Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-05 Thread Sanaullah
Most of the people posting here regarding TLSv1.1 and TLSv1.2 support in
Tomcat 7.0.47 are just trying to make themselves look over-smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You
have to apply these two patches in order to run TLSv1.1 and TLSv1.2:
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty.

Here is my test result

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(0003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDH-ECDSA-AES256-GCM-SHA384
Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
Session-ID-ctx:
Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51   ...........V..IQ
0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE ..PP...A.
0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9   .v)..[5.....;>m.
0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21   ......T#.9-Z..^!
0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed   ..7.fY.._..*....
0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16   ]r..^.)..I..P...
0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6   #..cy.6#...5y.h.
0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ......<w....' ..
0080 - 40 11 a1 d2 8e 8a 68 ab-5e c9 81 3d 72 46 56 d8   @.....h.^..=rFV.
0090 - 84 66 b7 6f 57 ce 0f 05-d0 52 a4 d3 9c 66 de b4   .f.oW....R...f..
00a0 - 85 cb 9f fe 85 16 e2 35-df 46 c2 c8 fc 37 bb 48   .......5.F...7.H

Start Time: 1388926368
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=0


/*** server.xml ***/

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           SSLProtocol="all"
           clientAuth="false"
           SSLCertificateFile="/home/san/sinful.pem"
           SSLCertificateKeyFile="/home/san/sinful.key" />



How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 , this patch
will be applied to tomcat-native-1.1.29. After the patch, compile it using:
cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

Copy the libs and place them in the default lib directory of Ubuntu:
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
Install JDK 6.

Apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166
to tomcat-7.0.47.
Export the JDK 6 path.
Run ant in the source folder. This will download many files and also
compile the code.

There will be some errors related to SSLv2. Comment out that code, as SSLv2
is no longer supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Mudassir Aftab
Here is my test with latest openssl and tomcat

Tools:
openssl:  1.0.1e
apache-tomcat-7.0.47
apr-1.5.0.
tomcat-native-1.1.29

Connector:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200"
           clientAuth="false"
           SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/opt/misc/certs/ca.pem"
           SSLCertificateKeyFile="/opt/misc/certs/k.key" />

Tomcat Logs:
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3580 ms
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8443]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [ajp-apr-8009]
Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start


Verification Tests:
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(0003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:754:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1388841094
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(0003)
3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:486:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---



On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers its_toas...@yahoo.com wrote:

 On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:

 From: Mudassir Aftab [mailto:withmudas...@gmail.com] Subject: RE:
 TLS is not working in 6.0.37, 7.0.42, 7.0.47


  Again, we have to submit this as a bug.TLS 1.2 is not working
 in Tomcat


 The only evidence you have provided is that your single chosen cipher
 is not implemented by the version of Firefox you're using - which has
 nothing to do with Tomcat.  The TCP capture you provided is just text
 rather than a useful .pcap file, and no one's going to waste their
 time digging through raw bits when any decent protocol analyzer would
 do the job automatically.

 - Chuck



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mudassir,

On 1/2/14, 7:41 PM, Mudassir Aftab wrote:
 Thanks for keep replying,  is there any way to restrict the cipher
 suite in the connector configuration?
 
 ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Read the documentation for Connector.

-chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
[...]
=ROfe
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Chuck,

On 1/3/14, 12:32 PM, Caldarale, Charles R wrote:
 From: Mudassir Aftab [mailto:withmudas...@gmail.com] Subject: Re:
 TLS is not working in 6.0.37, 7.0.42, 7.0.47
 
 Connector port=8443 
 protocol=org.apache.coyote.http11.Http11AprProtocol 
 maxThreads=200 clientAuth=false 
 *SSLCipherSuite=ECDHE-ECDSA-AES128-SHA256*
 
 Why are there asterisks on that config line?  Remove them if
 they're actually present.  Don't try to get cute with formatting
 tricks like bolding text, since this is a plaintext mailing list.
 
 Jan 03, 2014 5:09:49 PM
 org.apache.catalina.core.AprLifecycleListener initializeSSL INFO:
 OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
 
 You need to update the OpenSSL version to 1.0.1e, which contains
 fixes for TLS 1.1 and 1.2 negotiation.  Once that's installed (and
 tcnative rebuilt), verify that the desired cipher is available with
 the openssl ciphers command.
 
 You also need to confirm that your client is capable of TLSv1.2
 using the above cipher.  As stated before, getting a Wireshark or
 tcpdump trace of the negotiation would show what the client
 allows.

+1

You might want to look at sslscan, or use
https://www.ssllabs.com/ssltest/index.html to test your server. It can
tell you what ciphers are supported, etc. even if your client is
misbehaving.

-chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
[...]
=2O14
-END PGP SIGNATURE-




Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Musassir,

On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
 Again, we have to submit this as a bug.TLS 1.2 is not working
 in Tomcat

Tomcat 7.0.74
Oracle Java 1.7.0_45
tcnative 1.1.29 trunk (essentially 1.2.29

tcnative$ make clean
tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
tcnative$ time make
[...]
make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'

real    0m14.790s
user    0m15.300s
sys     0m1.840s

tcnative$ cp -d .libs/* $CATALINA_HOME/bin

tcnative$ cd $CATALINA_BASE

tomcat$ cat conf/server.xml

[...]
   <Connector port="8218"
              protocol="org.apache.coyote.http11.Http11AprProtocol"
              SSLEnabled="true"
              secure="true"
              scheme="https"
              SSLCertificateKeyFile="[...]"
              SSLCertificateFile="[...]"
              SSLCertificateChainFile="[...]"
              SSLProtocol="all"
              executor="tomcatThreadPool"
              URIEncoding="UTF-8" />
[...]

tomcat$ bin/startup.sh

[...]
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
version 1.4.6.
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
[...]

tomcat$ openssl s_client -connect myhost:8218
[...]
verify error:num=19:self signed certificate in certificate chain
[...]
SSL-Session:
Protocol  : TLSv1.2
Cipher: DHE-RSA-AES256-GCM-SHA384
[...]

*disconnect*

I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

Looks like TLS1.2 works just fine in the default configuration
(SSLProtocol=all is the default).

Let's try your configuration. I'm only going to change SSLProtocol
from all to TLSv1:

   <Connector port="8218"
              protocol="org.apache.coyote.http11.Http11AprProtocol"
              SSLEnabled="true"
              secure="true"
              scheme="https"
              SSLCertificateKeyFile="[...]"
              SSLCertificateFile="[...]"
              SSLCertificateChainFile="[...]"
              SSLProtocol="TLSv1"
              executor="tomcatThreadPool"
              URIEncoding="UTF-8" />

*Restart Tomcat*

tomcat$ openssl s_client -connect myhost:8218
[...]
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
[...]

Trying again with Firefox 26 gives me
cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

Let's try restricting to only your cipher. Let's make sure that my
OpenSSL version supports it, first:

tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256


Yup. Let's configure it in Tomcat:

   <Connector port="8218"
              protocol="org.apache.coyote.http11.Http11AprProtocol"
              SSLEnabled="true"
              secure="true"
              scheme="https"
              SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
              SSLCertificateKeyFile="[...]"
              SSLCertificateFile="[...]"
              SSLCertificateChainFile="[...]"
              SSLProtocol="TLSv1"
              executor="tomcatThreadPool"
              URIEncoding="UTF-8" />


$ openssl s_client -connect myhost:8218
CONNECTED(0003)
139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:

$ openssl s_client -tls1 -connect myhost:8218
CONNECTED(0003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

$ openssl s_client -tls1_1 -connect myhost:8218
CONNECTED(0003)
140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

$ openssl s_client -tls1_2 -connect myhost:8218
CONNECTED(0003)
139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Firefox also fails with ssl_error_no_cypher_overlap.

$ sslscan myhost:8218
                   _
         ___ ___| |___  ___ __ _ _ __
        / __/ __| / __|/ __/ _` | '_ \
        \__ \__ \ \__ \ (_| (_| | | | |
        |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server myhost on port 8218

  Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
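Added example, not code from this thread, from Tomcat or from OpenSSL: a POSIX shell script that automates the two checks Chuck and Chris describe above. It reads `openssl ciphers -v` to find the lowest protocol version at which the local OpenSSL can offer a suite (so that forcing `-tls1` together with a TLSv1.2-only SHA256 suite is reported as a client-side impossibility rather than a server fault), and it classifies an `openssl s_client` transcript into "handshake completed", "our own OpenSSL had no ciphers to offer" (Mudassir's `-tls1` test), "server sent alert 40" or "server answered with the wrong record version" (Chris's `-tls1_1`/`-tls1_2` tests against `SSLProtocol="TLSv1"`). The `ciphers -v` lines and s_client transcripts embedded in the script are constructed samples modelled on the outputs quoted in the thread; the output format assumed is that of OpenSSL 1.0.x, and `probe_protocols` needs a real host to talk to.

```shell
#!/bin/sh
# tls_probe.sh -- added example, not code from this thread or from Tomcat/OpenSSL.
# Tells apart the failure modes seen in the thread:
#   * our own OpenSSL refuses to send a ClientHello ("no ciphers available"):
#     the requested cipher is not valid at the requested protocol version;
#   * the server answers alert 40 ("handshake failure"): nothing we offered
#     overlaps with what the connector allows;
#   * the server answers a different record version ("wrong version number").
# Assumes OpenSSL 1.0.x output formats: `openssl ciphers -v` has the minimum
# protocol in column 2, and s_client prints "Protocol  :" / "Cipher    :" lines.

# Constructed sample of `openssl ciphers -v` (three suites).
CIPHERS_V_SAMPLE='ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA    SSLv3   Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA        SSLv3   Kx=DH       Au=RSA   Enc=AES(256)  Mac=SHA1'

# Constructed s_client transcripts, trimmed to the lines that matter.
S_CLIENT_CLIENT_FAIL='CONNECTED(00000003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:754:
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
S_CLIENT_SERVER_FAIL='CONNECTED(00000003)
139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40'
S_CLIENT_OK='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA256'

# proto_rank NAME-or-FLAG: order protocol versions so they can be compared.
proto_rank() {
    case "$1" in
        SSLv3|-ssl3)     printf '%s\n' 0 ;;
        TLSv1|-tls1)     printf '%s\n' 1 ;;
        TLSv1.1|-tls1_1) printf '%s\n' 2 ;;
        TLSv1.2|-tls1_2) printf '%s\n' 3 ;;
        *)               printf '%s\n' -1 ;;
    esac
}

# cipher_min_protocol CIPHER  < `openssl ciphers -v`
# Prints the protocol column for CIPHER, or "unknown" if this OpenSSL lacks it.
cipher_min_protocol() {
    awk -v want="$1" '$1 == want { print $2; found = 1; exit }
                      END { if (!found) print "unknown" }'
}

# cipher_usable_at FLAG CIPHER  < `openssl ciphers -v`
# Succeeds only if CIPHER can be negotiated at the version selected by FLAG.
# SHA256/GCM suites are TLSv1.2-only, so `-tls1 -cipher <such a suite>` cannot work.
cipher_usable_at() {
    need=$(cipher_min_protocol "$2")
    [ "$need" != unknown ] && [ "$(proto_rank "$need")" -le "$(proto_rank "$1")" ]
}

# classify_s_client  < `openssl s_client ...` output (stdout and stderr)
# Prints "ok PROTO CIPHER", client-no-ciphers, server-handshake-failure,
# server-wrong-version or unknown; exit status is 0 only for "ok".
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"no ciphers available"*)    echo client-no-ciphers;        return 2 ;;
        *"alert handshake failure"*) echo server-handshake-failure; return 3 ;;
        *"wrong version number"*)    echo server-wrong-version;     return 4 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != 0000 ]; then
        echo "ok $proto $cipher"
        return 0
    fi
    echo unknown
    return 1
}

# probe_protocols HOST:PORT [CIPHER]
# Live check: one s_client run per protocol flag, each classified as above.
# When a cipher is forced, first asks the local `openssl ciphers -v` whether it
# can be offered at that version at all, so a client-side "no" is named as such.
probe_protocols() {
    target=$1; cipher=${2:-}
    for flag in -tls1 -tls1_1 -tls1_2; do
        if [ -n "$cipher" ] && ! openssl ciphers -v | cipher_usable_at "$flag" "$cipher"; then
            printf '%-8s client-cipher-needs-newer-protocol\n' "$flag"
            continue
        fi
        set -- -connect "$target" "$flag"
        [ -n "$cipher" ] && set -- "$@" -cipher "$cipher"
        result=$(openssl s_client "$@" </dev/null 2>&1 | classify_s_client) || true
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Usage: sh tls_probe.sh host:8443 [ECDHE-ECDSA-AES128-SHA256]
if [ $# -gt 0 ]; then probe_protocols "$@"; fi
```

Run as `sh tls_probe.sh myhost:8218 ECDHE-ECDSA-AES128-SHA256` against the `SSLProtocol="TLSv1"` connector above and the `-tls1` line is reported as client-cipher-needs-newer-protocol before any connection is made, which is the same fact the `openssl ciphers -v | grep` check shows by hand; the `-tls1_1` and `-tls1_2` lines come back as server-wrong-version. The classification strings are only pattern matches on OpenSSL's error text, so a newer OpenSSL that words its errors differently will fall through to unknown rather than be misreported.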

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Musassir,

On 1/4/14, 4:08 PM, Christopher Schultz wrote:
 [...]

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Mark Eggers

On 1/4/2014 1:18 PM, Christopher Schultz wrote:

[...]
$ sslscan myhost:8218
                   _
         ___ ___| |___  ___ __ _ _ __
        / __/ __| / __|/ __/ _` | '_ \
        \__ \__ \ \__ \ (_| (_| | | | |
        |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server myhost on port 8218

  Supported Server Cipher(s):
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
    Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
    Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
    Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
    Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 1/4/14, 6:37 PM, Mark Eggers wrote:
 On 1/4/2014 1:18 PM, Christopher Schultz wrote:
 -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
 
 Musassir,
 
 On 1/4/14, 4:08 PM, Christopher Schultz wrote:
 Musassir,
 
 On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
 Again, we have to submit this as a bug.TLS 1.2 is not 
 working in Tomcat
 
 Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk 
 (essentially 1.2.29
 
 tcnative$ make clean tcnative$ ./configure --with-apr=`which 
 apr-config` --with-java-home=/usr/local/java-7 --with-ssl
 tcnative$ time make [...] make[1]: Leaving directory 
 `/home/cschultz/projects/tomcat-native-1.1.x/native'
 
 real0m14.790s user0m15.300s sys0m1.840s
 
 tcnative$ cp -d .libs/* $CATALINA_HOME/bin
 
 tcnative$ cd $CATALINA_BASE
 
 tomcat$ cat conf/server.xml
 
 [...] Connector port=8218 
 protocol=org.apache.coyote.http11.Http11AprProtocol 
 SSLEnabled=true secure=true scheme=https 
 SSLCertificateKeyFile=[...] SSLCertificateFile=[...] 
 SSLCertificateChainFile=[...] SSLProtocol=all 
 executor=tomcatThreadPool URIEncoding=UTF-8 / [...]
 
 tomcat$ bin/startup.sh
 
 [...] Jan 04, 2014 3:17:26 PM 
 org.apache.catalina.core.AprLifecycleListener init INFO: Loaded
 APR based Apache Tomcat Native library 1.1.30 using APR version
 1.4.6. Jan 04, 2014 3:17:26 PM 
 org.apache.catalina.core.AprLifecycleListener init INFO: APR 
 capabilities: IPv6 [true], sendfile [true], accept filters
 [false], random [true]. Jan 04, 2014 3:17:26 PM 
 org.apache.catalina.core.AprLifecycleListener initializeSSL
 INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb
 2013) [...]
 
 tomcat$ openssl s_client -connect myhost:8218 [...] verify 
 error:num=19:self signed certificate in certificate chain
 [...] SSL-Session: Protocol  : TLSv1.2 Cipher: 
 DHE-RSA-AES256-GCM-SHA384 [...]
 
 *disconnect*
 
 I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can
 connect using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
 
 Looks like TLS1.2 works just fine in the default configuration 
 (SSLProtocol=all is the default).
 
 Let's try your configuration. I'm only going to change
 SSLProtocol from all to TLSv1:
 
 Connector port=8218 
 protocol=org.apache.coyote.http11.Http11AprProtocol 
 SSLEnabled=true secure=true scheme=https 
 SSLCertificateKeyFile=[...] SSLCertificateFile=[...] 
 SSLCertificateChainFile=[...] SSLProtocol=TLSv1 
 executor=tomcatThreadPool URIEncoding=UTF-8 /
 
 * Restart Tomcat*
 
 tomcat$ openssl s_client -connect myhost:8218 [...]
 SSL-Session: Protocol  : TLSv1 Cipher: DHE-RSA-AES256-SHA
 [...]
 
 Trying again with Firefox 26 give me 
 cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
 
 Let's try restricting to only your cipher. Let's make sure that
 my OpenSSL version supports it, first:
 
 tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256 
 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA 
 Enc=AES(128) Mac=SHA256
 
 
 Yup. Let's configure it in Tomcat:
 
 Connector port=8218 
 protocol=org.apache.coyote.http11.Http11AprProtocol 
 SSLEnabled=true secure=true scheme=https 
 SSLCipherSuite=ECDHE-ECDSA-AES128-SHA256 
 SSLCertificateKeyFile=[...] SSLCertificateFile=[...] 
 SSLCertificateChainFile=[...] SSLProtocol=TLSv1 
 executor=tomcatThreadPool URIEncoding=UTF-8 /
 
 
 $ openssl s_client -connect myhost:8218 CONNECTED(0003) 
 139718306563752:error:14077410:SSL 
 routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
 failure:s23_clnt.c:741:
 
 $ openssl s_client -tls1 -connect myhost:8218
 CONNECTED(0003) 139965071759016:error:14094410:SSL
 routines:SSL3_READ_BYTES:sslv3 alert handshake
 failure:s3_pkt.c:1256:SSL alert number 40 
 139965071759016:error:1409E0E5:SSL
 routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
 
 $ openssl s_client -tls1_1 -connect myhost:8218 
 CONNECTED(0003) 140680041133736:error:1408F10B:SSL 
 routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
 
 $ openssl s_client -tls1_2 -connect myhost:8218 
 CONNECTED(0003) 139976873068200:error:1408F10B:SSL 
 routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
 
 Firefox also fails with ssl_error_no_cypher_overlap.
 
 $ sslscan myhost:8218
                    _
            ___ ___| |___  ___ __ _ _ __
           / __/ __| / __|/ __/ _` | '_ \
           \__ \__ \ \__ \ (_| (_| | | | |
           |___/___/_|___/\___\__,_|_| |_|

                   Version 1.8.2
              http://www.titania.co.uk
         Copyright Ian Ventura-Whiting 2009

 Testing SSL server myhost on port 8218

   Supported Server Cipher(s):
     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
     Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
     Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
     Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
     Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
     Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
     Failed    SSLv3  256 bits
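The outcome of the experiment quoted above (a TLSv1.2-only suite, ECDHE-ECDSA-AES128-SHA256, behind SSLProtocol=TLSv1) can be predicted without restarting Tomcat. What follows is an added example, not code from the thread, from Tomcat or from tcnative: it parses `openssl ciphers -v` output (a constructed sample in the OpenSSL 1.0.1 format shown above; real output can be fed to the same parser) and reports, for each SSLCipherSuite entry, whether the enabled protocol versions and the connector certificate's key type allow it to be negotiated. The key-type check goes one step beyond the quoted run, whose certificate was RSA (DHE-RSA-* suites were negotiated): an Au=ECDSA or Au=ECDH suite needs an EC certificate even once TLSv1.2 is enabled. Function names, the sample table and the `cert_key_type` parameter are this example's own.

```python
"""Predict which SSLCipherSuite entries a Tomcat APR/native connector can
actually negotiate, given its SSLProtocol value and its certificate.

Added example for this thread; not Tomcat, tcnative or OpenSSL code.
Two constraints decide the outcome: a suite is only offered under a
protocol version at least as new as its minimum version (second column
of `openssl ciphers -v`), and the suite's Au= value fixes the key type
the server certificate must carry (ECDSA and static ECDH need an EC key,
RSA an RSA key, DSS a DSA key).
"""
import re

# Constructed sample in the `openssl ciphers -v` format of OpenSSL 1.0.1,
# the release used in the thread; not captured from any real host.
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)   Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)   Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)   Mac=SHA1
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)   Mac=SHA256
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168)  Mac=MD5
"""

# Protocol versions in order. Tomcat's SSLProtocol is "all" or a
# "+"-separated subset of these names.
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                "TLSv1.2": 4, "TLSv1.3": 5}

# Certificate key type each Au= value needs; None marks anonymous suites.
CERT_FOR_AU = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC", "ECDH": "EC",
               "None": None}

CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into {name: {min_version, kx, au}}."""
    table = {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue  # blank or unexpected line
        ver = m.group("ver")
        if ver == "TLSv1.0":  # newer OpenSSL spells TLS 1.0 this way
            ver = "TLSv1"
        table[m.group("name")] = {"min_version": ver,
                                  "kx": m.group("kx"), "au": m.group("au")}
    return table


def enabled_versions(ssl_protocol):
    """Expand a Tomcat SSLProtocol value into the set of enabled versions."""
    if ssl_protocol.strip().lower() == "all":
        return set(VERSION_RANK)
    versions = {p.strip() for p in ssl_protocol.split("+") if p.strip()}
    unknown = versions - set(VERSION_RANK)
    if unknown:
        raise ValueError(f"unknown protocol name(s) in SSLProtocol: {sorted(unknown)}")
    return versions


def check_ciphers(table, ssl_protocol, ssl_cipher_suite, cert_key_type):
    """Map each SSLCipherSuite entry to "ok" or the reason it cannot be negotiated.

    ssl_cipher_suite is a ':'-separated list of explicit cipher names; OpenSSL
    keywords such as HIGH or !aNULL are not expanded here. cert_key_type is
    the key type of the connector's certificate: "RSA", "EC" or "DSA".
    """
    enabled = enabled_versions(ssl_protocol)
    highest = max(enabled, key=VERSION_RANK.__getitem__)
    verdicts = {}
    for name in filter(None, (n.strip() for n in ssl_cipher_suite.split(":"))):
        entry = table.get(name)
        if entry is None:
            verdicts[name] = "unknown to this OpenSSL build"
            continue
        min_ver = entry["min_version"]
        # SSLv2 suites exist only inside an SSLv2 handshake; every other suite
        # can ride on any enabled version at or above its minimum.
        if min_ver == "SSLv2":
            version_ok = "SSLv2" in enabled
        else:
            version_ok = VERSION_RANK[highest] >= VERSION_RANK[min_ver]
        needed = CERT_FOR_AU.get(entry["au"])
        if not version_ok:
            verdicts[name] = (f"needs {min_ver} but SSLProtocol={ssl_protocol} "
                              f"allows at most {highest}")
        elif needed is not None and needed != cert_key_type:
            verdicts[name] = (f"needs {needed} server certificate key "
                              f"(Au={entry['au']}), connector has {cert_key_type}")
        else:
            verdicts[name] = "ok"
    return verdicts


def negotiable_ciphers(table, ssl_protocol, ssl_cipher_suite, cert_key_type):
    """Only the names a client could negotiate, in SSLCipherSuite order."""
    verdicts = check_ciphers(table, ssl_protocol, ssl_cipher_suite, cert_key_type)
    return [name for name, why in verdicts.items() if why == "ok"]


if __name__ == "__main__":
    table = parse_ciphers_v(SAMPLE_CIPHERS_V)
    suite = "ECDHE-ECDSA-AES128-SHA256"
    # The quoted experiment (TLSv1 only, RSA certificate), then the same suite
    # with all protocols but an RSA certificate, then with an EC certificate.
    for proto, cert in (("TLSv1", "RSA"), ("all", "RSA"), ("all", "EC")):
        print(f"SSLProtocol={proto}, {cert} key: {check_ciphers(table, proto, suite, cert)}")
```

Run stand-alone it prints three verdicts for the quoted suite: refused for protocol version under SSLProtocol=TLSv1, refused for certificate key type under SSLProtocol=all with an RSA certificate, and negotiable only with an EC certificate, which is the combination the ECDH-ECDSA suites need. To check a real host, pipe `openssl ciphers -v ALL` from the OpenSSL that tcnative was linked against into parse_ciphers_v and pass the connector's own SSLProtocol and SSLCipherSuite values.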
 

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Sanaullah
you can create ECC self-signed certificates using the two OpenSSL
commands below:

openssl ecparam -out sinful.key -name prime256v1 -genkey
openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650

root@ubuntu:/# openssl s_client -connect localhost:8443
CONNECTED(0003)
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

---
SSL handshake has read 836 bytes and written 453 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: ECDH-ECDSA-AES256-SHA
Session-ID:
0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
Session-ID-ctx:
Master-Key:
7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
    0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de   9._1....x.f}G{..
    0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e   ...%.....7s.P..>
    0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05   .Qb......m.6....
    0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f   q^.....4..[.....
    0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4   \?m...;..6.?..U.
    0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36   H7s.u"..(...|..6
    0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab   D....13nQ.O^....
    0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c   ..{.i..w.:.j..0|
    0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84   ...?..a.-XK.....
    0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91   IL"mV.U..'z?....
    00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68   .......Nw.."...h

Start Time: 1388891510
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---


I am also unable to initialize any TLS1.1 or TLS1.2 related ECC Ciphers

Here is my config
tomcat 7.0.47
libapr 1.5.0-1
tcnative 1.1.29-1

<Connector port="8443"
   SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   SSLProtocol="all"
   SSLCertificateFile="/home/san/sinful.pem"
   SSLCertificateKeyFile="/home/san/sinful.key" />




On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Mark,

 On 1/4/14, 6:37 PM, Mark Eggers wrote:
  On 1/4/2014 1:18 PM, Christopher Schultz wrote:
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA256

  Mudassir,

  On 1/4/14, 4:08 PM, Christopher Schultz wrote:
  Mudassir,

  On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
  Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

  Tomcat 7.0.74
  Oracle Java 1.7.0_45
  tcnative 1.1.29 trunk (essentially 1.2.29)

  tcnative$ make clean
  tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
  tcnative$ time make
  [...]
  make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'

  real 0m14.790s
  user 0m15.300s
  sys 0m1.840s

  tcnative$ cp -d .libs/* $CATALINA_HOME/bin

  tcnative$ cd $CATALINA_BASE

  tomcat$ cat conf/server.xml

  [...]
  <Connector port="8218"
     protocol="org.apache.coyote.http11.Http11AprProtocol"
     SSLEnabled="true" secure="true" scheme="https"
     SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
     SSLCertificateChainFile="[...]" SSLProtocol="all"
     executor="tomcatThreadPool" URIEncoding="UTF-8" />
  [...]

  tomcat$ bin/startup.sh

  [...]
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
  [...]

  tomcat$ openssl s_client -connect myhost:8218
  [...]
  verify error:num=19:self signed

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Sanaullah
There is also a bug fix for TLS1.1 and TLS1.2 support by Marcel
Šebek; maybe that needs to be applied:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c1



On Sun, Jan 5, 2014 at 8:18 AM, Sanaullah sanaulla...@gmail.com wrote:

 you can create ECC self-signed certificates using the two OpenSSL
 commands below:

 openssl ecparam -out sinful.key -name prime256v1 -genkey
 openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650

 root@ubuntu:/# openssl s_client -connect localhost:8443
 CONNECTED(0003)
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
 TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
 YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
 MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
 VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
 hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
 +aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
 FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
 JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
 X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
 EmVg3uQq9XxPfiI=
 -----END CERTIFICATE-----

 ---
 SSL handshake has read 836 bytes and written 453 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
 Server public key is 256 bit
 Secure Renegotiation IS supported

 Compression: NONE
 Expansion: NONE
 SSL-Session:
 Protocol  : TLSv1
 Cipher: ECDH-ECDSA-AES256-SHA
 Session-ID:
 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
 Session-ID-ctx:
 Master-Key:
 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1

 Key-Arg   : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket lifetime hint: 7200 (seconds)
 TLS session ticket:
     0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de   9._1....x.f}G{..
     0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e   ...%.....7s.P..>
     0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05   .Qb......m.6....
     0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f   q^.....4..[.....
     0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4   \?m...;..6.?..U.
     0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36   H7s.u"..(...|..6
     0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab   D....13nQ.O^....
     0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c   ..{.i..w.:.j..0|
     0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84   ...?..a.-XK.....
     0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91   IL"mV.U..'z?....
     00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68   .......Nw.."...h

 Start Time: 1388891510
 Timeout   : 300 (sec)
 Verify return code: 18 (self signed certificate)
 ---


 I am also unable to initialize any TLS1.1 or TLS1.2 related ECC Ciphers

 Here is my config
 tomcat 7.0.47
 libapr 1.5.0-1
 tcnative 1.1.29-1

 <Connector port="8443"
    SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    SSLProtocol="all"
    SSLCertificateFile="/home/san/sinful.pem"
    SSLCertificateKeyFile="/home/san/sinful.key" />




 On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz 
 ch...@christopherschultz.net wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA256

 Mark,

 On 1/4/14, 6:37 PM, Mark Eggers wrote:
  On 1/4/2014 1:18 PM, Christopher Schultz wrote:
  -BEGIN PGP SIGNED MESSAGE- Hash: SHA256

  Mudassir,

  On 1/4/14, 4:08 PM, Christopher Schultz wrote:
  Mudassir,

  On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
  Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

  Tomcat 7.0.74
  Oracle Java 1.7.0_45
  tcnative 1.1.29 trunk (essentially 1.2.29)

  tcnative$ make clean
  tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
  tcnative$ time make
  [...]
  make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'

  real 0m14.790s
  user 0m15.300s
  sys 0m1.840s

  tcnative$ cp -d .libs/* $CATALINA_HOME/bin

  tcnative$ cd $CATALINA_BASE

  tomcat$ cat conf/server.xml

  [...]
  <Connector port="8218"
     protocol="org.apache.coyote.http11.Http11AprProtocol"
     SSLEnabled="true" secure="true" scheme="https"
     SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]"
     SSLCertificateChainFile="[...]" SSLProtocol="all"
     executor="tomcatThreadPool" URIEncoding="UTF-8" />
  [...]

  tomcat$ bin/startup.sh

  [...]
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities:

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-04 Thread Terence M. Bandoian
On 1/4/2014 3:08 PM, Christopher Schultz wrote:
 Mudassir,

 On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
  Again, we have to submit this as a bug.TLS 1.2 is not working
  in Tomcat

 Tomcat 7.0.74
 Oracle Java 1.7.0_45
 tcnative 1.1.29 trunk (essentially 1.2.29)

 tcnative$ make clean
 tcnative$ ./configure --with-apr=`which apr-config`
 --with-java-home=/usr/local/java-7 --with-ssl
 tcnative$ time make
 [...]
 make[1]: Leaving directory
 `/home/cschultz/projects/tomcat-native-1.1.x/native'

 real0m14.790s
 user0m15.300s
 sys0m1.840s

 tcnative$ cp -d .libs/* $CATALINA_HOME/bin

 tcnative$ cd $CATALINA_BASE

 tomcat$ cat conf/server.xml

 [...]
 <Connector port="8218"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true"
    secure="true"
    scheme="https"
    SSLCertificateKeyFile="[...]"
    SSLCertificateFile="[...]"
    SSLCertificateChainFile="[...]"
    SSLProtocol="all"
    executor="tomcatThreadPool"
    URIEncoding="UTF-8" />
 [...]

 tomcat$ bin/startup.sh

 [...]
 Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
 INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR
 version 1.4.6.
 Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
 INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
 [false], random [true].
 Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener
 initializeSSL
 INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
 [...]

 tomcat$ openssl s_client -connect myhost:8218
 [...]
 verify error:num=19:self signed certificate in certificate chain
 [...]
 SSL-Session:
 Protocol  : TLSv1.2
 Cipher: DHE-RSA-AES256-GCM-SHA384
 [...]

 *disconnect*

 I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
 using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

 Looks like TLS1.2 works just fine in the default configuration
 (SSLProtocol=all is the default).

 Let's try your configuration. I'm only going to change SSLProtocol
 from all to TLSv1:

 <Connector port="8218"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true"
    secure="true"
    scheme="https"
    SSLCertificateKeyFile="[...]"
    SSLCertificateFile="[...]"
    SSLCertificateChainFile="[...]"
    SSLProtocol="TLSv1"
    executor="tomcatThreadPool"
    URIEncoding="UTF-8" />

 * Restart Tomcat*

 tomcat$ openssl s_client -connect myhost:8218
 [...]
 SSL-Session:
 Protocol  : TLSv1
 Cipher: DHE-RSA-AES256-SHA
 [...]

 Trying again with Firefox 26 gives me
 cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

 Let's try restricting to only your cipher. Let's make sure that my
 OpenSSL version supports it, first:

 tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)
 Mac=SHA256


 Yup. Let's configure it in Tomcat:

 <Connector port="8218"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLEnabled="true"
    secure="true"
    scheme="https"
    SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
    SSLCertificateKeyFile="[...]"
    SSLCertificateFile="[...]"
    SSLCertificateChainFile="[...]"
    SSLProtocol="TLSv1"
    executor="tomcatThreadPool"
    URIEncoding="UTF-8" />


 $ openssl s_client -connect myhost:8218
 CONNECTED(0003)
 139718306563752:error:14077410:SSL
 routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
 failure:s23_clnt.c:741:

 $ openssl s_client -tls1 -connect myhost:8218
 CONNECTED(0003)
 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
 handshake failure:s3_pkt.c:596:

 $ openssl s_client -tls1_1 -connect myhost:8218
 CONNECTED(0003)
 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
 version number:s3_pkt.c:337:

 $ openssl s_client -tls1_2 -connect myhost:8218
 CONNECTED(0003)
 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
 version number:s3_pkt.c:337:

 Firefox also fails with ssl_error_no_cypher_overlap.

 $ sslscan myhost:8218
_
___ ___| |___  ___ __ _ _ __
   / __/ __| / __|/ __/ _` | '_ \
   \__ \__ \ \__ \ (_| (_| | | | |
   |___/___/_|___/\___\__,_|_| |_|

   Version 1.8.2
  http://www.titania.co.uk
 Copyright Ian Ventura-Whiting 2009

 Testing SSL server myhost on port 8218

   Supported Server Cipher(s):
     Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
     Failed    SSLv3  256 bits

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

Sorry for asking you the same thing again and again; I have tried many things
from the above document, but nothing works for me, and there are no errors in the log.

   <Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
   maxThreads="200"
   clientAuth="false"
   ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/home/mudassir/pay/p.pem"
   SSLCertificateKeyFile="/home/mudassir/p-key.pem"
   SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

  SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256

I really appreciate your help


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David kerber

On 1/3/2014 3:28 AM, Mudassir Aftab wrote:

Hi,

Sorry for asking you the same thing again and again; I have tried many things
from the above document, but nothing works for me, and there are no errors in the log.

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="200"
clientAuth="false"
ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/home/mudassir/pay/p.pem"
SSLCertificateKeyFile="/home/mudassir/p-key.pem"
SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

   SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256

I really appreciate your help



If what you list here is what is really in your config file, you're not 
proofreading your configuration entries very well.  You have 
SSLCipherSuite misspelled (two missing letters), and it's not inside the 
connector configuration entry.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Sanaullah
Hi Chuck.

I also took an interest in digging into this issue.

The document you were referring to,
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol
attribute.

SSLCipherSuite will only support the ciphers available in SSLv2, SSLv3 and
TLSv1.

Ciphers that require TLSv1.1 or TLSv1.2 can't be used until TLSv1.1 and
TLSv1.2 are enabled; see the TLSv1.2 cipher list at the OpenSSL link:
http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I would be happy to see if someone has enabled the ciphers below without
enabling TLSv1.2:

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256  ECDH-ECDSA-AES128-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384  ECDH-ECDSA-AES256-SHA384
 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  ECDH-ECDSA-AES128-GCM-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384  ECDH-ECDSA-AES256-GCM-SHA384

Regards,
San





On Fri, Jan 3, 2014 at 12:59 PM, Mudassir Aftab withmudas...@gmail.comwrote:



 -- Forwarded message --
 From: Caldarale, Charles R chuck.caldar...@unisys.com
 Date: Fri, Jan 3, 2014 at 10:45 AM
 Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
 To: Tomcat Users List users@tomcat.apache.org


  From: Mudassir Aftab [mailto:withmudas...@gmail.com]
  Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

  Should I use the following APR connector attributes?
 <Connector port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="200"
    sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
    clientAuth="false"
    ciphers="AES256-SHA256"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="p.pem"
    SSLCertificateKeyFile="key.pem"
    SSLCACertificateFile="AdminCA1.pem" />

 For the third time, the APR Connector has no sslProtocol nor
 sslEnabledProtocols attributes; the proper ones for specifying the protocol
 and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively.
  For the last time, read the doc:

 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

 (If you don't start paying attention to the responses you're getting, you
 will end up just being ignored.)

  - Chuck


 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
 MATERIAL and is thus for use only by the intended recipient. If you
 received this in error, please contact the sender and delete the e-mail and
 its attachments from all computers.







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

That was just a typo; on the system it is fine, and I keep checking the
logs, there is no warning in them.

Also, what about the following post:

I also took an interest in digging into this issue.

The document you were referring to,
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol
attribute.

SSLCipherSuite will only support the ciphers available in SSLv2, SSLv3 and
TLSv1.

Ciphers that require TLSv1.1 or TLSv1.2 can't be used until TLSv1.1 and
TLSv1.2 are enabled; see the TLSv1.2 cipher list at the OpenSSL link:
http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I would be happy to see if someone has enabled the ciphers below without
enabling TLSv1.2:

 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256  ECDH-ECDSA-AES128-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384  ECDH-ECDSA-AES256-SHA384
 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  ECDH-ECDSA-AES128-GCM-SHA256
 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384  ECDH-ECDSA-AES256-GCM-SHA384




On Fri, Jan 3, 2014 at 6:00 PM, David kerber dcker...@verizon.net wrote:

 On 1/3/2014 3:28 AM, Mudassir Aftab wrote:

 Hi,

 Sorry for asking you the same thing again and again; I have tried many things
 from the above document, but nothing works for me, and there are no errors in the log.

 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11AprProtocol"
 maxThreads="200"
 clientAuth="false"
 ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
 scheme="https" secure="true" SSLEnabled="true"
 SSLCertificateFile="/home/mudassir/pay/p.pem"
 SSLCertificateKeyFile="/home/mudassir/p-key.pem"
 SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256

 I really appreciate your help


 If what you list here is what is really in your config file, you're not
 proofreading your configuration entries very well.  You have SSLCipherSuite
 misspelled (two missing letters), and it's not inside the connector
 configuration entry.








Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Also, the following setting is working for TLS v1 but not with TLS v1.2, so it's
a bug!!!



<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
   maxThreads="200"
   clientAuth="false"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/home/mudassir/certs/ca.pem"
   SSLCertificateKeyFile="/home/mudassir/certs/k.key" />



On Fri, Jan 3, 2014 at 6:56 PM, Mudassir Aftab withmudas...@gmail.comwrote:

 Hi,

 That was just a typo; on the system it is fine, and I keep checking the
 logs, there is no warning in them.

 Also, what about the following post:


 I also took an interest in digging into this issue.

 The document you were referring to,
 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
 clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol
 attribute.

 SSLCipherSuite will only support the ciphers available in SSLv2, SSLv3 and
 TLSv1.

 Ciphers that require TLSv1.1 or TLSv1.2 can't be used until TLSv1.1 and
 TLSv1.2 are enabled; see the TLSv1.2 cipher list at the OpenSSL
 link: http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

 I would be happy to see if someone has enabled the ciphers below without
 enabling TLSv1.2:

  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256  ECDH-ECDSA-AES128-SHA256
  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384  ECDH-ECDSA-AES256-SHA384
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256  ECDH-ECDSA-AES128-GCM-SHA256
  TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384  ECDH-ECDSA-AES256-GCM-SHA384




 On Fri, Jan 3, 2014 at 6:00 PM, David kerber dcker...@verizon.net wrote:

 On 1/3/2014 3:28 AM, Mudassir Aftab wrote:

 Hi,

 Sorry for asking you the same thing again and again; I have tried many things
 from the above document, but nothing works for me, and there are no errors in the log.

 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11AprProtocol"
 maxThreads="200"
 clientAuth="false"
 ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
 scheme="https" secure="true" SSLEnabled="true"
 SSLCertificateFile="/home/mudassir/pay/p.pem"
 SSLCertificateKeyFile="/home/mudassir/p-key.pem"
 SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256

 I really appreciate your help


 If what you list here is what is really in your config file, you're not
 proofreading your configuration entries very well.  You have SSLCipherSuite
 misspelled (two missing letters), and it's not inside the connector
 configuration entry.









RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
 From: David kerber [mailto:dcker...@verizon.net] 
 Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

  Sorry for asking you the same thing again and again; I have tried many things
  from the above document, but nothing works for me, and there are no errors in the log.
  <Connector port="8443"
     protocol="org.apache.coyote.http11.Http11AprProtocol"
     maxThreads="200"
     clientAuth="false"
     ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
     scheme="https" secure="true" SSLEnabled="true"
     SSLCertificateFile="/home/mudassir/pay/p.pem"
     SSLCertificateKeyFile="/home/mudassir/p-key.pem"
     SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
 
 SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256

 If what you list here is what is really in your config file, you're not 
 proofreading your configuration entries very well.  You have 
 SSLCipherSuite misspelled (two missing letters), and it's not inside the 
 connector configuration entry.

Not to mention still having the ciphers attribute, which is not used with APR.

 - Chuck
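Every problem called out in the replies above is visible in the `<Connector>` element itself before any restart: an attribute name Tomcat does not know (SSCipherSuit), JSSE-only attributes such as `ciphers`, `sslProtocol` and `sslEnabledProtocols` that the APR/native connector never reads, an attribute typed after the closing `/>`, and a value still wrapped in the `*...*` a mail client uses for bold. The following is an added example, not Tomcat code: a small lint over one connector element. The attribute lists are the Tomcat 7 APR/native and JSSE SSL attributes; the sample elements are constructed from the connector quoted above with placeholder paths; function and constant names are this example's own.

```python
"""Lint the attributes of one Tomcat 7 <Connector> element before a restart.

Added example for this thread, not Tomcat code. It flags what the replies
above point out by hand: an attribute Tomcat does not know (a misspelling
such as SSCipherSuit, with a "did you mean" hint), JSSE-only attributes
that the APR/native connector ignores (ciphers, sslProtocol, ...), a value
still wrapped in a mail client's '*' bold markers, text left outside the
element, and an SSL-enabled APR connector with no certificate or key file.
"""
import difflib
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# SSL attributes of the APR/native connector (Tomcat 7 http.html,
# "SSL Support - APR/Native").
APR_SSL_ATTRS = {
    "SSLEnabled", "SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
    "SSLCertificateKeyFile", "SSLPassword", "SSLVerifyClient", "SSLVerifyDepth",
    "SSLCACertificateFile", "SSLCACertificatePath", "SSLCertificateChainFile",
    "SSLCARevocationFile", "SSLCARevocationPath", "SSLHonorCipherOrder",
}
# SSL attributes read only by the JSSE (BIO/NIO) connectors.
JSSE_ONLY_ATTRS = {
    "sslProtocol", "sslEnabledProtocols", "ciphers", "clientAuth",
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias",
    "truststoreFile", "truststorePass",
}
# Non-SSL attributes this lint accepts (a subset; extend for your server.xml).
COMMON_ATTRS = {
    "port", "protocol", "maxThreads", "scheme", "secure", "executor",
    "URIEncoding", "connectionTimeout", "redirectPort",
}

# Constructed from the connector quoted above; paths are placeholders.
SAMPLE_BROKEN = """<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="200" clientAuth="false"
    ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
    SSCipherSuit="ECDH-ECDSA-AES128-GCM-SHA256"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/path/to/server.pem"
    SSLCertificateKeyFile="/path/to/server.key" />"""

SAMPLE_FIXED = """<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
    SSLProtocol="all" SSLCipherSuite="ECDH-ECDSA-AES128-GCM-SHA256"
    SSLCertificateFile="/path/to/server.pem"
    SSLCertificateKeyFile="/path/to/server.key" />"""


def lint_connector(xml_text):
    """Return (attribute, problem) pairs; an empty list means nothing to fix."""
    try:
        conn = ET.fromstring(xml_text)
    except ET.ParseError as err:
        # An attribute typed after '/>' (or any other stray text) ends up here.
        return [("<Connector>", f"not well-formed XML: {err}")]
    findings = []
    is_apr = conn.get("protocol") == APR_PROTOCOL
    known = APR_SSL_ATTRS | JSSE_ONLY_ATTRS | COMMON_ATTRS
    for name, value in conn.attrib.items():
        if len(value) > 1 and value[0] == "*" == value[-1]:
            findings.append((name, f"value {value!r} is wrapped in '*' markers"))
        if name not in known:
            guess = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
            hint = f"; did you mean {guess[0]}?" if guess else ""
            findings.append((name, f"not a known connector attribute{hint}"))
        elif is_apr and name in JSSE_ONLY_ATTRS:
            findings.append((name, "JSSE-only attribute, ignored by the APR/native connector"))
    if is_apr and conn.get("SSLEnabled") == "true":
        for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if required not in conn.attrib:
                findings.append((required, 'required when SSLEnabled="true" on the APR connector'))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, lint_connector(sample) or "no findings")
```

The lint reads one element, not a whole server.xml, so paste the connector under test into a string (or extract it with an XML parser) and act on every finding before restarting; a JSSE-only attribute on the APR connector is silently ignored by Tomcat, which is why the thread saw no warning in the logs.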







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Then what could be the working config!!! Can you edit it and send it to me?

Regards,
Mudassir Aftab


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David kerber

On 1/3/2014 11:18 AM, Mudassir Aftab wrote:

Then what could be the working config!!! Can you edit it and send it to me?

Regards,
Mudassir Aftab



Go back and read this thread carefully.  There have been several errors 
pointed out to you which you haven't yet fixed.  Fix them (proofreading 
carefully!), test it, and if it still doesn't work, post your full config.







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
*Connector Settings:*

<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
   maxThreads="200"
   clientAuth="false"
   *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/home/mudassir/pay/p.pem"
   SSLCertificateKeyFile="/home/mudassir/p-key.pem"
   SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

*Tomcat Logs:*
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 5:09:50 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2757 ms
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 5:09:51 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 5:09:54 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8443]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [ajp-apr-8009]



*Firefox Error: Version 26*

Secure Connection Failed

An error occurred during a connection to pay.upaga.net:8443. Cannot
communicate securely with peer: no common encryption algorithm(s). (Error
code: ssl_error_no_cypher_overlap)


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David kerber

On 1/3/2014 12:14 PM, Mudassir Aftab wrote:

> *Connector Settings:*
>
> Connector port=8443
> protocol=org.apache.coyote.http11.Http11AprProtocol
> maxThreads=200
> clientAuth=false
> *SSLCipherSuite=ECDHE-ECDSA-AES128-SHA256*

Do you really have the asterisks around this in your config?

> scheme=https secure=true SSLEnabled=true
> SSLCertificateFile=/home/mudassir/pay/p.pem
> SSLCertificateKeyFile=/home/mudassir/p-key.pem
> SSLCACertificateFile=/home/mudassir/AdminCA1.pem /
>
> *Tomcat Logs:*
>
> snip
>
> *Firefox Error: Version 26*
>
> Secure Connection Failed
>
> An error occurred during a connection to pay.upaga.net:8443. Cannot
> communicate securely with peer: no common encryption algorithm(s). (Error
> code: ssl_error_no_cypher_overlap)

Does Firefox support ECDHE-ECDSA-AES128-SHA256?  I don't know...



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> Connector port=8443
> protocol=org.apache.coyote.http11.Http11AprProtocol
> maxThreads=200
> clientAuth=false
> *SSLCipherSuite=ECDHE-ECDSA-AES128-SHA256*

Why are there asterisks on that config line?  Remove them if they're actually 
present.  Don't try to get cute with formatting tricks like bolding text, since 
this is a plaintext mailing list.

> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener
> initializeSSL
> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)

You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 
1.1 and 1.2 negotiation.  Once that's installed (and tcnative rebuilt), verify 
that the desired cipher is available with the openssl ciphers command.

You also need to confirm that your client is capable of TLSv1.2 using the above 
cipher.  As stated before, getting a Wireshark or tcpdump trace of the 
negotiation would show what the client allows.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

I just bolded it from Gmail :)


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Sanaullah [mailto:sanaulla...@gmail.com]
> Subject: Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> The document which you were referring to,
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native,
> clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the
> SSLProtocol attribute.

TLSv1.1 and TLSv1.2 are included in TLSv1, when using the appropriate ciphers.

> TLSv1.1 and TLSv1.2 supported ciphers can't be invoked until TLSv1.1 and
> TLSv1.2 are enabled. See the supported cipher list for TLSv1.2 at the OpenSSL link:
> http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

That's backwards; TLSv1.1 and TLSv1.2 are used automatically if TLSv1 is 
enabled and the client and server support v1.1 or v1.2 ciphers.

>   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
>   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
>   TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
>   TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Those all appear to be supported in OpenSSL 1.0.1e.

 - Chuck





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi,

I am getting the following error while compiling tomcat-native-1.1.29-src with
1.0.1e-3ubuntu1. Shall I ignore this?

src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_make':
src/sslcontext.c:77:17: warning: passing argument 1 of 'SSL_CTX_new' makes
pointer from integer without a cast [enabled by default]
 ctx = SSL_CTX_new(SSLv2_client_method());
 ^
In file included from
/opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD
*' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
  ^
src/sslcontext.c:79:17: warning: passing argument 1 of 'SSL_CTX_new' makes
pointer from integer without a cast [enabled by default]
 ctx = SSL_CTX_new(SSLv2_server_method());
 ^
In file included from
/opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD
*' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
  ^
src/sslcontext.c:81:17: warning: passing argument 1 of 'SSL_CTX_new' makes
pointer from integer without a cast [enabled by default]
 ctx = SSL_CTX_new(SSLv2_method());
 ^
In file included from
/opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD
*' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Hi ,

I have compiled tomcat-native-1.1.29-src.tar.gz with 1.0.1e-3ubuntu1 and
tested it with a fresh apache-tomcat-7.0.47.tar.gz and the following
connector settings:

Connector port=8443
protocol=org.apache.coyote.http11.Http11AprProtocol
   maxThreads=200
   clientAuth=false
   SSLCipherSuite=ECDHE-ECDSA-AES128-SHA256
   scheme=https secure=true SSLEnabled=true
   SSLCertificateFile=/home/mudassir/p.pem
   SSLCertificateKeyFile=/home/mudassir/p-key.pem
   SSLCACertificateFile=/home/mudassir/p/AdminCA1.pem /

Tomcat Logs:
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3189 ms
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.util.SessionIdGenerator
createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using
[SHA1PRNG] took [19,247] milliseconds.
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 8:25:56 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8443]
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 03, 2014 8:25:58 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [ajp-apr-8009]

Also attached are the tcpdump logs. I am again getting the following error on FF26
with TLS 1.2 support:
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
20:36:23.496965 IP 10.10.0.147.18938 > example.com.8443: Flags [S], seq 
435979095, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:23.497066 IP example.com.8443 > 10.10.0.147.18938: Flags [S.], seq 
1576579154, ack 435979096, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:23.739969 IP 10.10.0.147.18938 > example.com.8443: Flags [.], ack 1, win 
4098, length 0
20:36:24.023396 IP 10.10.0.147.18938 > example.com.8443: Flags [P.], seq 1:202, 
ack 1, win 4098, length 201
20:36:24.023471 IP example.com.8443 > 10.10.0.147.18938: Flags [.], ack 202, 
win 237, length 0
20:36:24.023964 IP example.com.8443 > 10.10.0.147.18938: Flags [P.], seq 1:8, 
ack 202, win 237, length 7
20:36:24.024187 IP example.com.8443 > 10.10.0.147.18938: Flags [F.], seq 8, ack 
202, win 237, length 0
20:36:24.713659 IP 10.10.0.147.18938 > example.com.8443: Flags [F.], seq 202, 
ack 8, win 4096, length 0
20:36:24.713726 IP example.com.8443 > 10.10.0.147.18938: Flags [.], ack 203, 
win 237, length 0
20:36:24.956342 IP 10.10.0.147.18939 > example.com.8443: Flags [S], seq 
3315815756, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:24.956402 IP example.com.8443 > 10.10.0.147.18939: Flags [S.], seq 
3575233717, ack 3315815757, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:24.956415 IP 10.10.0.147.18938 > example.com.8443: Flags [.], ack 9, win 
4096, length 0
20:36:25.225229 IP 10.10.0.147.18940 > example.com.8443: Flags [S], seq 
821209259, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:25.225278 IP example.com.8443 > 10.10.0.147.18940: Flags [S.], seq 
2980117984, ack 821209260, win 29200, options [mss 
1460,nop,nop,sackOK,nop,wscale 7], 

RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> Also attached TCP dump logs

Actually, you only attached the TCP headers, not the full capture.  The headers 
can't tell us anything.

> I am again getting following error on FF26 with TLS 1.2 support
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Which would again indicate that the client (FF26) does not implement your 
chosen cipher.

 - Chuck





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Did you get wireshark filtered output ?

Mudassir


On Sat, Jan 4, 2014 at 2:50 AM, Mudassir Aftab withmudas...@gmail.com wrote:

> Please find attached wireshark file.





RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> Did you get wireshark filtered output ?

Everybody on this list is a volunteer, with their own real jobs to take care 
of.  If you want immediate attention, you bloody well need to pay for it.

 - Chuck





RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mudassir Aftab
Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat.



RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

The only evidence you have provided is that your single chosen cipher is not 
implemented by the version of Firefox you're using - which has nothing to do 
with Tomcat.  The TCP capture you provided is just text rather than a useful 
.pcap file, and no one's going to waste their time digging through raw bits 
when any decent protocol analyzer would do the job automatically.

 - Chuck





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread David Kerber

On 1/3/2014 5:27 PM, Mudassir Aftab wrote:

> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

I wouldn't be too sure of that.  It might be that Firefox doesn't 
implement your chosen cipher.







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-03 Thread Mark Eggers

On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:

> The only evidence you have provided is that your single chosen cipher
> is not implemented by the version of Firefox you're using - which has
> nothing to do with Tomcat.  The TCP capture you provided is just text
> rather than a useful .pcap file, and no one's going to waste their
> time digging through raw bits when any decent protocol analyzer would
> do the job automatically.


It's been years (more than I care to count) since I've read raw packet 
data, but at first glance I do not see the browser (172.16.50.10) 
initiating a TLSv1.2 Client Hello.


I'm looking at the following line:

0030  c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05   .9.8

I expect to see something like:

16 03 01

starting at octet 36. Instead, I see:

00 87 00

I don't know if that's because the information is encrypted, or what. 
However, it doesn't look like what I see when I aim Firefox 26.0 at an 
HTTPS site.


I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or 
CentOS). If so, get that and look for the TLSv1.2 Client Hello coming 
from your browser. If it's not coming from your browser, then something 
else is wrong.


Are you addressing example.com with https://example.com:8443/ in your 
browser?


As has been pointed out, this is an all-volunteer list (taking a break 
from writing an RFP here). Making it difficult to answer questions 
(incorrect, incomplete, or difficult to parse information) will not 
encourage volunteers to step forth.


. . . . Friday night RFP response writing
/mde/




TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
I need TLSv1.2 support for Tomcat. Can anyone help me by providing a
TLS v1.2 patch? Also, where should I actually apply the patch: in the JDK,
Tomcat, or Tomcat Native?
Also, what would be the preferable connector settings?

I am using following connector in Apache Tomcat/7.0.42

Connector port=8443
   protocol=HTTP/1.1
   maxThreads=200
   scheme=https secure=true SSLEnabled=true
   SSLCertificateFile=/home/mudassir/pay/p.pem
   SSLCertificateKeyFile=/home/mudassir/p/p-key.pem
   sslEnabledProtocols=TLSv1.2
   SSLCACertificateFile=/home/mudassir/p/AdminCA1.pem /

An error occurred during a connection to confidential.com:8443. Cannot
communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)


CRITICAL - Cannot make SSL connection
140441642727072:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:724:
HTTP CRITICAL - Error on receive
root@confidential:/opt/tomcat7#

I have tried 7.0.42, 7.0.47, 6.0.36 and 6.0.37 but nothing has helped me
yet. Can you please help me with this?

tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      9757/java

Jan 01, 2014 5:37:54 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.27 using APR
version 1.4.6.
Jan 01, 2014 5:37:54 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 01, 2014 5:37:54 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 01, 2014 5:37:55 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 01, 2014 5:37:55 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 01, 2014 5:37:55 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2588 ms
Jan 01, 2014 5:37:55 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 01, 2014 5:37:55 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.42
Jan 01, 2014 5:37:55 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /opt/tomcat7/webapps/confidential.war
Jan 01, 2014 5:37:59 PM org.hibernate.annotations.common.Version clinit
INFO: HCANN01: Hibernate Commons Annotations {4.0.2.Final}
Jan 01, 2014 5:37:59 PM org.hibernate.Version logVersion
INFO: HHH000412: Hibernate Core {4.2.4.Final}
Jan 01, 2014 5:37:59 PM org.hibernate.cfg.Environment clinit


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Caldarale, Charles R
> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
> Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>
> I need TLSv1.2 support for tomcat

That's available by default with current OpenSSL versions.

> Also what will be the preferable connector settings ?

Whatever you need them to be.  The values depend entirely on your applications 
and environment.

> I am using following connector in Apache Tomcat/7.0.42
> Connector port=8443
> . . .
> sslEnabledProtocols=TLSv1.2

The above attribute is for the BIO and NIO connectors, not the APR one you are 
using.  You should instead specify:
   SSLProtocol=TLSv1
if you want to eliminate SSLv3 (but your client might not like that).  You can 
also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see 
http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

> An error occurred during a connection to confidential.com:8443. Cannot
> communicate securely with peer: no common encryption algorithm(s).

This means the client you're using and your build of OpenSSL have nothing in 
common.  Use Wireshark or tcpdump and determine just which protocols your 
client is attempting to negotiate with, and ensure that those are enabled in 
your build of OpenSSL.

 - Chuck


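Chuck's advice to capture the negotiation with Wireshark or tcpdump, and Mark's attempt to read the ClientHello out of a raw hex dump, both need the same tool: a decoder for the first TLS record the client sends. The following is an added example written for this thread, not code from Tomcat, Firefox or OpenSSL. It parses a ClientHello (record header `16 03 01 ...`, then client_version, random, session_id and the list of two-byte cipher-suite ids, which is what byte pairs such as `c0 0a c0 14 00 88 ...` are) and checks the offered suites against a server's SSLCipherSuite list, distinguishing a suite the client never offered from one it offered under a client_version too low to use it. The suite table is a subset of the IANA registry with OpenSSL names; the sample hello is constructed for the example and is not a Firefox capture. For orientation when reading a real dump: the 7-byte server reply followed by FIN in the posted tcpdump is exactly the size of a TLS alert record (5-byte header plus 2-byte alert), which is what OpenSSL sends when this overlap check comes up empty.

```python
"""
Decode a TLS ClientHello from captured bytes and check it against a server's
SSLCipherSuite list. Added example for this thread; not code from Tomcat,
Firefox or OpenSSL. SUITES is a subset of the IANA registry with OpenSSL
names; the sample hello is constructed, not captured.
"""
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01

# IANA id -> (OpenSSL name, defined only for TLS 1.2)
SUITES = {
    0xC023: ("ECDHE-ECDSA-AES128-SHA256", True),
    0xC02B: ("ECDHE-ECDSA-AES128-GCM-SHA256", True),
    0xC025: ("ECDH-ECDSA-AES128-SHA256", True),
    0xC02E: ("ECDH-ECDSA-AES256-GCM-SHA384", True),
    0xC00A: ("ECDHE-ECDSA-AES256-SHA", False),
    0xC014: ("ECDHE-RSA-AES256-SHA", False),
    0x0088: ("DHE-RSA-CAMELLIA256-SHA", False),
    0x0087: ("DHE-DSS-CAMELLIA256-SHA", False),
    0x0039: ("DHE-RSA-AES256-SHA", False),
    0x0038: ("DHE-DSS-AES256-SHA", False),
    0xC00F: ("ECDH-RSA-AES256-SHA", False),
    0xC005: ("ECDH-ECDSA-AES256-SHA", False),
    0x002F: ("AES128-SHA", False),
    0x0035: ("AES256-SHA", False),
}
NAME_TO_ID = {name: sid for sid, (name, _) in SUITES.items()}


def build_client_hello(client_version, suite_ids, record_version=TLS10):
    """Construct a minimal ClientHello record (no extensions) for offline tests."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = struct.pack("!H", client_version)
    body += bytes(32)                                # client random: zeros (constructed)
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                              # compression_methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return record version, client_version and offered suite ids; ValueError otherwise."""
    if len(data) < 5 or data[0] != HANDSHAKE:
        raise ValueError("not a handshake record: first byte should be 0x16")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("handshake record is not a ClientHello (type 0x01)")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1 + 2:
        raise ValueError("truncated ClientHello; capture the whole TCP segment")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                             # skip session_id
    if pos + 2 > len(body):
        raise ValueError("session_id overruns the message")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("cipher_suites length does not fit the message")
    suite_ids = [struct.unpack("!H", body[i:i + 2])[0]
                 for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suite_ids}


def explain(hello, server_suite_names):
    """For each server-side suite, say whether this client could negotiate it and if not, why."""
    offered = set(hello["cipher_suites"])
    verdict = {}
    for name in server_suite_names:
        sid = NAME_TO_ID.get(name)
        if sid is None:
            verdict[name] = "not in this example's suite table"
        elif sid not in offered:
            verdict[name] = "not offered by client"
        elif SUITES[sid][1] and hello["client_version"] < TLS12:
            verdict[name] = ("offered, but needs TLS 1.2 and client_version is 0x%04x"
                             % hello["client_version"])
        else:
            verdict[name] = "negotiable"
    return verdict


def negotiable(hello, server_suite_names):
    """Suites both sides can use, in the order of the server's list."""
    return [n for n, v in explain(hello, server_suite_names).items() if v == "negotiable"]


# Constructed sample: the eight ids in the posted dump line "c0 0a c0 14 00 88
# 00 87 00 39 00 38 c0 0f c0 05" plus two RSA suites, from a TLS 1.0 client.
SAMPLE_SUITES = [0xC00A, 0xC014, 0x0088, 0x0087, 0x0039, 0x0038, 0xC00F, 0xC005, 0x002F, 0x0035]
SAMPLE_HELLO = build_client_hello(TLS10, SAMPLE_SUITES)
SERVER_CONFIG = ["ECDHE-ECDSA-AES128-SHA256"]      # SSLCipherSuite from the posted connector

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print("record %s, client_version 0x%04x, %d suites offered"
          % (SAMPLE_HELLO[:3].hex(), hello["client_version"], len(hello["cipher_suites"])))
    for name, why in explain(hello, SERVER_CONFIG).items():
        print("  %-32s %s" % (name, why))
```

To run it against a real capture, export the first client-to-server TLS record from Wireshark (Follow TCP Stream, or `tshark -x`) as hex, feed `bytes.fromhex(...)` to `parse_client_hello`, and pass the server's expanded SSLCipherSuite names to `explain`. A ClientHello that does not begin with `16 03 0x` is either not TLS or has been cut mid-segment.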



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Hi,

Thanks for the reply.

I am using the following environment:

Description:    Ubuntu 12.04.3 LTS
javac 1.7.0_45
apache-tomcat-7.0.42.tar.gz
apr-1.5.0.tar.gz
tomcat-native-1.1.29-src.tar.gz
openssl 1.0.1-4ubuntu5.10

and this is how I am configuring Tomcat Native:

./configure --with-apr=/usr/local/apr/bin/apr-1-config
--with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/tomcat7/lib

Server.xml:
   Connector port=8443  protocol=HTTP/1.1
   maxThreads=200
   sslProtocol=TLSv1 sslEnabledProtocols=TLSv1.2
   clientAuth=false
   scheme=https secure=true SSLEnabled=true
   SSLCertificateFile=/home/mudassir/cert.pem
   SSLCertificateKeyFile=/home/mudassir/cert-key.pem
   SSLCACertificateFile=/home/mudassir/CA.pem /

Regards,
Mudassir Aftab






Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
I have also tried to apply the following patch to Tomcat Native, but it did
not help.

https://issues.apache.org/bugzilla/attachment.cgi?id=30150

tomcat-native-1.1.29-src.tar.gz




Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Christopher Schultz
Mudassir,

On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
 Connector port=8443  protocol=HTTP/1.1 maxThreads=200 
 sslProtocol=TLSv1 sslEnabledProtocols=TLSv1.2

Setting sslProtocol and sslEnabledProtocols will not affect an
OpenSSL-based connector (which you have configured). As Chuck
previously stated, you need to use different configuration attributes
when using OpenSSL. Please read the documentation for the APR
connector and those configuration attributes that affect the SSL engine.

You might want to tell us how you are trying to connect, too. Also,
run openssl ciphers on your system to see what ciphers are supported
by your OpenSSL, and compare those to the list supported by your
client. Perhaps you have a legitimate mismatch and TLS 1.2 itself
isn't the problem.

- -chris
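Chuck's suggestion to verify the cipher with the `openssl ciphers` command and Chris's suggestion to compare what the server's OpenSSL supports with what the client offers both start from the same question: what does the configured SSLCipherSuite string actually expand to on the server? The following is an added example written for this thread, not code from Tomcat, OpenSSL or anyone on the list. It uses Python's `ssl` module to expand a cipher string through the OpenSSL that Python is linked against, the programmatic counterpart of `openssl ciphers -v '<string>'`, and splits the result by the lowest protocol version each suite is defined for. It assumes Python 3.6 or later for `SSLContext.get_ciphers()`; the strings it is run with are the single suite from the posted connector, that suite plus a TLS 1.0-capable one, and a deliberately bogus string.

```python
"""
Expand a Tomcat APR SSLCipherSuite string through the OpenSSL that Python is
linked against: the programmatic counterpart of `openssl ciphers -v '<string>'`.
Added example for this thread; not code from Tomcat, OpenSSL or the list.
Assumes Python 3.6+ (SSLContext.get_ciphers). Suites the local OpenSSL does
not implement simply do not appear in the result.
"""
import ssl

TLS12_LABEL = "TLSv1.2"   # value OpenSSL reports for suites defined only for TLS 1.2


def expand_cipher_string(cipher_string):
    """Return the pre-TLS-1.3 suites that `cipher_string` enables on this host.

    Each entry carries the OpenSSL name, the lowest protocol version the suite
    is defined for ("TLSv1.2", "TLSv1.0", "SSLv3"), the IANA id and the
    certificate key type the suite authenticates with ("auth-ecdsa", ...).
    A string OpenSSL cannot satisfy returns [] rather than raising: that is
    the server-side condition behind "no common encryption algorithm(s)".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [
        {
            "name": c["name"],
            "protocol": c["protocol"],
            "id": c["id"] & 0xFFFF,      # get_ciphers() prefixes the id with 0x0300
            "auth": c.get("auth"),
        }
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"    # TLS 1.3 suites are not governed by set_ciphers()
    ]


def split_by_version(cipher_string):
    """Partition the enabled suites into TLS 1.2-only names and names usable earlier."""
    suites = expand_cipher_string(cipher_string)
    needs_tls12 = [s["name"] for s in suites if s["protocol"] == TLS12_LABEL]
    earlier = [s["name"] for s in suites if s["protocol"] != TLS12_LABEL]
    return needs_tls12, earlier


def report(cipher_string):
    """One line per enabled suite, plus the conclusion a TLS 1.0/1.1 client would hit."""
    suites = expand_cipher_string(cipher_string)
    lines = ["%-36s %-8s %s" % (s["name"], s["protocol"], s["auth"]) for s in suites]
    if not lines:
        lines.append("(nothing enabled: OpenSSL rejected or knows none of %r)" % cipher_string)
    elif not split_by_version(cipher_string)[1]:
        lines.append("only TLS 1.2 suites enabled: a client offering TLS 1.0/1.1 cannot connect")
    return "\n".join(lines)


if __name__ == "__main__":
    for s in ("ECDHE-ECDSA-AES128-SHA256",
              "ECDHE-ECDSA-AES128-SHA256:AES128-SHA",
              "NO-SUCH-SUITE"):
        print("SSLCipherSuite=%s" % s)
        print(report(s))
        print()
```

The `auth` column is the second thing to check after the protocol version: an `auth-ecdsa` suite can only be negotiated if the certificate in SSLCertificateFile carries an EC key, whatever the client offers.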



Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
I have just configured the latest version; following is the log

Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3145 ms
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8443]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7422 ms







Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Thanks for continuing to reply. Is there any way to restrict the cipher suite in
the connector configuration?

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5




Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
How can I test this? Can I test this with Firefox 25?


Regards,
Mudassir Aftab



RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Caldarale, Charles R
 From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
 Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Don't top post - it makes it really hard to follow the conversation.

 is there any way to restrict the cipher suite in
 the connector configuration?

You were already told how:

  You can also set SSLCipherSuite to avoid enabling insecure encryption 
  mechanisms (see 
  http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

- Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Also, how can I restrict ciphers in the connector?

Testing localhost:8443
** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** TLSv1:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** SSLv3:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **




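The scan output above grades every suite as WEAK by key length, which hides the actual problem: every listed suite is anonymous Diffie-Hellman (ADH), so the server is never authenticated, and half of them are offered over SSLv3. The following is an added example, not code from this thread or from the Tomcat project. It parses a report in the posted format (SCAN is a constructed copy), states why each suite is unsafe, and previews which scanned suites a given SSLCipherSuite string and SSLProtocol selection would still leave enabled. The alias matching is a deliberate approximation of OpenSSL cipher-string semantics covering only the aliases used here; the authoritative expansion of any spec is `openssl ciphers -v '<spec>'`.

```python
"""Triage a cipher-scan report and preview what an SSLCipherSuite string removes.

Added example, not code from this thread or from the Tomcat project. SCAN is
a constructed copy in the format posted above. The alias matching is an
approximation of OpenSSL cipher-string semantics for the aliases used here;
`openssl ciphers -v '<spec>'` is the authoritative expansion.
"""
import re

SCAN = """\
Testing localhost:8443
** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** TLSv1:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** SSLv3:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
"""

# One scanner line: "** <proto>:<suite> - <STATE> - <GRADE> <N> bits **"
LINE_RE = re.compile(
    r"\*\*\s+(?P<proto>[A-Za-z0-9.]+):(?P<suite>[A-Z0-9-]+)\s+-\s+"
    r"(?P<state>\w+)\s+-\s+(?P<grade>\w+)\s+(?P<bits>\d+) bits"
)


def parse_scan(text):
    """Return one dict per recognised scanner line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            row = m.groupdict()
            row["bits"] = int(row["bits"])
            rows.append(row)
    return rows


def weaknesses(suite, proto):
    """Reasons a suite/protocol pair is unsafe, independent of the scanner's
    key-length grade (which labels ADH-AES256-SHA 'WEAK 256 bits' and misses
    that the real defect is the missing server authentication)."""
    reasons = []
    if suite.startswith(("ADH-", "EXP-ADH-", "AECDH-")):
        reasons.append("anonymous key exchange: the server is never authenticated")
    if suite.startswith("EXP-"):
        reasons.append("export grade: 40-bit key")
    if "RC4" in suite:
        reasons.append("RC4 keystream")
    if suite.endswith("DES-CBC-SHA"):
        reasons.append("single DES: 56-bit key")
    if suite.endswith("-MD5"):
        reasons.append("MD5-based MAC")
    if proto == "SSLv3":
        reasons.append("SSLv3 protocol")
    return reasons


# Approximate OpenSSL cipher-string aliases as predicates on suite names.
ALIASES = {
    "aNULL":  lambda s: s.startswith(("ADH-", "EXP-ADH-", "AECDH-")),
    "ADH":    lambda s: "ADH-" in s,
    "EXPORT": lambda s: s.startswith("EXP-"),
    "EXP":    lambda s: s.startswith("EXP-"),
    "RC4":    lambda s: "RC4" in s,
    "MD5":    lambda s: s.endswith("-MD5"),
    "DES":    lambda s: "DES-CBC-" in s,   # single DES only; 3DES is DES-CBC3
    "3DES":   lambda s: "DES-CBC3" in s,
}


def excluded_by(suite, spec):
    """The first '!alias' token of spec that removes this suite, or None."""
    for token in spec.split(":"):
        token = token.strip()
        if token.startswith("!"):
            pred = ALIASES.get(token[1:])
            if pred is not None and pred(suite):
                return token
    return None


def preview(rows, spec, protocols=("TLSv1", "TLSv1.1", "TLSv1.2")):
    """Split scanned rows into (kept, removed) for an SSLCipherSuite spec and
    an SSLProtocol selection; each removed entry carries the reason."""
    kept, removed = [], []
    for r in rows:
        if r["proto"] not in protocols:
            removed.append((r, f"SSLProtocol excludes {r['proto']}"))
            continue
        tok = excluded_by(r["suite"], spec)
        if tok:
            removed.append((r, tok))
        else:
            kept.append(r)
    return kept, removed


if __name__ == "__main__":
    rows = parse_scan(SCAN)
    for r in rows:
        print(f"{r['proto']}:{r['suite']}: " + "; ".join(weaknesses(r["suite"], r["proto"])))
    kept, removed = preview(rows, "AES256-SHA256:!aNULL:!EXPORT")
    print(f"with '!aNULL:!EXPORT' and TLS only: {len(kept)} kept, {len(removed)} removed")
```

Run against the posted report, every one of the fourteen entries is removed by `!aNULL` alone (or by dropping SSLv3), which is why Chuck's pointer to SSLCipherSuite answers the question: the default OpenSSL list is what put the ADH suites there, and a spec that negates `aNULL` and `EXPORT` takes them out before any positive suite is chosen.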

Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
How can I specify the AES256-SHA256 cipher in the Tomcat connector? Or where should
I specify this?

Regards,
Mudassir Aftab


Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Mudassir Aftab
Should I use the following APR connector attributes?

   <Connector port="8443"
   protocol="org.apache.coyote.http11.Http11AprProtocol"
   maxThreads="200"
   sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
   clientAuth="false"
   ciphers="AES256-SHA256"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="p.pem"
   SSLCertificateKeyFile="key.pem"
   SSLCACertificateFile="AdminCA1.pem" />


RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

2014-01-02 Thread Caldarale, Charles R
 From: Mudassir Aftab [mailto:withmudas...@gmail.com] 
 Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

 Should I use the following APR connector attributes?
 <Connector port="8443"
 protocol="org.apache.coyote.http11.Http11AprProtocol"
 maxThreads="200"
 sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
 clientAuth="false"
 ciphers="AES256-SHA256"
 scheme="https" secure="true" SSLEnabled="true"
 SSLCertificateFile="p.pem"
 SSLCertificateKeyFile="key.pem"
 SSLCACertificateFile="AdminCA1.pem" />

For the third time, the APR Connector has neither an sslProtocol nor an
sslEnabledProtocols attribute; the proper ones for specifying the protocol and
encryption algorithms are SSLProtocol and SSLCipherSuite, respectively. For
the last time, read the doc:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

(If you don't start paying attention to the responses you're getting, you will 
end up just being ignored.)

 - Chuck




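The mistake Chuck is pointing at is easy to automate a check for: the APR connector does not reject JSSE attribute names, it silently ignores them, so a server.xml can look locked down while OpenSSL runs with its defaults. The following is an added example, not code from the Tomcat project or from anyone in this thread. It embeds two constructed fragments: AS_POSTED mirrors the connector posted above, and CORRECTED expresses the same intent with the APR attribute names from the Tomcat 7 HTTP connector documentation (SSLProtocol, SSLCipherSuite, SSLVerifyClient). The certificate file names are placeholders carried over from the post, the cipher string is an illustrative OpenSSL spec and not a recommendation for any site, and whether a given 7.0.x build accepts `TLSv1.2` as an SSLProtocol value is assumed here; check the linked doc for the version in use.

```python
"""Lint a Tomcat 7 <Connector> for JSSE attributes the APR connector ignores.

Added example, not code from the Tomcat project or from anyone in the thread.
Both server.xml fragments are constructed; file names and the cipher string
are placeholders. Acceptance of "TLSv1.2" as an SSLProtocol value depends on
the Tomcat / Tomcat Native build and is assumed here.
"""
import xml.etree.ElementTree as ET

# JSSE (Java keystore) attribute -> APR/OpenSSL attribute that replaces it.
# sslProtocol and sslEnabledProtocols both collapse into SSLProtocol.
JSSE_TO_APR = {
    "sslProtocol": "SSLProtocol",
    "sslEnabledProtocols": "SSLProtocol",
    "ciphers": "SSLCipherSuite",
    "clientAuth": "SSLVerifyClient",
    "keystoreFile": "SSLCertificateFile and SSLCertificateKeyFile",
    "truststoreFile": "SSLCACertificateFile",
}

# Attributes an APR TLS connector should set explicitly, with the finding
# reported when each is absent.
REQUIRED_APR = {
    "SSLProtocol": "SSLProtocol not set: protocol choice falls back to the "
                   "version-specific default instead of the TLS versions you intend",
    "SSLCipherSuite": "SSLCipherSuite not set: the scan in this thread shows "
                      "anonymous (ADH) suites enabled under the default list",
    "SSLCertificateFile": "SSLCertificateFile not set",
    "SSLCertificateKeyFile": "SSLCertificateKeyFile not set",
}

AS_POSTED = """<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="200"
    sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
    clientAuth="false"
    ciphers="AES256-SHA256"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="p.pem"
    SSLCertificateKeyFile="key.pem"
    SSLCACertificateFile="AdminCA1.pem" />"""

CORRECTED = """<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLProtocol="TLSv1.2"
    SSLCipherSuite="ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
    SSLVerifyClient="none"
    SSLCertificateFile="p.pem"
    SSLCertificateKeyFile="key.pem"
    SSLCACertificateFile="AdminCA1.pem" />"""


def uses_apr(connector, apr_loaded=True):
    """True if this connector is served by the APR/OpenSSL engine. A plain
    protocol="HTTP/1.1" auto-selects APR once the native library is loaded,
    which is what the 'http-apr-8443' handler name in the posted log shows."""
    proto = connector.get("protocol", "HTTP/1.1")
    return "Apr" in proto or (proto == "HTTP/1.1" and apr_loaded)


def lint_connector(xml_fragment, apr_loaded=True):
    """Return a list of finding strings; an empty list means nothing flagged."""
    conn = ET.fromstring(xml_fragment)
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element")
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true: TLS is off on this connector")
    if not uses_apr(conn, apr_loaded):
        return findings  # JSSE connector: the camel-case names are correct there
    for attr, replacement in JSSE_TO_APR.items():
        if attr in conn.attrib:
            findings.append(f"{attr} is silently ignored by the APR connector; use {replacement}")
    for attr, message in REQUIRED_APR.items():
        if attr not in conn.attrib:
            findings.append(message)
    proto = conn.get("SSLProtocol", "")
    if proto.lower() in {"all", "sslv2", "sslv3", "sslv2+sslv3"}:
        findings.append(f"SSLProtocol={proto} may admit SSLv2/SSLv3; name the TLS versions explicitly")
    return findings


if __name__ == "__main__":
    for name, fragment in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name}:")
        for finding in lint_connector(fragment) or ["no findings"]:
            print("  -", finding)
```

The linter only looks at attribute names and the SSLProtocol value; it does not expand the cipher string, so pair it with `openssl ciphers -v '<SSLCipherSuite value>'` on the server, as Chris suggested, to see exactly which suites the OpenSSL build will offer.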