Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-12 Thread Ognjen Blagojevic

Chris,

On 11.10.2013 18:02, Christopher Schultz wrote:

Also, a bit of brainstorming now: could this whole thing be an IP
protocol issue? I've seen similar behavior before, albeit not in the
context of an SSL handshake: the client tries to connect using an IPv6
address, but the firewall doesn't allow it, so the client falls back to
IPv4 and successfully connects.


I would expect that to happen during a single run of the client. Plus,
Chirag indicated that he can see the connection occur, then fail. So
it's not a firewall or IPv4/6 issue.


I stand corrected; the symptoms are definitely different than IP 
protocol fallback.


-Ognjen

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-11 Thread Christopher Schultz

Ognjen,

On 10/10/13 5:23 PM, Ognjen Blagojevic wrote:
 Chris,
 
 On 10.10.2013 19:11, Christopher Schultz wrote:
 Also, Chirag has the connector supporting only TLS, so SSLv2
 HELLO should ideally fail entirely.
 
 Setting attribute sslProtocol="TLS" may actually enable all
 protocols from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting
 something like sslProtocol="TLSv1.1" would enable the same group of
 protocols. The Tomcat docs clearly warn about that behavior (HTTP
 connector):
 
 sslProtocol - The SSL protocol(s) to use (a single value may
 enable multiple protocols - see the JVM documentation for
 details).
 
 
 If you really only want to use TLS but support SSLv2 HELLOs, it's
 not entirely clear to me what setting you want here
 (sslEnabledProtocols), with sslProtocol, etc. I suspect what you
 want is this:
 
 sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"
 
 Chirag, give that a try and see if your problems are solved.
 
 That is not a valid configuration. TLS is not a legal value for the
 attribute sslEnabledProtocols, and it will be ignored. SSLv2Hello
 is not legal without any other secure protocol, so JSSE will throw
 an exception. Something like
 
 sslProtocol="TLS"
 sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
 
 would be a valid config for what you propose.

Thanks for clearing that up. I've never used JSSE for SSL so I haven't
been through the wringer.

 It would also help to track down the cause of the problem if
 Chirag sends handshake logs of the failing and the successful handshake.
 
 Also, a bit of brainstorming now: could this whole thing be an IP
 protocol issue? I've seen similar behavior before, albeit not in the
 context of an SSL handshake: the client tries to connect using an IPv6
 address, but the firewall doesn't allow it, so the client falls back to
 IPv4 and successfully connects.

I would expect that to happen during a single run of the client. Plus,
Chirag indicated that he can see the connection occur, then fail. So
it's not a firewall or IPv4/6 issue.

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-11 Thread Christopher Schultz

Chirag,

On 10/10/13 9:46 PM, Chirag Dewan wrote:
 Hi All,
 
 Thanks a lot for your assistance. I enabled these protocols but
 that didn't help.
 
 Finally, after 24 hours of digging in, I figured out the problem.
 
 We found out that the client's connection timeout was close to
 around 80 mins (which is inexplicable) and there is a firewall in
 between the client and the server. After 60 sec (server timeout) the
 server sent a FIN to the client, but there was no ACK from the other
 side, and the server connection closed. So if the next request comes
 within 80 mins, it tries to use the connection, which is in TIME_WAIT
 state, and thus fails since the SSL handshake was closed by the server.
 From the second request onwards, handshaking happens again.

Wait, what? You have a client that makes an SSL connection and then
waits 80 minutes before terminating the connection?

I thought you said you were seeing errors on the /server/ side... is
this all what you have been seeing at the /client/?

It sounds like this client has all kinds of problems with it.

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-10 Thread Ognjen Blagojevic

Chirag,

On 10.10.2013 6:19, Chirag Dewan wrote:

A small update. The customer's client is a C++ client, which uses OpenSSL. And I 
found that the client hello message is SSLv2 protocol. And the server 
response (server hello) is TLSv1 protocol. Is there something I am missing?


There is a difference between the SSLv2 protocol and the SSLv2Hello 
pseudo-protocol. SSLv2 is basically broken (although a lot of badly 
configured servers still support it).


The SSLv3 and TLS protocol specifications allow the handshake to start in 
SSLv2 format, and then to immediately switch to SSLv3 or TLS. This is 
also known as the SSLv2Hello pseudo-protocol. It is done for compatibility 
reasons, and it is considered relatively safe. It is what you are 
observing, and is perfectly normal.


In Tomcat you may specify which exact protocols to use by setting the 
sslEnabledProtocols attribute on the HTTP connector (Tomcat 7/8 and Tomcat 
6.0.38+), or the undocumented protocols attribute (versions prior to 
6.0.38). Those attributes may take one or more of the following values: 
SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello. Of course, it is 
recommended not to use SSLv2, but you may use SSLv2Hello (among 
others) to ensure compatibility.


Note that the aforementioned attributes are somewhat related to the attribute 
sslProtocol, which by itself selects a group of enabled protocols.


-Ognjen




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-10 Thread Christopher Schultz

Ognjen,

On 10/10/13 4:11 AM, Ognjen Blagojevic wrote:
 On 10.10.2013 6:19, Chirag Dewan wrote:
 A small update. The customers client is C++ client,which uses
 OpenSSL. And I found that client hello message is SSLv2 protocol.
 And the server response(server hello) is a TLSv1 protocol. Is
 there something I am missing?
 
 There is a difference in SSLv2 protocol and SSLv2Hello
 pseudo-protocol. SSLv2 is basically broken (although a lot of badly
 configured servers still support it).

+1

Also, Chirag has the connector supporting only TLS, so SSLv2 HELLO
should ideally fail entirely.

 SSLv3, and TLS protocol specifications allow that handshake happens
 in SSLv2 format, and then to immediately switch to SSLv3 or TLS.
 This is also known as SSLv2Hello pseudo-protocol. It is done for
 compatibility reasons, and it is considered relatively safe. It is
 what you are observing, and is perfectly normal.

+1

OpenSSL (and others) are capable of making SSLv2 HELLO calls but then
not actually using SSLv2... this is the default in a lot of places
because old clients and servers still use SSLv2 HELLOs. It's a way to
get around the fact that SSLv2 has essentially been eradicated from
the planet but nobody wants connection errors just in case.

 In Tomcat you may specify which exact protocols to use, by setting 
 sslEnabledProtocols attribute on HTTP connector (Tomcat 7/8 and
 Tomcat 6.0.38+), or undocumented protocols attribute (versions
 prior to 6.0.38). Those attributes may take one or more of the
 following values: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2,
 SSLv2Hello. Of course, it is recommended not to use SSLv2, but
 you may use SSLv2Hello (among others), to ensure compatibility.

If you really only want to use TLS but support SSLv2 HELLOs, it's not
entirely clear to me what setting you want here (sslEnabledProtocols),
with sslProtocol, etc. I suspect what you want is this:

sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"

Chirag, give that a try and see if your problems are solved.

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-10 Thread Ognjen Blagojevic

Chris,

On 10.10.2013 19:11, Christopher Schultz wrote:

Also, Chirag has the connector supporting only TLS, so SSLv2 HELLO
should indeally fail entirely.


Setting attribute sslProtocol="TLS" may actually enable all protocols 
from SSLv3 to TLSv1.2, plus SSLv2Hello. Even setting something like 
sslProtocol="TLSv1.1" would enable the same group of protocols. The Tomcat 
docs clearly warn about that behavior (HTTP connector):


sslProtocol - The SSL protocol(s) to use (a single value may enable 
multiple protocols - see the JVM documentation for details).




If you really only want to use TLS but support SSLv2 HELLOs, it's not
entirely clear to me what setting you want here (sslEnabledProtocols),
with sslProtocol, etc. I suspect what you want is this:

sslProtocol="TLS" sslEnabledProtocols="TLS, SSLv2Hello"

Chirag, give that a try and see if your problems are solved.


That is not a valid configuration. TLS is not a legal value for the attribute 
sslEnabledProtocols, and it will be ignored. SSLv2Hello is not legal 
without any other secure protocol, so JSSE will throw an exception. 
Something like


  sslProtocol="TLS"
  sslEnabledProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

would be a valid config for what you propose.

It would also help to track down the cause of the problem if Chirag 
sends handshake logs of the failing and the successful handshake.


Also, a bit of brainstorming now: could this whole thing be an IP 
protocol issue? I've seen similar behavior before, albeit not in the context 
of an SSL handshake: the client tries to connect using an IPv6 address, but 
the firewall doesn't allow it, so the client falls back to IPv4 and successfully 
connects.


-Ognjen

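The protocol-name rules discussed in this exchange can be checked directly against the JVM's JSSE. The program below is an added example, not code from the thread or from Tomcat. It prints what an SSLContext obtained with the name given to sslProtocol ("TLS" or "TLSv1.1") enables by default, which is what Ognjen's point about a single value enabling a whole group is about, and then reduces a Tomcat-style sslEnabledProtocols list to the names the engine supports. The filterSupported helper is a simplified stand-in for the filtering Tomcat's JSSE socket factory performs, not Tomcat's own code, and the class name is mine. Which names are listed as supported or enabled depends on the JVM version and its security properties.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not from the thread): what a JSSE context named "TLS" or
 * "TLSv1.1" enables, and how a comma-separated sslEnabledProtocols list is
 * reduced to the protocol names the JVM actually supports.
 */
public class ProtocolListCheck {

    /** Mirrors the sslProtocol attribute: the name is passed to SSLContext.getInstance(). */
    static SSLEngine engineFor(String sslProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(sslProtocol);
        ctx.init(null, null, null);   // default key/trust managers; we only inspect, never handshake
        return ctx.createSSLEngine();
    }

    /**
     * Keeps only the requested names the engine supports. "TLS" is a context
     * name, not a protocol name, so it is dropped here; "SSLv2Hello" is a real
     * (pseudo-)protocol name and survives. Simplified stand-in for Tomcat's
     * filtering (assumption), not Tomcat's code.
     */
    static String[] filterSupported(String[] requested, SSLEngine engine) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabled = new ArrayList<String>();
        for (String p : requested) {
            String name = p.trim();
            if (supported.contains(name)) {
                enabled.add(name);
            } else {
                System.err.println("dropping unsupported protocol name: " + name);
            }
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    public static void main(String[] args) throws Exception {
        // What sslProtocol="TLS" and sslProtocol="TLSv1.1" actually enable by default.
        for (String sslProtocol : new String[] { "TLS", "TLSv1.1" }) {
            SSLEngine e = engineFor(sslProtocol);
            System.out.println("sslProtocol=\"" + sslProtocol + "\""
                    + " enables " + Arrays.toString(e.getEnabledProtocols())
                    + " (supported: " + Arrays.toString(e.getSupportedProtocols()) + ")");
        }

        SSLEngine e = engineFor("TLS");

        // The invalid list from the thread: "TLS" is silently dropped, leaving SSLv2Hello alone,
        // which cannot complete a handshake by itself.
        String[] bad = filterSupported("TLS, SSLv2Hello".split(","), e);
        System.out.println("sslEnabledProtocols=\"TLS, SSLv2Hello\" -> " + Arrays.toString(bad));

        // The valid list: SSLv2Hello plus real protocols.
        String[] good = filterSupported("SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2".split(","), e);
        e.setEnabledProtocols(good);
        System.out.println("sslEnabledProtocols=\"SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2\" -> "
                + Arrays.toString(e.getEnabledProtocols()));
    }
}
```

Run it with the same JDK the connector runs on (javac ProtocolListCheck.java && java ProtocolListCheck); the first two lines show why "only TLS" is not what a bare sslProtocol="TLS" gives you, and the third shows the list that is left once "TLS" is discarded from sslEnabledProtocols.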



Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-10 Thread Chirag Dewan
Hi All,

Thanks a lot for your assistance. I enabled these protocols but that didn't help.

Finally after 24 hours of digging in I figured out the problem.

We found out that the client's connection timeout was close to around 
80 mins (which is inexplicable) and there is a firewall in between the client and 
the server. After 60 sec (server timeout) the server sent a FIN to the client, but 
there was no ACK from the other side, and the server connection closed. So if the 
next request comes within 80 mins, it tries to use the connection, which is in 
TIME_WAIT state, and thus fails since the SSL handshake was closed by the server. 
From the second request onwards, handshaking happens again.

Appreciate all of you for your help.

Chirag.

Sent from Yahoo! Mail on Android
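The failure mode Chirag describes (the server hangs up an idle keep-alive connection, the client's next request goes out on the dead socket and fails, and only a fresh connection succeeds) can be reproduced without TLS or Tomcat. The following is an added example, not code from the thread: a loopback server with a short idle timeout standing in for the connector's connectionTimeout, and a client whose reuse delay is longer than that. The class, the method names and the 300 ms timeout are constructed for the demonstration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

/**
 * Added example (not from the thread): a client reusing a keep-alive
 * connection that the server has already closed for idleness.
 */
public class StaleKeepAliveDemo {

    /** Server idle timeout; a constructed stand-in for the 60 s connectionTimeout in the thread. */
    static final int IDLE_MS = 300;

    /** Answers one line per request; closes the socket (sends FIN) after IDLE_MS without data. */
    static void serve(Socket s) {
        try {
            s.setSoTimeout(IDLE_MS);
            BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream(), "US-ASCII"));
            PrintWriter out = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), "US-ASCII"), true);
            String line;
            while ((line = in.readLine()) != null) {
                out.println("OK " + line);
            }
        } catch (SocketTimeoutException idle) {
            // idle for IDLE_MS: hang up, which is what the server-side timeout in the thread did
        } catch (IOException ignored) {
        } finally {
            try { s.close(); } catch (IOException ignored) { }
        }
    }

    /** Accept loop on a daemon thread; one handler thread per connection. */
    static void startServer(final ServerSocket ss) {
        Thread acceptor = new Thread(new Runnable() {
            public void run() {
                try {
                    while (true) {
                        final Socket s = ss.accept();
                        new Thread(new Runnable() { public void run() { serve(s); } }).start();
                    }
                } catch (IOException closed) {
                    // server socket closed: stop accepting
                }
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();
    }

    /** One request on an existing connection; null means the connection was already dead. */
    static String request(BufferedReader in, PrintWriter out, String msg) {
        try {
            out.println(msg);      // the write usually succeeds even though the peer has sent FIN
            return in.readLine();  // null: EOF from the queued FIN; IOException: RST from the peer
        } catch (IOException reset) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocket ss = new ServerSocket(0, 50, InetAddress.getByName("127.0.0.1"));
        startServer(ss);

        Socket c = new Socket(ss.getInetAddress(), ss.getLocalPort());
        BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), "US-ASCII"));
        PrintWriter out = new PrintWriter(new OutputStreamWriter(c.getOutputStream(), "US-ASCII"), true);

        System.out.println("first request on new socket  : " + request(in, out, "hello"));

        Thread.sleep(IDLE_MS * 3);  // the client's idea of the idle limit is far longer than the server's
        String stale = request(in, out, "again");
        System.out.println("second request on same socket: "
                + (stale == null ? "FAILED, server had already closed it" : stale));
        c.close();

        // What "the second request works" looks like from the client's side: a fresh connection.
        Socket fresh = new Socket(ss.getInetAddress(), ss.getLocalPort());
        BufferedReader in2 = new BufferedReader(new InputStreamReader(fresh.getInputStream(), "US-ASCII"));
        PrintWriter out2 = new PrintWriter(new OutputStreamWriter(fresh.getOutputStream(), "US-ASCII"), true);
        System.out.println("retry on fresh socket        : " + request(in2, out2, "retry"));
        fresh.close();
        ss.close();
    }
}
```

Whether the stale request surfaces as EOF or as "Connection reset" depends on whether the server's FIN or its RST reaches the client first, so the helper treats both as a dead connection; that is also the check a client-side connection pool has to make before reusing an idle socket.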



Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Chirag Dewan
Hi Chris,

Thanks for the code,it helped a lot.

Now, using that code on my server machine I found out that 
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA is not even in the default ciphers for 
jdk1.6.0_39. Isn't this strange behaviour? The server can only select available 
ciphers, I suppose.

Thanks

Chirag





On Tuesday, 8 October 2013 9:10 PM, Christopher Schultz 
ch...@christopherschultz.net wrote:
 

Chirag,

On 10/8/13 6:01 AM, Chirag Dewan wrote:
 I am using Embedded Tomcat 6.0.37. I have a servlet which is
 running over HTTPS using an SSL Connector. I have a Java Keystore with
 the Customer Certificate imported in it.
 
 Now, there is an HTTP Client on the customer's end which connects
 with the servlet over HTTPS (I have very little information about
 the customer's client configuration).
 
 The problem we are facing is:
 
 For the first request from the Client, the SSL handshaking fails.

How, specifically? What do you observe on the server? What do you
observe on the client?

 From the second request, handshaking is completed successfully and the 
 requests are processed. I have observed that when the Server selects 
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cipher suite, only then
 does the Server send a reset to the client and the handshaking fails.
 On the second request, with the same cipher suite, it works fine.

So the first request and second request seem to both negotiate the
same cipher suite (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) but the first
one fails?

 Can anyone assist me in understanding why it is failing for the
 first time? And is there any way I can force the Tomcat not to
 select this cipher suite? Or any other way that I can resolve this
 issue.

See the Connector documentation, specifically the cipherSuites
attribute. Unfortunately, Tomcat's cipherSuites configuration is only
explicit... you can't say something like "defaults without
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA".

See this thread in the archives for a short program that will dump-out
the available cipher suites and indicates which ones are available by
default in your environment (note that the results will change for
every different version of Java you use):
http://markmail.org/message/zn4namfhypyxum23

-chris

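Chris's pointer to a program that dumps the available cipher suites, and Chirag's finding that TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA is not among the defaults, can be checked with the following added example. It is mine, not the program from the archived thread (which I have not reproduced) and not Tomcat's code. It classifies a suite as enabled by default, supported but not enabled, or unsupported in the running JVM, and then mirrors the connector's ciphers attribute (the one Chirag's code sets) by enabling exactly the requested suites the JVM supports. One caveat a practitioner should know: the Sun/Oracle JSSE names several older suites with an SSL_ prefix (SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, for example) where OpenSSL and the RFCs use TLS_, so the check tries both spellings. Results vary by JDK version; on current JDKs the 3DES suites are also disabled through the jdk.tls.disabledAlgorithms security property and may therefore show up as supported but not enabled.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not from the thread): where a cipher suite stands in this
 * JVM, and what a Tomcat-style "ciphers" attribute would leave enabled.
 */
public class CipherSuiteCheck {

    enum Status { ENABLED_BY_DEFAULT, SUPPORTED_NOT_DEFAULT, UNSUPPORTED }

    static SSLEngine defaultEngine() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key/trust managers; we only inspect, never handshake
        return ctx.createSSLEngine();
    }

    /** JSSE spells some older suites SSL_..., OpenSSL and the RFCs spell them TLS_...; try both. */
    static String[] nameVariants(String suite) {
        if (suite.startsWith("TLS_")) return new String[] { suite, "SSL_" + suite.substring(4) };
        if (suite.startsWith("SSL_")) return new String[] { suite, "TLS_" + suite.substring(4) };
        return new String[] { suite };
    }

    static Status classify(String suite, SSLEngine engine) {
        Set<String> enabled = new TreeSet<String>(Arrays.asList(engine.getEnabledCipherSuites()));
        Set<String> supported = new TreeSet<String>(Arrays.asList(engine.getSupportedCipherSuites()));
        if (enabled.contains(suite)) return Status.ENABLED_BY_DEFAULT;
        if (supported.contains(suite)) return Status.SUPPORTED_NOT_DEFAULT;
        return Status.UNSUPPORTED;
    }

    /**
     * Simplified stand-in (assumption, not Tomcat's code) for the connector's
     * comma-separated ciphers attribute: enable exactly the requested suites the
     * JVM supports, in the requested order, and refuse an empty result rather
     * than start a listener that can never complete a handshake.
     */
    static String[] applyCiphersAttribute(String ciphers, SSLEngine engine) {
        Set<String> supported = new TreeSet<String>(Arrays.asList(engine.getSupportedCipherSuites()));
        Set<String> result = new LinkedHashSet<String>();
        for (String requested : ciphers.split(",")) {
            for (String candidate : nameVariants(requested.trim())) {
                if (supported.contains(candidate)) { result.add(candidate); break; }
            }
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("none of the requested suites is supported: " + ciphers);
        }
        engine.setEnabledCipherSuites(result.toArray(new String[result.size()]));
        return engine.getEnabledCipherSuites();
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = defaultEngine();
        String suite = args.length > 0 ? args[0] : "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
        for (String candidate : nameVariants(suite)) {
            System.out.println(candidate + ": " + classify(candidate, engine));
        }
        System.out.println("enabled by default: " + Arrays.toString(engine.getEnabledCipherSuites()));
        System.out.println("after ciphers=\"" + suite + "\": "
                + Arrays.toString(applyCiphersAttribute(suite, engine)));
    }
}
```

A suite that classifies as SUPPORTED_NOT_DEFAULT will never be chosen by a connector that leaves ciphers unset, which is the situation Chirag saw; naming it explicitly in ciphers enables it, but on a JDK where the algorithm is disabled by security policy it can still be rejected at handshake time, so check the classification on the exact JDK build the server runs.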

Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Christopher Schultz

Chirag,

On 10/8/13 9:48 PM, Chirag Dewan wrote:
 For this particular cipher, the server sends a RST to the client 
 after the certificate exchange is done. And the handshaking
 fails, for the first time only. From the second request onwards, handshaking
 happens and the traffic flows as usual.

When you say first and second request... are you talking about the
first and second request that the server receives since it's been
started, or are you talking about the first and second requests that
the client makes without restarting? What action resets the experiment?

I'm wondering if the server gets fixed or the client.

 What I understand is,I can provide a set of ciphers to the
 connector and the client will select from that particular set and
 can thus avoid the particular cipher. Can I do this in embedded
 tomcat? And what set of ciphers should I allow with that
 connector?

I'm not sure why the embedded case would be any different from the
non-embedded case... you are setting-up your connectors in a standard
way, right? Maybe if you posted some code...

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Christopher Schultz

Chirag,

On 10/8/13 9:48 PM, Chirag Dewan wrote:
 For this particular cipher, the server sends a RST to the client 
 after the certificate exchange is done. And the handshaking
 fails, for the first time only. From the second request onwards, handshaking
 happens and the traffic flows as usual.
 
 What I understand is, I can provide a set of ciphers to the
 connector and the client will select from that particular set and
 can thus avoid the particular cipher.

Technically speaking, the server selects the cipher given the list
sent by the client and any restrictions the server has (e.g. using the
ciphers list from your connector). It's very strange that the server
would be selecting that (evidently missing) cipher in the first place
(then failing) and then choosing it /again/ and succeeding. I must be
missing something.

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Chirag Dewan
Hi,

The first request after the Server is started gets rejected. I am setting my 
connector as follows:

IntrospectionUtils.setProperty( this, "sslProtocol", "TLS" );
IntrospectionUtils.setProperty( this, "keystore", keyStoreFile );
IntrospectionUtils.setProperty( this, "keypass", keyStorePassword );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "ciphers", cipherSet );

This is my connector configuration. I am now setting the cipher, as you can see. 
And it is selecting the specified cipher, so that way I can limit the cipher set 
to be selected by the Server.






Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Christopher Schultz

Chirag,

On 10/9/13 8:39 AM, Chirag Dewan wrote:
 The first request after the Server is started gets rejected.

Interesting.

 I am setting my connector as follows:
 
 IntrospectionUtils.setProperty( this, "sslProtocol", "TLS" ); 
 IntrospectionUtils.setProperty( this, "keystore", keyStoreFile ); 
 IntrospectionUtils.setProperty( this, "keypass", keyStorePassword
 ); IntrospectionUtils.setProperty( this, "SSLEnabled", "true" ); 
 IntrospectionUtils.setProperty( this, "ciphers", cipherSet );
 
 This is my connector configuration. I am now setting the cipher, as you
 can see. And it is selecting the specified cipher, so that way I
 can limit the cipher set to be selected by the Server.

What is the value of cipherSet?

Perhaps you could share some /more/ code... the above for instance
doesn't show how you initialize the connector, attach it to the
container, etc.

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Chirag Dewan
Hi,

I have a wrapper connector class:

public HTTPConnector(int port, String keystoreFile, String password, int maxKeepAliveRequests,
        int maxThreads, int connectionTimeout, Logger logger) throws Exception
{
    myLogger = logger;
    this.keyStoreFile = keystoreFile;
    this.keyStorePassword = password;

    if( maxKeepAliveRequests != 0 && maxKeepAliveRequests >= -1 )
    {
        IntrospectionUtils.setProperty( this, "maxKeepAliveRequests", String.valueOf( maxKeepAliveRequests ) );
    }

    if( maxThreads > 0 )
    {
        IntrospectionUtils.setProperty( this, "maxThreads", String.valueOf( maxThreads ) );
    }

    InetAddress address = null;
    try
    {
        if( keystoreFile != null )
        {
            String cipherSet = System.getProperty( "https.cipher.set" );

            setSecure( true );

            if( myLogger.isLoggable( Level.FINER ) ) myLogger.finer( "EmbeddedTomcat using HTTPS and cipher sets " + cipherSet );
            setScheme( "https" );

            try
            {
                // Added TLS since there is a bug in Tomcat 5.5.9. No default protocol is set.
                IntrospectionUtils.setProperty( this, "sslProtocol", "TLS" );
                IntrospectionUtils.setProperty( this, "keystore", keyStoreFile );
                IntrospectionUtils.setProperty( this, "keypass", keyStorePassword );
                IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
                if( cipherSet != null && !cipherSet.equalsIgnoreCase( "" ) )
                {
                    IntrospectionUtils.setProperty( this, "ciphers", cipherSet );
                }
            }
            catch( Exception exception )
            {
                myLogger.severe( "Could not load SSL server socket factory." );
                throw new Exception( "Could not load SSL server socket factory." );
            }
        }
        else
        {
            setSecure( false );
        }

        address = InetAddress.getLocalHost();
        if( address != null )
        {
            IntrospectionUtils.setProperty( this, "address", "" + address );
        }
        IntrospectionUtils.setProperty( this, "port", "" + port );
        IntrospectionUtils.setProperty( this, "connectionTimeout", String.valueOf( connectionTimeout * 1000 ) );
    }
    catch( Exception exception )
    {
        myLogger.severe( "Exception occurred while making HTTP Connector." );
        throw new Exception( "Exception occurred while making HTTP Connector." );
    }

    try
    {
        setEnableLookups( false );
    }
    catch( Exception exception )
    {
        myLogger.severe( "Exception occurred while enabling lookups." );
        throw new Exception( "Exception occurred while enabling lookups." );
    }
}

and I attach it to the container by:

Embedded embedded = new Embedded();

embedded.addConnector( connector );
connector.start();

and I call embedded.start() during initialization, so I have Tomcat running.

Chris, cipherSet is a configurable parameter. I am usually using 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA for testing purposes.

Thanks!

Chirag





Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Christopher Schultz

Chirag,

I have a bunch of non-SSL-related questions about your code.

On 10/9/13 9:59 AM, Chirag Dewan wrote:
 I have a wrapper connector class :
 
 public HTTPConnector(int port, String keystoreFile, String
 password, int maxKeepAliveRequests, int maxThreads, int
 connectionTimeout, Logger logger) throws Exception { myLogger =
 logger; this.keyStoreFile = keystoreFile; this.keyStorePassword =
 password;
 
 if( maxKeepAliveRequests != 0 && maxKeepAliveRequests >= -1 ) { 
 IntrospectionUtils.setProperty( this, "maxKeepAliveRequests",
 String.valueOf( maxKeepAliveRequests ) ); }

What's wrong with calling
this.setMaxKeepAliveRequests(maxKeepAliveRequests)?

It seems like you have way more code than necessary in this class.

 if( keystoreFile != null ) { String cipherSet =
 System.getProperty( "https.cipher.set" );
 
 setSecure( true );

Here, you're using this.setSecure(true) instead of using
IntrospectionUtils. Why some settings via IntrospectionUtils and
others with direct method calls?

 setScheme( https );
 
 try { // Added TLS since there is a bug in Tomcat 5.5.9. No default
 protocol is set. IntrospectionUtils.setProperty( this,
 "sslProtocol", "TLS" ); IntrospectionUtils.setProperty( this,
 "keystore", keyStoreFile ); IntrospectionUtils.setProperty( this,
 "keypass", keyStorePassword ); IntrospectionUtils.setProperty(
 this, "SSLEnabled", "true" ); if( cipherSet != null &&
 !cipherSet.equalsIgnoreCase( "" ) ) {

It might be worth calling trim() on the cipherSet value before
checking for equality with "". Using ignore case on an empty string
is not going to add anything, FYI.

 catch( Exception exception ) { myLogger.severe( "Could not load SSL
 server socket factory." ); throw new Exception( "Could not load SSL
 server socket factory." ); }

How about just "throw exception;"... any reason to completely swallow
the original exception and throw a new one? That just seems confusing.

This constructor seems much more appropriate to be a factory method
instead of a constructor for a class that trivially extends the
existing Connector. With a factory, you could also choose the type of
connector to use instead of having to extend a specific one (e.g. NIO
vs. BIO, etc.).

 and I attach it to the container by :
 
 Embedded embedded = new Embedded();
 
 embedded.addConnector( connector ); connector.start();
 
 and I call embedded.start(); during intialization,so I have the
 Tomcat running.
 
 Chris,cipherSet is a configurable parameter. I am usually using
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA for testing purpose.

That all seems fairly straightforward. I have no idea why SSL would be
acting up, there.

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Chirag Dewan
Chris, 

This is legacy code and does need some tweaks for sure. 

Regarding the issue, for some other ciphers as well the handshaking is failing. I 
get a TCP_ZERO_WINDOW in my snoops, thus resulting in the Server sending a RST 
to the client. 

Chirag

Sent from Yahoo! Mail on Android



Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-09 Thread Chirag Dewan
Hi ,

A small update. The customer's client is a C++ client, which uses OpenSSL. And I 
found that the client hello message is SSLv2 protocol. And the server 
response (server hello) is TLSv1 protocol. Is there something I am missing?

Chirag





Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-08 Thread Chirag Dewan
Hi All,

I am using Embedded Tomcat 6.0.37. I have a servlet which is running over HTTPS 
using an SSL Connector. I have a Java Keystore with the Customer Certificate imported 
in it.

Now, there is an HTTP Client on the customer's end which connects with the servlet 
over HTTPS (I have very little information about the customer's client 
configuration).

The problem we are facing is:

For the first request from the Client, the SSL handshaking fails. From the second 
request, handshaking is completed successfully and the requests are processed. I 
have observed that when the Server selects TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the 
cipher suite, only then does the Server send a reset to the client and the 
handshaking fails. On the second request, with the same cipher suite, it works fine.

Can anyone assist me in understanding why it is failing for the first time? And 
is there any way I can force Tomcat not to select this cipher suite? Or any 
other way that I can resolve this issue.

Thanks a lot.

Chirag Dewan


Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-08 Thread André Warnier

Chirag Dewan wrote:

Hi All,

I am using Embedded Tomcat 6.0.37. I have a servlet which is running over HTTPS 
using SSL Connector. I have a Java Keystore with Customer Certificate imported 
in it.



I cannot answer your question, but I think that in order to be helped faster, it would be
a good idea to paste here your Tomcat SSL Connector configuration:


...






Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-08 Thread Christopher Schultz

Chirag,

On 10/8/13 6:01 AM, Chirag Dewan wrote:
 I am using Embedded Tomcat 6.0.37. I have a servlet which is
 running over HTTPS using SSL Connector. I have a Java Keystore with
 Customer Certificate imported in it.
 
 Now,there is a HTTP Client on the customers end which connects
 with the servlet over HTTPS(I have very little information about
 the customers client configuration)
 
 The problem we are facing is:
 
 For the first request from Client,the SSL handshaking fails.

How, specifically? What do you observe on the server? What do you
observe on the client?

 From second request, handshaking is completed successfully and the 
 requests are processed. I have observed when Server selects 
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA as the cipher suite, only then
 the Server sends a reset to the client and the handshaking fails.
 On second request, with same cipher suite,it works fine.

So the first request and second request seem to both negotiate the
same cipher suite (TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) but the first
one fails?

 Can anyone assist me in understanding why it is failing for the
 first time? And is there any way I can force the Tomcat not to
 select this cipher suite? Or any other way that I can resolve this
 issue.

See the Connector documentation, specifically the cipherSuites
attribute. Unfortunately, Tomcat's cipherSuites configuration is only
explicit... you can't say something like defaults without
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA.

See this thread in the archives for a short program that will dump out
the available cipher suites and indicate which ones are enabled by
default in your environment (note that the results will change for
every different version of Java you use):
http://markmail.org/message/zn4namfhypyxum23

-chris




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-08 Thread Ognjen Blagojevic

Chris,

On 8.10.2013 17:40, Christopher Schultz wrote:

Can anyone assist me in understanding why it is failing for the
first time? And is there any way I can force the Tomcat not to
select this cipher suite? Or any other way that I can resolve this
issue.


See the Connector documentation, specifically the cipherSuites
attribute. Unfortunately, Tomcat's cipherSuites configuration is only
explicit... you can't say something like defaults without
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA.


I guess you mean ciphers (for BIO and NIO connectors) and 
SSLCipherSuite (for APR connector).


Here are examples for both.

E.g.1.

ciphers=SSL_RSA_WITH_3DES_EDE_CBC_SHA,
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
        TLS_RSA_WITH_AES_256_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
        TLS_RSA_WITH_AES_256_CBC_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

E.g.2.

SSLCipherSuite=EDH+aRSA:3DES:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS


-Ognjen




Re: Issue while using SSL with Embedded Tomcat 6.0.37

2013-10-08 Thread Chirag Dewan
Hi,

For this particular cipher, the server sends a RST to the client after the
certificate exchange is done. And the handshaking fails, for the first time
only. From the second request onwards, handshaking happens and the traffic flows as usual.

What I understand is, I can provide a set of ciphers to the connector and the
client will select from that particular set and can thus avoid the particular
cipher. Can I do this in embedded Tomcat? And what set of ciphers should I
allow with that connector?

Thanks!

Chirag

Sent from Yahoo! Mail on Android
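The following is an added example, not code from this thread or from the Tomcat project. It ties together the three technical points above: the cipher-suite dump program Chris points to in the archives, the explicit `ciphers` allow-list Ognjen shows in E.g.1, and Chirag's question of how to apply such a list in embedded Tomcat. It lists the suites the running JVM supports and enables by default (which is what Tomcat uses when `ciphers` is unset), builds a "defaults without TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" list that also drops the NULL, anonymous, export, RC4 and MD5 families, and sets it on a Tomcat 6 BIO connector through `Connector.setProperty`. The connector attribute names (`SSLEnabled`, `sslProtocol`, `keystoreFile`, `keystorePass`, `ciphers`) are the ones from the thread and the Tomcat 6 connector documentation; the class and method names, the port, the keystore path and the password are placeholders of mine.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;

import org.apache.catalina.connector.Connector;

/*
 * Added example (not from the thread or the Tomcat project). Builds an explicit
 * JSSE cipher-suite allow-list from the JVM defaults and applies it to an
 * embedded Tomcat 6 HTTPS connector. Port, keystore path and password are
 * placeholders.
 */
public class CipherSuiteAllowList {

    /** The suite the thread reports as failing on the first handshake. */
    static final String SUSPECT_SUITE = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";

    /** Suites JSSE enables by default in this JVM; the set changes with the Java version. */
    static List<String> defaultSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key and trust managers
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
    }

    /** Every suite this JVM could enable, whether or not it is on by default. */
    static List<String> supportedSuites() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
    }

    /** True for suite families a server should not offer: NULL, anonymous, export, RC4, MD5. */
    static boolean isWeak(String suite) {
        return suite.contains("_NULL_") || suite.contains("_anon_")
            || suite.contains("_EXPORT") || suite.contains("_RC4_")
            || suite.endsWith("_MD5");
    }

    /** "Defaults without X": the candidates minus the excluded suites and the weak families. */
    static List<String> allowList(List<String> candidates, String... excluded) {
        List<String> banned = Arrays.asList(excluded);
        List<String> out = new ArrayList<String>();
        for (String suite : candidates) {
            if (banned.contains(suite) || isWeak(suite)) {
                continue;
            }
            out.add(suite);
        }
        return out;
    }

    /** Joins suites into the comma-separated form the BIO/NIO "ciphers" attribute expects. */
    static String toCiphersAttribute(List<String> suites) {
        StringBuilder sb = new StringBuilder();
        for (String suite : suites) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(suite);
        }
        return sb.toString();
    }

    /**
     * Builds an HTTPS connector for an embedded Tomcat 6 instance. The caller adds
     * the returned Connector to its existing Embedded/Engine setup; only the
     * SSL-related attributes are shown here.
     */
    static Connector httpsConnector(int port, String keystoreFile, String keystorePass,
                                    String ciphers) throws Exception {
        Connector c = new Connector("HTTP/1.1");   // BIO connector backed by JSSE
        c.setPort(port);
        c.setScheme("https");
        c.setSecure(true);
        c.setProperty("SSLEnabled", "true");
        c.setProperty("sslProtocol", "TLS");
        c.setProperty("keystoreFile", keystoreFile);
        c.setProperty("keystorePass", keystorePass);
        c.setProperty("ciphers", ciphers);         // explicit allow-list, nothing else is offered
        return c;
    }

    public static void main(String[] args) throws Exception {
        List<String> defaults = defaultSuites();
        System.out.println("default suites:   " + defaults.size());
        System.out.println("supported suites: " + supportedSuites().size());

        String ciphers = toCiphersAttribute(allowList(defaults, SUSPECT_SUITE));
        System.out.println("ciphers=" + ciphers);

        // Placeholder values; replace with the real port and keystore.
        Connector connector = httpsConnector(8443, "/path/to/keystore.jks",
                                             "changeit", ciphers);
        System.out.println("HTTPS connector configured on port " + connector.getPort());
    }
}
```

Two practical notes. Because the default list depends on the JVM (Chris's point), record the generated `ciphers` value per Java version rather than regenerating it silently at startup, and re-run the dump after every Java upgrade so a new default does not reintroduce the excluded suite. And the allow-list must still intersect what the customer's OpenSSL client offers in its hello; if it does not, every handshake fails (visible on the server as a handshake failure alert rather than the first-request-only RST described in the thread), so compare the list against a capture of the client hello before deploying it.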