeyFile="[...]"
>SSLCertificateFile="[...]"
>SSLCertificateChainFile="[...]"
>SSLProtocol="TLSv1"
>executor="tomcatThreadPool"
>URIEncoding="UTF-8" />
>
> * Restart Tomcat*
>
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
> Protocol  : TLSv1
> Cipher: DHE-RSA-AES256-SHA
> [...]
>
> Trying again with Firefox 26 gives me
> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>
> Let's try restricting to only your cipher. Let's make sure that my
> OpenSSL version supports it, first:
>
> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
> Mac=SHA256
>
>
> Yup. Let's configure it in Tomcat:
>
>protocol="org.apache.coyote.http11.Http11AprProtocol"
>SSLEnabled="true"
>secure="true"
>scheme="https"
>SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>SSLCertificateKeyFile="[...]"
>SSLCertificateFile="[...]"
>SSLCertificateChainFile="[...]"
>SSLProtocol="TLSv1"
>executor="tomcatThreadPool"
>URIEncoding="UTF-8" />
>
>
> $ openssl s_client -connect myhost:8218
> CONNECTED(0003)
> 139718306563752:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:741:
>
> $ openssl s_client -tls1 -connect myhost:8218
> CONNECTED(0003)
> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:596:
>
> $ openssl s_client -tls1_1 -connect myhost:8218
> CONNECTED(0003)
> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:337:
>
> $ openssl s_client -tls1_2 -connect myhost:8218
> CONNECTED(0003)
> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:337:
>
> Firefox also fails with "ssl_error_no_cypher_overlap".
>
> $ $ sslscan myhost:8218
>_
>___ ___| |___  ___ __ _ _ __
>   / __/ __| / __|/ __/ _` | '_ \
>   \__ \__ \ \__ \ (_| (_| | | | |
>   |___/___/_|___/\___\__,_|_| |_|
>
>   Version 1.8.2
>  http://www.titania.co.uk
> Copyright Ian Ventura-Whiting 2009
>
> Testing SSL 
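Christopher Schultz's experiment quoted above shows two independent ways an APR connector ends up with "no cipher overlap": `SSLProtocol="TLSv1"` leaves only TLS 1.0 negotiable, which rules out every TLS 1.2-only suite (anything with SHA256, SHA384 or GCM in its name), and a suite such as `ECDHE-ECDSA-AES128-SHA256` needs an ECDSA certificate, whereas the suites his server negotiated by default (DHE-RSA-...) point to an RSA key. As an added example (my code, not Tomcat's and not from the thread), the following linter encodes those rules, plus the JSSE-versus-APR attribute mix-up seen in Sanaullah's config (`sslProtocol="TLS"` next to `SSLProtocol="all"`). Assumptions: the attribute dictionaries are constructed from the fragments quoted in the thread, the certificate key type is passed in by hand rather than read from the PEM file, and `"all"` is modelled as enabling every version the attribute can name.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Tokens that appear only in TLS 1.2 suite names (SHA-2 PRF or AEAD modes).
_TLS12_ONLY = {"SHA256", "SHA384", "GCM", "CCM", "CCM8", "CHACHA20", "POLY1305"}
# Authentication token in an OpenSSL suite name -> key type the server certificate must carry.
_AUTH_KEY = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}
# Leading key-exchange tokens; a name without one (e.g. AES256-SHA) is plain RSA key exchange.
_KX_PREFIXES = {"ECDHE", "ECDH", "DHE", "EDH", "DH", "SRP", "PSK", "ADH", "AECDH"}
# Versions the SSLProtocol attribute can name, oldest first.
_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def enabled_protocols(ssl_protocol: str) -> Set[str]:
    """Expand an SSLProtocol value: "all" or version names joined with '+'."""
    enabled: Set[str] = set()
    for token in ssl_protocol.split("+"):
        token = token.strip()
        if token.lower() == "all":
            enabled.update(_PROTOCOLS)  # assumption: "all" enables every version the library knows
        elif token in _PROTOCOLS:
            enabled.add(token)
        else:
            raise ValueError(f"unknown SSLProtocol token {token!r}")
    return enabled


def cipher_requirements(name: str) -> Tuple[bool, Optional[str], bool]:
    """Return (needs_tls12, required_cert_key_type, is_anonymous) for one OpenSSL suite name."""
    tokens = name.split("-")
    needs_tls12 = bool(_TLS12_ONLY & set(tokens))
    anonymous = tokens[0] in ("ADH", "AECDH")
    key_type: Optional[str] = None
    if anonymous:
        pass                          # no certificate is used at all
    elif tokens[0] == "ECDH":
        key_type = "EC"               # static ECDH: the server key itself must be an EC key
    else:
        key_type = next((_AUTH_KEY[t] for t in tokens if t in _AUTH_KEY), None)
        if key_type is None and tokens[0] not in _KX_PREFIXES:
            key_type = "RSA"          # e.g. AES256-SHA: RSA key transport
    return needs_tls12, key_type, anonymous


def lint_apr_connector(attrs: Dict[str, str], cert_key_type: str) -> List[str]:
    """Check APR/native <Connector> attributes against the key type of the configured certificate."""
    findings: List[str] = []
    if "sslProtocol" in attrs:
        findings.append("sslProtocol is a JSSE (BIO/NIO) attribute; the APR connector ignores it, use SSLProtocol")
    enabled = enabled_protocols(attrs.get("SSLProtocol", "all"))
    if "TLSv1.2" not in enabled:
        highest = max(enabled, key=_PROTOCOLS.index)
        findings.append(f"SSLProtocol={attrs.get('SSLProtocol')!r} leaves TLSv1.2 disabled; clients get at most {highest}")
    for cipher in re.split(r"[:,\s]+", attrs.get("SSLCipherSuite", "")):
        # Skip empties, OpenSSL keywords such as HIGH or aRSA, and !/-/+/@ modifiers: not single suites.
        if not cipher or "-" not in cipher or cipher[0] in "!-+@":
            continue
        needs_tls12, key_type, anonymous = cipher_requirements(cipher)
        if needs_tls12 and "TLSv1.2" not in enabled:
            findings.append(f"{cipher} is a TLSv1.2-only suite but TLSv1.2 is not enabled")
        if key_type and key_type != cert_key_type:
            findings.append(f"{cipher} needs a server certificate with a {key_type} key but the configured key is {cert_key_type}")
        if anonymous:
            findings.append(f"{cipher} is an anonymous suite and gives the client no server authentication")
    return findings


# Connector attribute sets reconstructed from the fragments quoted in the thread (constructed samples).
DEFAULT_CONNECTOR = {
    "protocol": "org.apache.coyote.http11.Http11AprProtocol",
    "SSLEnabled": "true",
    "SSLProtocol": "all",
}
TLS1_ECDSA_CONNECTOR = dict(DEFAULT_CONNECTOR, SSLProtocol="TLSv1",
                            SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256")
MIXED_ATTRS_CONNECTOR = dict(DEFAULT_CONNECTOR, sslProtocol="TLS",
                             SSLCertificateKeyFile="/home/san/sinful.key")

if __name__ == "__main__":
    # Chris's server negotiated DHE-RSA suites (RSA certificate); San's key is prime256v1 (EC).
    for label, attrs, key in (("default", DEFAULT_CONNECTOR, "RSA"),
                              ("TLSv1 + ECDSA suite", TLS1_ECDSA_CONNECTOR, "RSA"),
                              ("JSSE attribute on APR", MIXED_ATTRS_CONNECTOR, "EC")):
        print(label, lint_apr_connector(attrs, key) or ["OK"])
```

The second sample reproduces the quoted failure without touching a server: the linter reports both that TLS 1.2 is switched off and that the chosen suite cannot be authenticated with an RSA key, which is exactly why every `openssl s_client` variant in the quoted transcript ended in a handshake alert.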

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Sanaullah
There is also a bug fix for TLS1.1 and TLS1.2 support by Marcel
Šebek. Maybe that needs to be applied:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c1



On Sun, Jan 5, 2014 at 8:18 AM, Sanaullah  wrote:

> You can create the ECC self-signed certificates using the two OpenSSL
> commands below:
>
> openssl ecparam -out sinful.key -name prime256v1 -genkey
> openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM
> -days 3650
>
> root@ubuntu:/# openssl s_client -connect localhost:8443
> CONNECTED(0003)
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
> TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
> YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
> MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
> VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
> hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
> +aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
> FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
> JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
> X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
> EmVg3uQq9XxPfiI=
> -----END CERTIFICATE-----
>
> ---
> SSL handshake has read 836 bytes and written 453 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
> Server public key is 256 bit
> Secure Renegotiation IS supported
>
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1
> Cipher: ECDH-ECDSA-AES256-SHA
> Session-ID:
> 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
> Session-ID-ctx:
> Master-Key:
> 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
>
> Key-Arg   : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 7200 (seconds)
> TLS session ticket:
> 0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de   9._1x.f}G{..
> 0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e   ...%.7s.P..>
> 0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05   .Qb..m.6
> 0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f   q^.4..[.
> 0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4   \?m...;..6.?..U.
> 0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36   H7s.u"..(...|..6
> 0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab   D13nQ.O^
> 0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c   ..{.i..w.:.j..0|
> 0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84   ...?..a.-XK.
> 0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91   IL"mV.U..'z?
> 00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68   ...Nw.."...h
>
> Start Time: 1388891510
> Timeout   : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
>
>
> I am also unable to initialize any TLS1.1- or TLS1.2-related ECC ciphers.
>
> Here is my config:
> tomcat 7.0.47
> libapr 1.5.0-1
> tcnative 1.1.29-1
>
> SSLEnabled="true"
>maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>SSLProtocol="all"
>SSLCertificateFile="/home/san/sinful.pem"
>SSLCertificateKeyFile="/home/san/sinful.key" />
>
>
>
>
> On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Mark,
>>
>> On 1/4/14, 6:37 PM, Mark Eggers wrote:
>> > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
>> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> >>
>> >> Musassir,
>> >>
>> >> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>> >>> Musassir,
>> >>>
>> >>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>>  Again, we have to submit this as a bug.TLS 1.2 is not
>>  working in Tomcat
>> >>>
>> >>> Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
>> >>> (essentially 1.2.29
>> >>>
>> >>> tcnative$ make clean tcnative$ ./configure --with-apr=`which
>> >>> apr-config` --with-java-home=/usr/local/java-7 --with-ssl
>> >>> tcnative$ time make [...] make[1]: Leaving directory
>> >>> `/home/cschultz/projects/tomcat-native-1.1.x/native'
>> >>>
>> >>> real0m14.790s user0m15.300s sys0m1.840s
>> >>>
>> >>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>> >>>
>> >>> tcnative$ cd $CATALINA_BASE
>> >>>
>> >>> tomcat$ cat conf/server.xml
>> >>>
>> >>> [...] > >>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> >>> SSLEnabled="true" secure="true" scheme="https"
>> >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
>> >>> SSLCertificateChainFile="[...]" SSLProtocol="all"
>> >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> [...]
>> >>>
>> >>> tomcat$ bin/startup.sh
>> >>>
>> >>> 

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Sanaullah
You can create the ECC self-signed certificates using the two OpenSSL
commands below:

openssl ecparam -out sinful.key -name prime256v1 -genkey
openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM
-days 3650

root@ubuntu:/# openssl s_client -connect localhost:8443
CONNECTED(0003)
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: ECDH-ECDSA-AES256-SHA
Session-ID:
0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
Session-ID-ctx:
Master-Key:
7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de   9._1x.f}G{..
0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e   ...%.7s.P..>
0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05   .Qb..m.6
0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f   q^.4..[.
0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4   \?m...;..6.?..U.
0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36   H7s.u"..(...|..6
0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab   D13nQ.O^
0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c   ..{.i..w.:.j..0|
0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84   ...?..a.-XK.
0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91   IL"mV.U..'z?
00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68   ...Nw.."...h

Start Time: 1388891510
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---


I am also unable to initialize any TLS1.1- or TLS1.2-related ECC ciphers.

Here is my config:
tomcat 7.0.47
libapr 1.5.0-1
tcnative 1.1.29-1






On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 1/4/14, 6:37 PM, Mark Eggers wrote:
> > On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
> >>
> >> Musassir,
> >>
> >> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> >>> Musassir,
> >>>
> >>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>  Again, we have to submit this as a bug.TLS 1.2 is not
>  working in Tomcat
> >>>
> >>> Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
> >>> (essentially 1.2.29
> >>>
> >>> tcnative$ make clean tcnative$ ./configure --with-apr=`which
> >>> apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> >>> tcnative$ time make [...] make[1]: Leaving directory
> >>> `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >>>
> >>> real0m14.790s user0m15.300s sys0m1.840s
> >>>
> >>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >>>
> >>> tcnative$ cd $CATALINA_BASE
> >>>
> >>> tomcat$ cat conf/server.xml
> >>>
> >>> [...]  >>> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>> SSLEnabled="true" secure="true" scheme="https"
> >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
> >>> SSLCertificateChainFile="[...]" SSLProtocol="all"
> >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> [...]
> >>>
> >>> tomcat$ bin/startup.sh
> >>>
> >>> [...] Jan 04, 2014 3:17:26 PM
> >>> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded
> >>> APR based Apache Tomcat Native library 1.1.30 using APR version
> >>> 1.4.6. Jan 04, 2014 3:17:26 PM
> >>> org.apache.catalina.core.AprLifecycleListener init INFO: APR
> >>> capabilities: IPv6 [true], sendfile [true], accept filters
> >>> [false], random [true]. Jan 04, 2014 3:17:26 PM
> >>> org.apache.catalina.core.AprLifecycleListener initializeSSL
> >>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
> >>> 2013) [...]
> >>>
> >>> tomcat$ openssl s_client -connect myhost:8218 [...] verify
> >>> error:num=19:self signed certificate in certificate chain
> >>> [...] SSL-Session: Protocol  : TLSv1.2 Cipher:
> >>> D

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 1/4/14, 6:37 PM, Mark Eggers wrote:
> On 1/4/2014 1:18 PM, Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> Musassir,
>> 
>> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>>> Musassir,
>>> 
>>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
 Again, we have to submit this as a bug.TLS 1.2 is not 
 working in Tomcat
>>> 
>>> Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk 
>>> (essentially 1.2.29
>>> 
>>> tcnative$ make clean tcnative$ ./configure --with-apr=`which 
>>> apr-config` --with-java-home=/usr/local/java-7 --with-ssl
>>> tcnative$ time make [...] make[1]: Leaving directory 
>>> `/home/cschultz/projects/tomcat-native-1.1.x/native'
>>> 
>>> real0m14.790s user0m15.300s sys0m1.840s
>>> 
>>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>>> 
>>> tcnative$ cd $CATALINA_BASE
>>> 
>>> tomcat$ cat conf/server.xml
>>> 
>>> [...] >> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>>> SSLEnabled="true" secure="true" scheme="https" 
>>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" 
>>> SSLCertificateChainFile="[...]" SSLProtocol="all" 
>>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> [...]
>>> 
>>> tomcat$ bin/startup.sh
>>> 
>>> [...] Jan 04, 2014 3:17:26 PM 
>>> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded
>>> APR based Apache Tomcat Native library 1.1.30 using APR version
>>> 1.4.6. Jan 04, 2014 3:17:26 PM 
>>> org.apache.catalina.core.AprLifecycleListener init INFO: APR 
>>> capabilities: IPv6 [true], sendfile [true], accept filters
>>> [false], random [true]. Jan 04, 2014 3:17:26 PM 
>>> org.apache.catalina.core.AprLifecycleListener initializeSSL
>>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
>>> 2013) [...]
>>> 
>>> tomcat$ openssl s_client -connect myhost:8218 [...] verify 
>>> error:num=19:self signed certificate in certificate chain
>>> [...] SSL-Session: Protocol  : TLSv1.2 Cipher: 
>>> DHE-RSA-AES256-GCM-SHA384 [...]
>>> 
>>> *disconnect*
>>> 
>>> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can
>>> connect using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>>> 
>>> Looks like TLS1.2 works just fine in the default configuration 
>>> (SSLProtocol="all" is the default).
>>> 
>>> Let's try your configuration. I'm only going to change
>>> SSLProtocol from "all" to "TLSv1":
>>> 
>>> >> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>>> SSLEnabled="true" secure="true" scheme="https" 
>>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" 
>>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" 
>>> executor="tomcatThreadPool" URIEncoding="UTF-8" />
>>> 
>>> * Restart Tomcat*
>>> 
>>> tomcat$ openssl s_client -connect myhost:8218 [...]
>>> SSL-Session: Protocol  : TLSv1 Cipher: DHE-RSA-AES256-SHA
>>> [...]
>>> 
>>> Trying again with Firefox 26 gives me 
>>> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>>> 
>>> Let's try restricting to only your cipher. Let's make sure that
>>> my OpenSSL version supports it, first:
>>> 
>>> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256 
>>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA 
>>> Enc=AES(128) Mac=SHA256
>>> 
>>> 
>>> Yup. Let's configure it in Tomcat:
>>> 
>>> >> protocol="org.apache.coyote.http11.Http11AprProtocol" 
>>> SSLEnabled="true" secure="true" scheme="https" 
>>> SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256" 
>>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" 
>>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" 
>>> executor="tomcatThreadPool" URIEncoding="UTF-8" />
>>> 
>>> 
>>> $ openssl s_client -connect myhost:8218 CONNECTED(0003) 
>>> 139718306563752:error:14077410:SSL 
>>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
>>> failure:s23_clnt.c:741:
>>> 
>>> $ openssl s_client -tls1 -connect myhost:8218
>>> CONNECTED(0003) 139965071759016:error:14094410:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert handshake
>>> failure:s3_pkt.c:1256:SSL alert number 40 
>>> 139965071759016:error:1409E0E5:SSL
>>> routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>>> 
>>> $ openssl s_client -tls1_1 -connect myhost:8218 
>>> CONNECTED(0003) 140680041133736:error:1408F10B:SSL 
>>> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>>> 
>>> $ openssl s_client -tls1_2 -connect myhost:8218 
>>> CONNECTED(0003) 139976873068200:error:1408F10B:SSL 
>>> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>>> 
>>> Firefox also fails with "ssl_error_no_cypher_overlap".
>>> 
>>> $ $ sslscan myhost:8218 _ ___ ___| |___  ___ __ _ _ __ / __/
>>> __| / __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | | 
>>> |___/___/_|___/\___\__,_|_| |_|
>>> 
>>> Version 1.8.2 http://www.titania.co.uk Copyright Ian 
>>> Ventura-Whiting 2009
>>> 
>>> Testing SSL server myhost on port 8218
>>> 
>>> Supported Server Cipher(s): FailedSSLv3  256 bits 
>>> ECDHE-RSA-AES256-GCM-SHA384 FailedSSLv3  256 

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Mark Eggers

On 1/4/2014 1:18 PM, Christopher Schultz wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Musassir,

On 1/4/14, 4:08 PM, Christopher Schultz wrote:

Musassir,

On 1/3/14, 5:27 PM, Mudassir Aftab wrote:

Again, we have to submit this as a bug.TLS 1.2 is not
working in Tomcat


Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk
(essentially 1.2.29

tcnative$ make clean tcnative$ ./configure --with-apr=`which
apr-config` --with-java-home=/usr/local/java-7 --with-ssl tcnative$
time make [...] make[1]: Leaving directory
`/home/cschultz/projects/tomcat-native-1.1.x/native'

real    0m14.790s user  0m15.300s sys   0m1.840s

tcnative$ cp -d .libs/* $CATALINA_HOME/bin

tcnative$ cd $CATALINA_BASE

tomcat$ cat conf/server.xml

[...]  [...]

tomcat$ bin/startup.sh

[...] Jan 04, 2014 3:17:26 PM
org.apache.catalina.core.AprLifecycleListener init INFO: Loaded APR
based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
Jan 04, 2014 3:17:26 PM
org.apache.catalina.core.AprLifecycleListener init INFO: APR
capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true]. Jan 04, 2014 3:17:26 PM
org.apache.catalina.core.AprLifecycleListener initializeSSL INFO:
OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
[...]

tomcat$ openssl s_client -connect myhost:8218 [...] verify
error:num=19:self signed certificate in certificate chain [...]
SSL-Session: Protocol  : TLSv1.2 Cipher:
DHE-RSA-AES256-GCM-SHA384 [...]

*disconnect*

I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

Looks like TLS1.2 works just fine in the default configuration
(SSLProtocol="all" is the default).

Let's try your configuration. I'm only going to change SSLProtocol
from "all" to "TLSv1":



* Restart Tomcat*

tomcat$ openssl s_client -connect myhost:8218 [...] SSL-Session:
Protocol  : TLSv1 Cipher: DHE-RSA-AES256-SHA [...]

Trying again with Firefox 26 gives me
cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

Let's try restricting to only your cipher. Let's make sure that my
OpenSSL version supports it, first:

tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA
Enc=AES(128) Mac=SHA256


Yup. Let's configure it in Tomcat:




$ openssl s_client -connect myhost:8218 CONNECTED(0003)
139718306563752:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:741:

$ openssl s_client -tls1 -connect myhost:8218 CONNECTED(0003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:

$ openssl s_client -tls1_1 -connect myhost:8218
CONNECTED(0003) 140680041133736:error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

$ openssl s_client -tls1_2 -connect myhost:8218
CONNECTED(0003) 139976873068200:error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Firefox also fails with "ssl_error_no_cypher_overlap".

$ $ sslscan myhost:8218 _ ___ ___| |___  ___ __ _ _ __ / __/ __| /
__|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | |
|___/___/_|___/\___\__,_|_| |_|

Version 1.8.2 http://www.titania.co.uk Copyright Ian
Ventura-Whiting 2009

Testing SSL server myhost on port 8218

Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  AECDH-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ADH-AES256-SHA256
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA
    Failed    SSLv3  256 bits  AES256-GCM-SHA384
    Failed    SSLv3  256 bits  AES256-SHA256
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  256 bits  CAMELLIA256-SHA
    Failed    S

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mudassir,

On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> Mudassir,
> 
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>> Again, we have to submit this as a bug. TLS 1.2 is not
>> working in Tomcat
> 
> Tomcat 7.0.74
> Oracle Java 1.7.0_45
> tcnative 1.1.29 trunk (essentially 1.2.29)
> 
> tcnative$ make clean
> tcnative$ ./configure --with-apr=`which apr-config`
> --with-java-home=/usr/local/java-7 --with-ssl
> tcnative$ time make
> [...]
> make[1]: Leaving directory
> `/home/cschultz/projects/tomcat-native-1.1.x/native'
> 
> real    0m14.790s
> user    0m15.300s
> sys     0m1.840s
> 
> tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> 
> tcnative$ cd $CATALINA_BASE
> 
> tomcat$ cat conf/server.xml
> 
> [...]
> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>            SSLEnabled="true" secure="true" scheme="https"
>            SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
>            SSLCertificateChainFile="[...]" SSLProtocol="all"
>            executor="tomcatThreadPool" URIEncoding="UTF-8" />
> [...]
> 
> tomcat$ bin/startup.sh
> 
> [...]
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
> version 1.4.6.
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
> [false], random [true].
> Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> [...]
> 
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> verify error:num=19:self signed certificate in certificate chain
> [...]
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
> [...]
> 
> *disconnect*
> 
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect 
> using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
> 
> Looks like TLS1.2 works just fine in the default configuration 
> (SSLProtocol="all" is the default).
> 
> Let's try your configuration. I'm only going to change SSLProtocol 
> from "all" to "TLSv1":
> 
> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>            SSLEnabled="true" secure="true" scheme="https"
>            SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
>            SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
>            executor="tomcatThreadPool" URIEncoding="UTF-8" />
> 
> *Restart Tomcat*
> 
> tomcat$ openssl s_client -connect myhost:8218
> [...]
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
> [...]
> 
> Trying again with Firefox 26 gives me
> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
> 
> Let's try restricting to only your cipher. Let's make sure that my 
> OpenSSL version supports it, first:
> 
> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
> Mac=SHA256
> 
> 
> Yup. Let's configure it in Tomcat:
> 
> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>            SSLEnabled="true" secure="true" scheme="https"
>            SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>            SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
>            SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
>            executor="tomcatThreadPool" URIEncoding="UTF-8" />
> 
> 
> $ openssl s_client -connect myhost:8218
> CONNECTED(0003)
> 139718306563752:error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
> failure:s23_clnt.c:741:
> 
> $ openssl s_client -tls1 -connect myhost:8218
> CONNECTED(0003)
> 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
> alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:596:
> 
> $ openssl s_client -tls1_1 -connect myhost:8218
> CONNECTED(0003)
> 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:337:
> 
> $ openssl s_client -tls1_2 -connect myhost:8218
> CONNECTED(0003)
> 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> version number:s3_pkt.c:337:
> 
> Firefox also fails with "ssl_error_no_cypher_overlap".
> 
> $ sslscan myhost:8218
>                    _
>          ___ ___| |___  ___ __ _ _ __
>         / __/ __| / __|/ __/ _` | '_ \
>         \__ \__ \ \__ \ (_| (_| | | | |
>         |___/___/_|___/\___\__,_|_| |_|
> 
>                   Version 1.8.2
>              http://www.titania.co.uk
>         Copyright Ian Ventura-Whiting 2009
> 
> Testing SSL server myhost on port 8218
> 
>   Supported Server Cipher(s):
>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
>     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
>     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
>     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
>     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
>     Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
>     Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
>     Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
>     Failed    SSLv3  256 bit

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz

Mudassir,

On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug. TLS 1.2 is not working
> in Tomcat

Tomcat 7.0.74
Oracle Java 1.7.0_45
tcnative 1.1.29 trunk (essentially 1.2.29)

tcnative$ make clean
tcnative$ ./configure --with-apr=`which apr-config`
--with-java-home=/usr/local/java-7 --with-ssl
tcnative$ time make
[...]
make[1]: Leaving directory
`/home/cschultz/projects/tomcat-native-1.1.x/native'

real    0m14.790s
user    0m15.300s
sys     0m1.840s

tcnative$ cp -d .libs/* $CATALINA_HOME/bin

tcnative$ cd $CATALINA_BASE

tomcat$ cat conf/server.xml

[...]
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
           SSLCertificateChainFile="[...]" SSLProtocol="all"
           executor="tomcatThreadPool" URIEncoding="UTF-8" />
[...]

tomcat$ bin/startup.sh

[...]
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
version 1.4.6.
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
[...]

tomcat$ openssl s_client -connect myhost:8218
[...]
verify error:num=19:self signed certificate in certificate chain
[...]
SSL-Session:
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384
[...]

*disconnect*

I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

Looks like TLS1.2 works just fine in the default configuration
(SSLProtocol="all" is the default).

Let's try your configuration. I'm only going to change SSLProtocol
from "all" to "TLSv1":

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
           SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
           executor="tomcatThreadPool" URIEncoding="UTF-8" />

*Restart Tomcat*

tomcat$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
[...]

Trying again with Firefox 26 gives me
cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

Let's try restricting to only your cipher. Let's make sure that my
OpenSSL version supports it, first:

tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
Mac=SHA256


Yup. Let's configure it in Tomcat:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" secure="true" scheme="https"
           SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
           SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
           SSLCertificateChainFile="[...]" SSLProtocol="TLSv1"
           executor="tomcatThreadPool" URIEncoding="UTF-8" />


$ openssl s_client -connect myhost:8218
CONNECTED(0003)
139718306563752:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:741:

$ openssl s_client -tls1 -connect myhost:8218
CONNECTED(0003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:

$ openssl s_client -tls1_1 -connect myhost:8218
CONNECTED(0003)
140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:

$ openssl s_client -tls1_2 -connect myhost:8218
CONNECTED(0003)
139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:

Firefox also fails with "ssl_error_no_cypher_overlap".

$ sslscan myhost:8218
   _
   ___ ___| |___  ___ __ _ _ __
  / __/ __| / __|/ __/ _` | '_ \
  \__ \__ \ \__ \ (_| (_| | | | |
  |___/___/_|___/\___\__,_|_| |_|

  Version 1.8.2
 http://www.titania.co.uk
Copyright Ian Ventura-Whiting 2009

Testing SSL server myhost on port 8218

  Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-CAMELLIA256-SHA
    Rejected  SSLv3  256 bits  AECDH-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  ADH-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ADH-AES256-SHA256
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  ADH-CAMELLIA256-SHA
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDH-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDH-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDH-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDH-ECDSA-AES256-SHA

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz

Chuck,

On 1/3/14, 12:32 PM, Caldarale, Charles R wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com] Subject: Re:
>> TLS is not working in 6.0.37, 7.0.42, 7.0.47
> 
>> <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="200" clientAuth="false"
>>            *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*
> 
> Why are there asterisks on that config line?  Remove them if
> they're actually present.  Don't try to get cute with formatting
> tricks like bolding text, since this is a plaintext mailing list.
> 
>> Jan 03, 2014 5:09:49 PM
>> org.apache.catalina.core.AprLifecycleListener initializeSSL INFO:
>> OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
> 
> You need to update the OpenSSL version to 1.0.1e, which contains
> fixes for TLS 1.1 and 1.2 negotiation.  Once that's installed (and
> tcnative rebuilt), verify that the desired cipher is available with
> the "openssl ciphers" command.
> 
> You also need to confirm that your client is capable of TLSv1.2
> using the above cipher.  As stated before, getting a Wireshark or
> tcpdump trace of the negotiation would show what the client
> allows.

+1

You might want to look at sslscan, or use
https://www.ssllabs.com/ssltest/index.html to test your server. It can
tell you what ciphers are supported, etc. even if your client is
misbehaving.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz

Mudassir,

On 1/2/14, 7:41 PM, Mudassir Aftab wrote:
> Thanks for keep replying,  is there any way to restrict the cipher
> suite in the connector configuration?
> 
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Read the documentation for <Connector>.

-chris




Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Mudassir Aftab
Here is my test with the latest openssl and tomcat.

Tools:
openssl:  1.0.1e
apache-tomcat-7.0.47
apr-1.5.0.
tomcat-native-1.1.29

Connector:



Tomcat Logs:
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3580 ms
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start


Verification Tests:
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1
-cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(0003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers
available:s3_clnt.c:754:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1388841094
Timeout   : 7200 (sec)
Verify return code: 0 (y)
---
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher
ECDHE-ECDSA-AES128-SHA256
CONNECTED(0003)
3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers
available:s23_clnt.c:486:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---



On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers  wrote:

> On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com] Subject: RE:
>>> TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>>> Again, we have to submit this as a bug. TLS 1.2 is not working
>>> in Tomcat
>>
>> The only evidence you have provided is that your single chosen cipher
>> is not implemented by the version of Firefox you're using - which has
>> nothing to do with Tomcat.  The TCP capture you provided is just text
>> rather than a useful .pcap file, and no one's going to waste their
>> time digging through raw bits when any decent protocol analyzer would
>> do the job automatically.
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>> PROPRIETARY MATERIAL and is thus for use only by the intended
>> recipient. If you received this in error, please contact the sender
>> and delete the e-mail and its attachments from all computers.
>>
>
> It's been years (more than I care t

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mark Eggers

On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:

>> From: Mudassir Aftab [mailto:withmudas...@gmail.com] Subject: RE:
>> TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
>> Again, we have to submit this as a bug. TLS 1.2 is not working
>> in Tomcat
>
> The only evidence you have provided is that your single chosen cipher
> is not implemented by the version of Firefox you're using - which has
> nothing to do with Tomcat.  The TCP capture you provided is just text
> rather than a useful .pcap file, and no one's going to waste their
> time digging through raw bits when any decent protocol analyzer would
> do the job automatically.
>
> - Chuck




It's been years (more than I care to count) since I've read raw packet 
data, but at first glance I do not see the browser (172.16.50.10) 
initiating a TLSv1.2 Client Hello.


I'm looking at the following line:

0030  c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05   .9.8

I expect to see something like:

16 03 01

starting at octet 36. Instead, I see:

00 87 00

I don't know if that's because the information is encrypted, or what. 
However, it doesn't look like what I see when I aim Firefox 26.0 at an 
HTTPS site.


I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or 
CentOS). If so, get that and look for the TLSv1.2 Client Hello coming 
from your browser. If it's not coming from your browser, then something 
else is wrong.


Are you addressing example.com with https://example.com:8443/ in your 
browser?


As has been pointed out, this is an all-volunteer list (taking a break 
from writing an RFP here). Making it difficult to answer questions 
(incorrect, incomplete, or difficult to parse information) will not 
encourage volunteers to step forth.


. . . . Friday night RFP response writing
/mde/

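Mark's by-eye reading of the hex dump above and Chris's SSLProtocol/SSLCipherSuite experiments earlier in the thread can both be checked mechanically. The following Python is an added example, not code from the thread or from Tomcat: it decodes a ClientHello record the way Mark does (record header 16 03 01, then the client_version and cipher_suites fields) and simulates which suite a Tomcat APR connector with given SSLProtocol and SSLCipherSuite values would end up with. The ClientHello bytes are constructed, the suite table covers only suites named in this thread, `client_min_version` stands in for a client pinned to one version such as `openssl s_client -tls1_2`, and the function names are chosen here.

```python
import struct

# Added example, not from the thread or from Tomcat. IANA suite id ->
# (OpenSSL name, lowest protocol version the suite runs on); SHA256/GCM
# suites exist only in TLS 1.2, which is the crux of the thread.
SUITES = {
    0xC00A: ("ECDHE-ECDSA-AES256-SHA", 0x0301),
    0xC014: ("ECDHE-RSA-AES256-SHA", 0x0301),
    0x0088: ("DHE-RSA-CAMELLIA256-SHA", 0x0301),
    0x0087: ("DHE-DSS-CAMELLIA256-SHA", 0x0301),
    0x0039: ("DHE-RSA-AES256-SHA", 0x0301),
    0x0038: ("DHE-DSS-AES256-SHA", 0x0301),
    0xC00F: ("ECDH-RSA-AES256-SHA", 0x0301),
    0xC005: ("ECDH-ECDSA-AES256-SHA", 0x0301),
    0xC023: ("ECDHE-ECDSA-AES128-SHA256", 0x0303),
    0x009F: ("DHE-RSA-AES256-GCM-SHA384", 0x0303),
}
NAME_TO_ID = {name: sid for sid, (name, _) in SUITES.items()}
PROTOCOLS = {"TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in PROTOCOLS.items()}


def parse_client_hello(payload):
    """Decode the first TLS record in a TCP payload; it must be a ClientHello.

    The record header is usually 16 03 01 even for a TLS 1.2 client: the
    version the client really offers is client_version inside the handshake.
    """
    if len(payload) < 5 or payload[0] != 0x16:
        raise ValueError("byte 0 is not 0x16: not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", payload[1:5])
    body = payload[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("handshake type is not ClientHello (0x01)")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                 # skip client_random
    pos += 1 + hello[pos]        # skip length-prefixed session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {"record_version": record_version,
            "client_version": client_version, "cipher_suites": suites}


def negotiate(hello, ssl_protocol, ssl_cipher_suite, client_min_version=0x0301):
    """Simulate a Tomcat APR connector choosing a suite for this ClientHello.

    ssl_protocol mirrors the SSLProtocol attribute ("all" or names joined by
    "+"); ssl_cipher_suite mirrors SSLCipherSuite as an explicit colon list of
    OpenSSL names (keywords such as HIGH or ALL are not expanded here).
    Suites are tried in the client's order, OpenSSL's default behaviour.
    Returns (chosen suite name or None, reason).
    """
    if ssl_protocol == "all":
        server_versions = set(PROTOCOLS.values())
    else:
        server_versions = {PROTOCOLS[p] for p in ssl_protocol.split("+")}
    common = [v for v in server_versions
              if client_min_version <= v <= hello["client_version"]]
    if not common:
        return None, "no protocol version in common"  # s_client: wrong version number
    version = max(common)
    server_suites = {NAME_TO_ID[name] for name in ssl_cipher_suite.split(":")}
    needs_newer = False
    for sid in hello["cipher_suites"]:
        if sid not in server_suites:
            continue
        name, min_version = SUITES[sid]
        if min_version <= version:
            return name, "negotiated " + VERSION_NAMES[version]
        needs_newer = True
    if needs_newer:
        return None, ("suites in common need TLSv1.2 but negotiated version is "
                      + VERSION_NAMES[version])
    return None, "no cipher suite in common"  # Firefox: ssl_error_no_cypher_overlap


def build_client_hello(client_version, suites):
    """Build a minimal ClientHello record; used only to construct sample input."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", client_version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + b"\x00\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed sample: a TLS 1.2 browser offering the eight suites visible in
# Mark's hex line (c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05) and no
# SHA256 suite, which is what the thread concludes about Firefox 26.
BROWSER_HELLO = parse_client_hello(build_client_hello(
    0x0303, [0xC00A, 0xC014, 0x0088, 0x0087, 0x0039, 0x0038, 0xC00F, 0xC005]))
# Constructed sample: an openssl s_client style client that does offer 0xC023.
OPENSSL_HELLO = parse_client_hello(build_client_hello(0x0303, [0xC023, 0x009F]))

if __name__ == "__main__":
    default = ("DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
               "DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA")
    print(negotiate(BROWSER_HELLO, "all", default))
    print(negotiate(BROWSER_HELLO, "TLSv1", "ECDHE-ECDSA-AES128-SHA256"))
    print(negotiate(OPENSSL_HELLO, "TLSv1", "ECDHE-ECDSA-AES128-SHA256"))
```

With the browser sample the first call picks DHE-RSA-CAMELLIA256-SHA over TLSv1.2, as Chris saw with the default connector, and the second reproduces the cipher-overlap failure; the third shows the TLS 1.2-only suite being unusable once SSLProtocol is pinned to TLSv1.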



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David Kerber

On 1/3/2014 5:27 PM, Mudassir Aftab wrote:

> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat


I wouldn't be too sure of that.  It might be that Firefox doesn't 
implement your chosen cipher.




> On Jan 4, 2014 3:16 AM, "Caldarale, Charles R"
> wrote:
>
>> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>> > Did you get wireshark filtered output ?
>>
>> Everybody on this list is a volunteer, with their own real jobs to take
>> care of.  If you want immediate attention, you bloody well need to pay for
>> it.
>>
>>  - Chuck





RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

The only evidence you have provided is that your single chosen cipher is not 
implemented by the version of Firefox you're using - which has nothing to do 
with Tomcat.  The TCP capture you provided is just text rather than a useful 
.pcap file, and no one's going to waste their time digging through raw bits 
when any decent protocol analyzer would do the job automatically.

 - Chuck







RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
On Jan 4, 2014 3:16 AM, "Caldarale, Charles R" 
wrote:

> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> > Did you get wireshark filtered output ?
>
> Everybody on this list is a volunteer, with their own real jobs to take
> care of.  If you want immediate attention, you bloody well need to pay for
> it.
>
>  - Chuck
>
>
>
>
>
>


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Did you get wireshark filtered output ?

Everybody on this list is a volunteer, with their own real jobs to take care 
of.  If you want immediate attention, you bloody well need to pay for it.

 - Chuck







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Did you get wireshark filtered output ?

Mudassir


On Sat, Jan 4, 2014 at 2:50 AM, Mudassir Aftab wrote:

> Please find attached wireshark file.
>
>
> On Sat, Jan 4, 2014 at 1:59 AM, Caldarale, Charles R <
> chuck.caldar...@unisys.com> wrote:
>
>> > From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>> > Also attached TCP dump logs
>>
>> Actually, you only attached the TCP headers, not the full capture.  The
>> headers can't tell us anything.
>>
>> > I am again getting following error on FF26 with TLS 1.2 support
>> > Cannot communicate securely with peer: no common encryption
>> algorithm(s).
>> > (Error code: ssl_error_no_cypher_overlap)
>>
>> Which would again indicate that the client (FF26) does not implement your
>> chosen cipher.
>>
>>  - Chuck
>>
>>
>>
>>
>>
>>
>


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Also attached TCP dump logs

Actually, you only attached the TCP headers, not the full capture.  The headers 
can't tell us anything.

> I am again getting following error on FF26 with TLS 1.2 support
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Which would again indicate that the client (FF26) does not implement your 
chosen cipher.

 - Chuck







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi ,

I have compiled tomcat-native-1.1.29-src.tar.gz with 1.0.1e-3ubuntu1 and
tested it with a fresh apache-tomcat-7.0.47.tar.gz, with the following
connector settings:



Tomcat Logs:
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3189 ms
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.util.SessionIdGenerator
createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using
[SHA1PRNG] took [19,247] milliseconds.
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 8:25:56 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 8:25:58 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]

Also attached TCP dump logs. I am again getting the following error on FF26
with TLS 1.2 support:
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
20:36:23.496965 IP 10.10.0.147.18938 > example.com.8443: Flags [S], seq 
435979095, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:23.497066 IP example.com.8443 > 10.10.0.147.18938: Flags [S.], seq 
1576579154, ack 435979096, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:23.739969 IP 10.10.0.147.18938 > example.com.8443: Flags [.], ack 1, win 
4098, length 0
20:36:24.023396 IP 10.10.0.147.18938 > example.com.8443: Flags [P.], seq 1:202, 
ack 1, win 4098, length 201
20:36:24.023471 IP example.com.8443 > 10.10.0.147.18938: Flags [.], ack 202, 
win 237, length 0
20:36:24.023964 IP example.com.8443 > 10.10.0.147.18938: Flags [P.], seq 1:8, 
ack 202, win 237, length 7
20:36:24.024187 IP example.com.8443 > 10.10.0.147.18938: Flags [F.], seq 8, ack 
202, win 237, length 0
20:36:24.713659 IP 10.10.0.147.18938 > example.com.8443: Flags [F.], seq 202, 
ack 8, win 4096, length 0
20:36:24.713726 IP example.com.8443 > 10.10.0.147.18938: Flags [.], ack 203, 
win 237, length 0
20:36:24.956342 IP 10.10.0.147.18939 > example.com.8443: Flags [S], seq 
3315815756, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:24.956402 IP example.com.8443 > 10.10.0.147.18939: Flags [S.], seq 
3575233717, ack 3315815757, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:24.956415 IP 10.10.0.147.18938 > example.com.8443: Flags [.], ack 9, win 
4096, length 0
20:36:25.225229 IP 10.10.0.147.18940 > example.com.8443: Flags [S], seq 
821209259, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:25.225278 IP example.com.8443 > 10.10.0.147.18940: Flags [S.], seq 
2980117984, ack 821209260, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:25.468393 IP 10.10.0.147.18939 > example.com.8443: Flags [.], ack 1, win 
4098, length 0
20:36:25.468436 IP 10.10.0.147.18939 > example.com.8443: Flags [P.], seq 1:180, 
ack 1, win 4098, length 179
20:36:25.468481 IP example.com.8443 > 10.10.0.147.18939: Flags [.], ack 180, 
win 237, length 0
20:36:25.469227 IP example.com.8443 > 10.10.0.147.18939: Flags [P.], 

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

I am getting the following error while compiling tomcat-native-1.1.29-src with
1.0.1e-3ubuntu1; shall I ignore this?

src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_make':
src/sslcontext.c:77:17: warning: passing argument 1 of 'SSL_CTX_new' makes
pointer from integer without a cast [enabled by default]
 ctx = SSL_CTX_new(SSLv2_client_method());
 ^
In file included from
/opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD
*' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
  ^
src/sslcontext.c:79:17: warning: passing argument 1 of 'SSL_CTX_new' makes
pointer from integer without a cast [enabled by default]
 ctx = SSL_CTX_new(SSLv2_server_method());
 ^
In file included from
/opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD
*' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
  ^
src/sslcontext.c:81:17: warning: passing argument 1 of 'SSL_CTX_new' makes
pointer from integer without a cast [enabled by default]
 ctx = SSL_CTX_new(SSLv2_method());
 ^
In file included from
/opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD
*' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Sanaullah [mailto:sanaulla...@gmail.com] 
> Subject: Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> The document which you were referring to,
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
> clearly states that only SSLv2, SSLv3, TLSv1 are supported by the SSLProtocol
> attribute.

TLSv1.1 and TLSv1.2 are included in TLSv1, when using the appropriate ciphers.

> TLSv1.1 and TLSv1.2 supported ciphers can't be invoked until TLSv1.1 and
> TLSv1.2 are enabled; see the supported cipher list for TLSv1.2 at the OpenSSL link.
> http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

That's backwards; TLSv1.1 and TLSv1.2 are used automatically if TLSv1 is 
enabled and the client and server support v1.1 or v1.2 ciphers.

>  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
>  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
>  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
>  TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Those all appear to be supported in OpenSSL 1.0.1e.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

I just bolded it from Gmail :)


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

>  protocol="org.apache.coyote.http11.Http11AprProtocol"
>maxThreads="200"
>clientAuth="false"
>*SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*

Why are there asterisks on that config line?  Remove them if they're actually 
present.  Don't try to get cute with formatting tricks like bolding text, since 
this is a plaintext mailing list.

> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)

You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 
1.1 and 1.2 negotiation.  Once that's installed (and tcnative rebuilt), verify 
that the desired cipher is available with the "openssl ciphers" command.

You also need to confirm that your client is capable of TLSv1.2 using the above 
cipher.  As stated before, getting a Wireshark or tcpdump trace of the 
negotiation would show what the client allows.

 - Chuck
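Chuck's point that a tcpdump or Wireshark trace shows what the client allows, and the trace posted higher up in this thread (a 201-byte client record, a 7-byte server reply, then a FIN), can be checked by hand at the TLS record layer. The following is an added example, not code from the thread or from Tomcat: it parses a ClientHello for the client version and the offered cipher suites, parses the server's reply as an alert record, and intersects the offer with the server's configured SSLCipherSuite. Both messages are constructed here (a minimal ClientHello without extensions, and a 7-byte record carrying a fatal handshake_failure alert); which suites Firefox 26 really offered is not established by the thread, so the sample client simply omits the CBC-SHA256 suite the server was pinned to. A 7-byte TLS record is exactly a 5-byte record header plus a 2-byte alert body, and NSS reports a handshake_failure alert to the user as ssl_error_no_cypher_overlap.

```python
"""Parse a TLS ClientHello and a TLS Alert record from captured bytes.

Added example (not from the mailing-list thread). Sample messages are
constructed below; cipher-suite numbers are the IANA/RFC values.
"""
import struct

# IANA cipher-suite identifiers (subset) -> OpenSSL names
SUITE_NAMES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC023: "ECDHE-ECDSA-AES128-SHA256",
    0xC027: "ECDHE-RSA-AES128-SHA256",
    0xC00A: "ECDHE-ECDSA-AES256-SHA",
    0xC009: "ECDHE-ECDSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0x0039: "DHE-RSA-AES256-SHA",
    0x0033: "DHE-RSA-AES128-SHA",
    0x0035: "AES256-SHA",
    0x002F: "AES128-SHA",
    0x000A: "DES-CBC3-SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}


def parse_record(data):
    """Split one TLS record into (content_type, record_version, body)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, ver, body


def parse_client_hello(data):
    """Return (client_version, [cipher suite ids]) from a ClientHello record."""
    ctype, _, body = parse_record(data)
    if ctype != 0x16 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip the 32-byte client random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip the session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites


def parse_alert(data):
    """Return (level, description) from an alert record."""
    ctype, _, body = parse_record(data)
    if ctype != 0x15 or len(body) != 2:
        raise ValueError("not an alert record")
    level = "fatal" if body[0] == 2 else "warning"
    return level, ALERT_DESCRIPTIONS.get(body[1], "alert(%d)" % body[1])


def common_suites(client_suites, server_names):
    """OpenSSL names offered by the client that the server is configured to accept."""
    offered = {SUITE_NAMES.get(s, "0x%04X" % s) for s in client_suites}
    return sorted(offered & set(server_names))


def build_client_hello(version, suites):
    """Constructed ClientHello for the demo: zero random, no session id, no extensions."""
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    hello += struct.pack("!H", 2 * len(suites))
    hello += b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"              # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


# Constructed sample: a TLS 1.2 client offering GCM and SHA-1 suites but no
# CBC-SHA256 suite, against a server pinned to ECDHE-ECDSA-AES128-SHA256.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303, [0xC02B, 0xC02F, 0xC00A, 0xC009, 0xC014, 0xC013,
             0x0039, 0x0033, 0x0035, 0x002F, 0x000A])
# Constructed 7-byte server reply: alert record, fatal (2), handshake_failure (40).
SAMPLE_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])
SERVER_CIPHER_SUITE = ["ECDHE-ECDSA-AES128-SHA256"]

if __name__ == "__main__":
    ver, suites = parse_client_hello(SAMPLE_CLIENT_HELLO)
    print("client offers", VERSIONS.get(ver, hex(ver)), "with", len(suites), "suites")
    print("overlap with server:", common_suites(suites, SERVER_CIPHER_SUITE) or "none")
    print("server replied:", parse_alert(SAMPLE_ALERT))
```

On a real capture you would feed the TCP payload of the client's first data segment to parse_client_hello and the server's 7-byte segment to parse_alert; the suite list the browser actually sent is what settles whether the configured cipher was ever offered, which is exactly the question left open above.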





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David kerber

On 1/3/2014 12:14 PM, Mudassir Aftab wrote:

> *Connector Settings:*

Do you really have the asterisks around this in your config?

> scheme="https" secure="true" SSLEnabled="true"
> SSLCertificateFile="/home/mudassir/pay/p.pem"
> SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
>
> *Tomcat Logs:*
>
> *Firefox Error: Version 26*
>
> Secure Connection Failed
>
> An error occurred during a connection to pay.upaga.net:8443. Cannot
> communicate securely with peer: no common encryption algorithm(s). (Error
> code: ssl_error_no_cypher_overlap)

Does Firefox support "ECDHE-ECDSA-AES128-SHA256"?  I don't know...






Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
*Connector Settings:*



*Tomcat Logs:*
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 5:09:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2757 ms
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 5:09:51 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 5:09:54 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]



*Firefox Error: Version 26*

Secure Connection Failed

An error occurred during a connection to pay.upaga.net:8443. Cannot
communicate securely with peer: no common encryption algorithm(s). (Error
code: ssl_error_no_cypher_overlap)


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David kerber

On 1/3/2014 11:18 AM, Mudassir Aftab wrote:

> Then what could be the working config!!! Can you edit it and send it to me?
>
> Regards,
> Mudassir Aftab

Go back and read this thread carefully.  There have been several errors 
pointed out to you which you haven't yet fixed.  Fix them (proofreading 
carefully!), test it, and if it still doesn't work, post your full config.







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Then what could be the working config!!! Can you edit it and send it to me?

Regards,
Mudassir Aftab


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: David kerber [mailto:dcker...@verizon.net] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> > Sorry for asking u same thing again and again, i have tried many things
> > from above document, but nothing works for me, also no errors in the log
> >  > protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxThreads="200"
> > clientAuth="false"
> > ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
> > scheme="https" secure="true" SSLEnabled="true"
> > SSLCertificateFile="/home/mudassir/pay/p.pem"
> > SSLCertificateKeyFile="/home/mudassir/p-key.pem"
> > SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
> >
> >SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"

> If what you list here is what is really in your config file, you're not 
> proofreading your configuration entries very well.  You have 
> SSLCipherSuite misspelled (two missing letters), and it's not inside the 
> connector configuration entry.

Not to mention still having the ciphers attribute, which is not used with APR.

 - Chuck





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Also, the following setting is working for TLS v1 but not with TLS v1.2, so
it's a bug!!!









Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

That was just a typo; on the system it is fine, and I keep checking the
logs, with no warning in them.

Also, what about the following post?

I also took an interest in digging into this issue.

The document which you were referring to,
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
clearly states that only SSLv2, SSLv3, TLSv1 are supported by the SSLProtocol
attribute.

SSLCipherSuite will only support ciphers available in SSLv2, SSLv3,
TLSv1.

TLSv1.1 and TLSv1.2 supported ciphers can't be invoked until TLSv1.1 and
TLSv1.2 are enabled; see the supported cipher list for TLSv1.2 at the OpenSSL link:
http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I am happy to see if someone enabled the below ciphers without enabling
TLSv1.2.

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384






Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David kerber

On 1/3/2014 3:28 AM, Mudassir Aftab wrote:

> Hi,
>
> Sorry for asking you the same thing again and again. I have tried many things
> from the above document, but nothing works for me; also, there are no errors in the log.
>
>    SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
>
> I really appreciate your help

If what you list here is what is really in your config file, you're not 
proofreading your configuration entries very well.  You have 
SSLCipherSuite misspelled (two missing letters), and it's not inside the 
connector configuration entry.







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

Sorry for asking you the same thing again and again. I have tried many things
from the above document, but nothing works for me; also, there are no errors in the log.

   

  SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"

I really appreciate your help


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Should i use following APR connector attribute ?
>protocol="org.apache.coyote.http11.Http11AprProtocol"
>maxThreads="200"
>sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>clientAuth="false"
>ciphers="AES256-SHA256"
>scheme="https" secure="true" SSLEnabled="true"
>SSLCertificateFile="p.pem"
>SSLCertificateKeyFile="key.pem"
>SSLCACertificateFile="AdminCA1.pem" />

For the third time, the APR  has no sslProtocol nor 
sslEnabledProtocols attributes; the proper ones for specifying the protocol and 
encryption algorithms are SSLProtocol and SSLCipherSuite, respectively.  For 
the last time, read the doc:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

(If you don't start paying attention to the responses you're getting, you will 
end up just being ignored.)

 - Chuck





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Should I use the following APR connector attributes?

   


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
How can I specify the AES256-SHA256 cipher in the Tomcat connector? Or where
should I specify this?

Regards,
Mudassir Aftab
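Putting Chuck's corrections together: the APR/native connector reads SSLProtocol and SSLCipherSuite (sslProtocol, sslEnabledProtocols and ciphers belong to the JSSE connector and are ignored here), every attribute has to sit inside the Connector element, and SSLCipherSuite takes an OpenSSL cipher-list string, so a single suite name such as AES256-SHA256 is valid there. The fragment below is an added example, not a configuration posted in the thread: the port is the thread's 8443, the certificate paths are placeholders, and "all" is the documented default for SSLProtocol.

```xml
<!-- Added example of an APR/native HTTPS connector (not from the thread).
     Replace the placeholder paths; SSLCipherSuite is an OpenSSL cipher string. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLProtocol="all"
           SSLCipherSuite="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP"
           SSLCertificateFile="/path/to/server-cert.pem"
           SSLCertificateKeyFile="/path/to/server-key.pem"
           SSLCACertificateFile="/path/to/ca-chain.pem" />
```

Because the value is an OpenSSL cipher string, running `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP'` on the server shows exactly which suites the connector will offer and which protocol version each requires, which is the check Chuck asked for. The `!aNULL` and `!EXPORT` exclusions are what remove the ADH and EXP suites seen in the cipher scan later in this thread. Whether TLSv1.1 or TLSv1.2 can actually be negotiated depends on the tcnative and OpenSSL builds the thread argues about; these attributes only control what the server offers.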


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Also, how can I restrict ciphers in the connector??

Testing localhost:8443
** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** TLSv1:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** SSLv3:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **





RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Don't top post - it makes it really hard to follow the conversation.

> is there any way to restrict the cipher suite in
> the connector configuration?

You were already told how:

> > You can also set SSLCipherSuite to avoid enabling insecure encryption 
> > mechanisms (see 
> > http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

- Chuck
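Mudassir's scan shows anonymous (ADH) and export (EXP) suites enabled on port 8443, and Chuck's answer is that SSLCipherSuite is where they get turned off. As an added example (not a tool from the thread or from Tomcat), the script below parses scan lines of that shape, states why each enabled suite is unacceptable, and derives the OpenSSL exclusion tags an SSLCipherSuite value needs in order to remove those properties. The sample scan text is constructed: its weak lines copy the thread's format, the strong and disabled lines are invented for contrast. The reason labels, the regular expression and the HIGH base string are this example's own assumptions.

```python
"""Classify cipher-scan output and derive exclusions for SSLCipherSuite.

Added example, not a tool from the thread. Sample lines are constructed in
the "proto:suite - state - rating N bits" shape of the scan pasted there.
"""
import re

LINE = re.compile(
    r"^\**\s*(\S+?):(\S+)\s+-\s+(ENABLED|DISABLED)\s+-\s+(\w+)\s+(\d+)\s+bits")

# Constructed scan output (format mirrors the thread; strong lines invented).
SAMPLE_SCAN = """\
Testing localhost:8443
** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
   TLSv1:ECDHE-ECDSA-AES128-GCM-SHA256 - ENABLED - STRONG 128 bits
   TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1:EXP-RC4-MD5 - DISABLED - WEAK 40 bits
"""

ANON = "anonymous key exchange (no server authentication)"

# Reason -> OpenSSL cipher-list exclusion that removes it. Legacy protocol
# versions have no cipher-string tag; SSLProtocol controls those.
EXCLUSIONS = {
    "export grade": "!EXPORT",
    ANON: "!aNULL",
    "null cipher": "!eNULL",
    "RC4": "!RC4",
    "56-bit DES": "!DES",
    "MD5 MAC": "!MD5",
}


def weak_reasons(proto, suite):
    """Properties of an OpenSSL-named suite that make it unacceptable."""
    reasons = []
    if proto in ("SSLv2", "SSLv3"):
        reasons.append("legacy protocol " + proto)
    if suite.startswith("EXP-"):
        reasons.append("export grade")
    if suite.startswith("ADH-") or "-ADH-" in suite or "AECDH-" in suite:
        reasons.append(ANON)
    if "NULL" in suite:
        reasons.append("null cipher")
    if "RC4" in suite:
        reasons.append("RC4")
    if "DES-CBC-" in suite:           # single DES; DES-CBC3 is 3DES
        reasons.append("56-bit DES")
    if suite.endswith("-MD5"):
        reasons.append("MD5 MAC")
    return reasons


def audit(scan_text):
    """Return (proto, suite, reasons) for every enabled suite with a finding."""
    findings = []
    for line in scan_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) != "ENABLED":
            continue
        proto, suite = m.group(1), m.group(2)
        reasons = weak_reasons(proto, suite)
        if reasons:
            findings.append((proto, suite, reasons))
    return findings


def suggest_cipher_suite(findings, base="HIGH"):
    """OpenSSL cipher string keeping `base` and excluding every flagged property.

    HIGH is keyed on encryption strength only, so anonymous suites such as
    ADH-AES256-SHA still match it; the !aNULL exclusion is what removes them.
    """
    parts = [base]
    for _, _, reasons in findings:
        for reason in reasons:
            tag = EXCLUSIONS.get(reason)
            if tag and tag not in parts:
                parts.append(tag)
    return ":".join(parts)


if __name__ == "__main__":
    found = audit(SAMPLE_SCAN)
    for proto, suite, reasons in found:
        print("%s:%s -> %s" % (proto, suite, "; ".join(reasons)))
    print('SSLCipherSuite="%s"' % suggest_cipher_suite(found))
```

The derived string is a starting point, not a policy: it only excludes what the scan happened to show, so a suite class the scanner never listed (for instance a null cipher) would not be reflected in it, and the SSLv3 finding has to be addressed through SSLProtocol rather than the cipher string.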





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
How can I test this? Can I test this with Firefox 25?


Regards,
Mudassir Aftab


> On Fri, Jan 3, 2014 at 5:35 AM, Mudassir Aftab wrote:
>
>> I have just configured the latest version; the following is the log
>>
>> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener
>> init
>> INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
>> version 1.5.0.
>> Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener
>> init
>>
>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
>> [false], random [true].
>> Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener
>> initializeSSL
>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["http-apr-8443"]
>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["http-apr-8080"]
>> Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
>> INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
>> INFO: Initialization processed in 3145 ms
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService
>> startInternal
>> INFO: Starting service Catalina
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine
>> startInternal
>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
>> Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig
>> deployDirectory
>> INFO: Deploying web application directory
>> /opt/tomcat7/webapps/host-manager
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
>> deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/docs
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
>> deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/manager
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
>> deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
>> Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
>> deployDirectory
>> INFO: Deploying web application directory /opt/tomcat7/webapps/examples
>> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-apr-8443"]
>> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["http-apr-8080"]
>> Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
>> INFO: Starting ProtocolHandler ["ajp-apr-8009"]
>> Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
>> INFO: Server startup in 7422 ms
>>
>>
>>
>> On Fri, Jan 3, 2014 at 5:31 AM, Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA256
>>>
>>> Mudassir,
>>>
>>> On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
>>> > >> > sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>>>
>>> Setting sslProtocol and sslEnabledProtocols will not aff

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Thanks for continuing to reply. Is there any way to restrict the cipher suite in
the connector configuration?

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5




Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
I have just configured the latest version; following is the log

Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3145 ms
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7422 ms





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Christopher Schultz

Mudassir,

On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
>  sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"

Setting sslProtocol and sslEnabledProtocols will not affect an
OpenSSL-based connector (which you have configured). As Chuck
previously stated, you need to use different configuration attributes
when using OpenSSL. Please read the documentation for the APR
connector and those configuration attributes that affect the SSL engine.

You might want to tell us how you are trying to connect, too. Also,
run "openssl ciphers" on your system to see what ciphers are supported
by your OpenSSL, and compare those to the list supported by your
client. Perhaps you have a legitimate mismatch and TLS 1.2 itself
isn't the problem.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
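Chris's advice is to compare what the server's OpenSSL supports with what the client supports; Chuck, at the start of the thread, suggests capturing the handshake with tcpdump or Wireshark to see what the client is negotiating. Both facts are readable straight out of the ClientHello. The Python below is an added example, not code from the thread or from Tomcat: it builds a constructed ClientHello record (not a real capture), parses it with the length checks a listener has to do on untrusted input, and intersects the offered suites with a server SSLCipherSuite value; an empty intersection is the "no common encryption algorithm(s)" failure Mudassir saw. The SUITE_NAMES table covers only a handful of IANA code points, which is an assumption made for the demo.

```python
"""Parse a TLS ClientHello as read from a capture and check it against the
server's cipher list. Added example; the record is built here, not captured."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# IANA cipher suite code -> OpenSSL name. Assumption: only suites that appear in
# the thread's list are tabulated; anything else is shown as its hex code.
SUITE_NAMES = {
    0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA",
    0x002F: "AES128-SHA", 0x0033: "DHE-RSA-AES128-SHA", 0x0035: "AES256-SHA",
    0x0039: "DHE-RSA-AES256-SHA", 0x003C: "AES128-SHA256",
    0x009C: "AES128-GCM-SHA256", 0x009E: "DHE-RSA-AES128-GCM-SHA256",
    0xC013: "ECDHE-RSA-AES128-SHA", 0xC014: "ECDHE-RSA-AES256-SHA",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, not a cipher
}

def build_client_hello(client_version, suites, random=bytes(32)):
    """Minimal TLS record carrying a ClientHello (RFC 5246 7.4.1.2): constructed
    all-zero random, empty session id, null compression, no extensions. The
    record-layer version is fixed at 0x0301, as real clients commonly send."""
    body = struct.pack("!H", client_version) + random + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_client_hello(record):
    """Return {'version': int, 'suites': [int, ...]} or raise ValueError. Every
    length field is checked before it is trusted: this arrives on a listening
    port from an untrusted peer."""
    def need(buf, off, n):
        if len(buf) < off + n:
            raise ValueError("truncated at offset %d" % off)
    need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    need(hs, 4, body_len)
    body = hs[4:4 + body_len]
    need(body, 0, 2 + 32 + 1)                      # client_version, random, sid length
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32
    sid_len = body[pos]; pos += 1
    need(body, pos, sid_len + 2); pos += sid_len    # session id, then cs_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    need(body, pos, cs_len + 1)                     # suites, then comp_len
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1
    need(body, pos, comp_len)
    return {"version": version, "suites": suites}

def is_valid_client_hello(record):
    try:
        parse_client_hello(record)
        return True
    except ValueError:
        return False

def diagnose(record, server_cipher_list):
    """Compare what the client offered with the server's SSLCipherSuite names.
    An empty 'common' list is the 'no common encryption algorithm(s)' failure."""
    hello = parse_client_hello(record)
    offered = [SUITE_NAMES.get(c, "0x%04X" % c) for c in hello["suites"]]
    server = set(server_cipher_list.split(":"))
    return {
        "client_version": VERSION_NAMES.get(hello["version"], "0x%04X" % hello["version"]),
        "offered": offered,
        "common": [n for n in offered if n in server],
    }

if __name__ == "__main__":
    rec = build_client_hello(0x0303, [0xC02F, 0xC013, 0x002F, 0x00FF])
    print(diagnose(rec, "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA"))  # nothing in common
    print(diagnose(rec, "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"))  # two candidates
```

To use it on a real capture, feed the raw TCP payload of the first client-to-server segment (for example the bytes Wireshark shows under "TLSv1 Record Layer") to diagnose() together with the SSLCipherSuite string from server.xml. The client_version field is what the client claims to support at most; a server limited to TLS 1.0 still completes the handshake with a TLS 1.2 client as long as at least one suite is common, so an empty "common" list, not the version, is usually the real cause of the error quoted in the thread.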



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
I have also tried to apply the following patch in Tomcat Native but it did not
help.

https://issues.apache.org/bugzilla/attachment.cgi?id=30150

tomcat-native-1.1.29-src.tar.gz


On Fri, Jan 3, 2014 at 5:21 AM, Mudassir Aftab wrote:

> Hi ,
>
> Thanks for reply,
>
> I am using following environment
>
> Description:    Ubuntu 12.04.3 LTS
> javac 1.7.0_45
> apache-tomcat-7.0.42.tar.gz
> apr-1.5.0.tar.gz
> tomcat-native-1.1.29-src.tar.gz
> openssl 1.0.1-4ubuntu5.10
>
> and this is how I am configuring Tomcat Native
>
> ./configure --with-apr=/usr/local/apr/bin/apr-1-config
> --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME
>
> export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/opt/tomcat7/lib"
>
> Server.xml:
>
>maxThreads="200"
> sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
>clientAuth="false"
>
>scheme="https" secure="true" SSLEnabled="true"
>SSLCertificateFile="/home/mudassir/cert.pem"
>SSLCertificateKeyFile="/home/mudassir/cert-key.pem"
>SSLCACertificateFile="/home/mudassir/CA.pem" />
>
> Regards,
> Mudassir Aftab


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Hi ,

Thanks for reply,

I am using following environment

Description:    Ubuntu 12.04.3 LTS
javac 1.7.0_45
apache-tomcat-7.0.42.tar.gz
apr-1.5.0.tar.gz
tomcat-native-1.1.29-src.tar.gz
openssl 1.0.1-4ubuntu5.10

and this is how I am configuring Tomcat Native

./configure --with-apr=/usr/local/apr/bin/apr-1-config
--with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME

export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/opt/tomcat7/lib"

Server.xml:

    <Connector ...
               maxThreads="200"
               sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
               clientAuth="false"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/home/mudassir/cert.pem"
               SSLCertificateKeyFile="/home/mudassir/cert-key.pem"
               SSLCACertificateFile="/home/mudassir/CA.pem" />

Regards,
Mudassir Aftab





RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
> Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> I need TLSv1.2 support for tomcat

That's available by default with current OpenSSL versions.

> Also what will be the preferable connector settings ?

Whatever you need them to be.  The values depend entirely on your applications 
and environment.

> I am using following connector in Apache Tomcat/7.0.42
> sslEnabledProtocols="TLSv1.2"

The above attribute is for the BIO and NIO connectors, not the APR one you are 
using.  You should instead specify:
   SSLProtocol="TLSv1"
if you want to eliminate SSLv3 (but your client might not like that).  You can 
also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see 
http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

> An error occurred during a connection to confidential.com:8443. Cannot
> communicate securely with peer: no common encryption algorithm(s).

This means the client you're using and your build of OpenSSL have nothing in 
common.  Use Wireshark or tcpdump and determine just which protocols your 
client is attempting to negotiate with, and ensure that those are enabled in 
your build of OpenSSL.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
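Chuck's SSLCipherSuite advice, and Mudassir's question at the top of the thread about restricting the cipher suite in the connector, in working form. The Python below is an added example, not code from the thread or from Tomcat: it filters an OpenSSL cipher list such as the one Mudassir pasted, reports why each dropped suite was dropped, and renders the APR connector with SSLProtocol and SSLCipherSuite rather than the JSSE-only sslProtocol/sslEnabledProtocols attributes that the OpenSSL engine ignores. Assumptions: the sample list is a constructed subset of the pasted one; the port, the protocol class and the SSLHonorCipherOrder attribute are illustrative; and which protocol versions SSLProtocol="TLSv1" actually enables depends on the Tomcat Native build in use (the thread itself notes that 7.0.47 needs patches for TLS 1.1/1.2), so verify with `openssl s_client -connect host:8443 -tls1_2` instead of assuming.

```python
"""Restrict an OpenSSL cipher list for a Tomcat APR (OpenSSL) connector.
Added example, not from the thread or from Tomcat."""
import re
import shutil
import subprocess

# Weak families, matched against OpenSSL cipher names (not IANA names).
# A name is dropped on the first match; the order only affects the reason.
WEAK_FAMILIES = (
    ("export-grade key material",              re.compile(r"^EXP-")),
    ("RC4 stream cipher",                      re.compile(r"RC4")),
    ("single DES; 3DES (DES-CBC3) is kept",    re.compile(r"DES-CBC-")),
    ("MD5-based MAC",                          re.compile(r"-MD5$")),
    ("PSK/SRP suite, needs shared secrets",    re.compile(r"^(PSK|SRP)-")),
    ("anonymous key exchange, no server auth", re.compile(r"^(ADH|AECDH)-")),
)

def classify(cipher_list):
    """Split a colon-separated OpenSSL cipher list into (kept, dropped), where
    dropped is a list of (name, reason) pairs. Order is preserved."""
    kept, dropped = [], []
    for name in filter(None, cipher_list.split(":")):
        for reason, pattern in WEAK_FAMILIES:
            if pattern.search(name):
                dropped.append((name, reason))
                break
        else:
            kept.append(name)
    return kept, dropped

def restrict_cipher_list(cipher_list):
    """The cipher list with the weak families removed, as an SSLCipherSuite value."""
    return ":".join(classify(cipher_list)[0])

def connector_xml(cipher_suite, port=8443):
    """Render the APR connector. sslProtocol/sslEnabledProtocols are deliberately
    absent: they belong to the JSSE connectors and the OpenSSL engine ignores
    them, which is the mistake discussed in the thread. Port and protocol class
    are assumptions; the certificate paths are the ones from the thread."""
    return (
        f'<Connector port="{port}" protocol="org.apache.coyote.http11.Http11AprProtocol"\n'
        f'           SSLEnabled="true" scheme="https" secure="true"\n'
        f'           maxThreads="200" clientAuth="false"\n'
        f'           SSLProtocol="TLSv1"\n'
        f'           SSLCipherSuite="{cipher_suite}"\n'
        f'           SSLHonorCipherOrder="true"\n'  # assumption: attribute present in this Tomcat 7 build
        f'           SSLCertificateFile="/home/mudassir/cert.pem"\n'
        f'           SSLCertificateKeyFile="/home/mudassir/cert-key.pem"\n'
        f'           SSLCACertificateFile="/home/mudassir/CA.pem" />'
    )

def openssl_expand(cipher_suite):
    """Ask the local OpenSSL what the string expands to ("openssl ciphers", as
    Chris suggests). Returns the list of names, or None if no openssl on PATH."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", cipher_suite],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().split(":")

# Constructed sample: a subset of the list pasted in the thread, mixing strong
# suites with one member of each weak family.
SAMPLE_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-RC4-SHA:RC4-MD5:PSK-AES128-CBC-SHA:"
    "SRP-RSA-AES-256-CBC-SHA:EDH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5"
)

if __name__ == "__main__":
    kept, dropped = classify(SAMPLE_LIST)
    for name, reason in dropped:
        print(f"drop {name:28s} {reason}")
    print(connector_xml(":".join(kept)))
```

The input can be the output of `openssl ciphers` on the server, which is the full set the local OpenSSL build knows; the filtered string is then a list of explicit names, so the server cannot silently pick up a weak suite that a later OpenSSL adds to an alias such as HIGH or DEFAULT. Any suite the client needs but that the filter removed will show up as a "no common encryption algorithm(s)" error on the client, so check the client's ClientHello before tightening further.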