Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Most of the people puking here regarding TLSv1.1 and TLSv1.2 support in Tomcat 7.0.47 are just trying to make themselves look over-smart.

Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You have to apply these two patches in order to run TLSv1.1 and TLSv1.2:

  https://issues.apache.org/bugzilla/attachment.cgi?id=30150
  https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours testing this. I am using Ubuntu trusty. Here is my test result:

  root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
  CONNECTED(0003)
  depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
  verify error:num=18:self signed certificate
  verify return:1
  depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
  verify return:1
  ---
  Certificate chain
   0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
     i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
  ---
  Server certificate
  subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
  issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 828 bytes and written 445 bytes
  ---
  New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
  Server public key is 256 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1.2
      Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
      Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
      Session-ID-ctx:
      Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
      Key-Arg   : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      TLS session ticket lifetime hint: 300 (seconds)
      TLS session ticket:
      Start Time: 1388926368
      Timeout   : 300 (sec)
      Verify return code: 18 (self signed certificate)
  ---
  read:errno=0

  /*** Server.xml ***/
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
             SSLProtocol="all" clientAuth="false"
             SSLCertificateFile="/home/san/sinful.pem"
             SSLCertificateKeyFile="/home/san/sinful.key" />

How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 , this patch will be applied to tomcat-native-1.1.29. After the patch, compile it using:

     cd tomcat-native-1.1.29/jni/native/
     ./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
     make
     cd tomcat-native-1.1.29/jni
     ant

   Copy the libs and place them in the default lib directory of Ubuntu:

     cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/

2- Get the source code of tomcat-7.0.47. Install JDK 6. Apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166 to tomcat-7.0.47. Export the JDK 6 path. Run ant in the source folder. This will download many files and also compile the code. There will be some errors related to SSLv2; comment out that code, as SSLv2 is no longer supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Here is my test with latest openssl and tomcat

Tools:
  openssl: 1.0.1e
  apache-tomcat-7.0.47
  apr-1.5.0
  tomcat-native-1.1.29

Connector:
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="200" clientAuth="false"
             SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
             scheme="https" secure="true" SSLEnabled="true"
             SSLCertificateFile="/opt/misc/certs/ca.pem"
             SSLCertificateKeyFile="/opt/misc/certs/k.key" />

Tomcat Logs:
  Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
  Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
  Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
  Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-8443]
  Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [http-apr-8080]
  Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
  INFO: Initializing ProtocolHandler [ajp-apr-8009]
  Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
  INFO: Initialization processed in 3580 ms
  Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService startInternal
  INFO: Starting service Catalina
  Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine startInternal
  INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
  Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig deployDirectory
  INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
  Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
  INFO: Deploying web application directory /opt/tomcat7/webapps/docs
  Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
  INFO: Deploying web application directory /opt/tomcat7/webapps/manager
  Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
  INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
  Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
  INFO: Deploying web application directory /opt/tomcat7/webapps/examples
  Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-8443]
  Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [http-apr-8080]
  Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
  INFO: Starting ProtocolHandler [ajp-apr-8009]
  Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start

Verification Tests:
  root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1 -cipher ECDHE-ECDSA-AES128-SHA256
  CONNECTED(0003)
  3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:754:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 0 bytes and written 0 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    :
      Session-ID:
      Session-ID-ctx:
      Master-Key:
      Key-Arg   : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      Start Time: 1388841094
      Timeout   : 7200 (sec)
      Verify return code: 0 (y)
  ---

  root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher ECDHE-ECDSA-AES128-SHA256
  CONNECTED(0003)
  3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:486:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 0 bytes and written 0 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  ---

On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers <its_toas...@yahoo.com> wrote:
> On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>>> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>>
>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>>
>> The only evidence you have provided is that your single chosen cipher is not implemented by the version of Firefox you're using - which has nothing to do with Tomcat.
>>
>> The TCP capture you provided is just text rather than a useful .pcap file, and no one's going to waste their time digging through raw bits when any decent protocol analyzer would do the job automatically.
>>
>> - Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Mudassir,

On 1/2/14, 7:41 PM, Mudassir Aftab wrote:
> Thanks for continuing to reply. Is there any way to restrict the cipher suite in the connector configuration?
>
> ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

Read the documentation for Connector.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Chuck,

On 1/3/14, 12:32 PM, Caldarale, Charles R wrote:
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>> Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>>            maxThreads="200" clientAuth="false"
>>            *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*
>
> Why are there asterisks on that config line? Remove them if they're actually present. Don't try to get cute with formatting tricks like bolding text, since this is a plaintext mailing list.
>
>> Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
>
> You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 1.1 and 1.2 negotiation. Once that's installed (and tcnative rebuilt), verify that the desired cipher is available with the openssl ciphers command.
>
> You also need to confirm that your client is capable of TLSv1.2 using the above cipher. As stated before, getting a Wireshark or tcpdump trace of the negotiation would show what the client allows.

+1

You might want to look at sslscan, or use https://www.ssllabs.com/ssltest/index.html to test your server. It can tell you what ciphers are supported, etc. even if your client is misbehaving.

-chris
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Musassir,

On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

Tomcat 7.0.74
Oracle Java 1.7.0_45
tcnative 1.1.29 trunk (essentially 1.2.29)

  tcnative$ make clean
  tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
  tcnative$ time make
  [...]
  make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'

  real    0m14.790s
  user    0m15.300s
  sys     0m1.840s

  tcnative$ cp -d .libs/* $CATALINA_HOME/bin
  tcnative$ cd $CATALINA_BASE
  tomcat$ cat conf/server.xml
  [...]
  <Connector port="8218" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" secure="true" scheme="https"
             SSLCertificateKeyFile="[...]"
             SSLCertificateFile="[...]"
             SSLCertificateChainFile="[...]"
             SSLProtocol="all"
             executor="tomcatThreadPool"
             URIEncoding="UTF-8" />
  [...]
  tomcat$ bin/startup.sh
  [...]
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
  Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
  INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
  [...]

  tomcat$ openssl s_client -connect myhost:8218
  [...]
  verify error:num=19:self signed certificate in certificate chain
  [...]
  SSL-Session:
      Protocol  : TLSv1.2
      Cipher    : DHE-RSA-AES256-GCM-SHA384
  [...]
  *disconnect*

I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect using the TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.

Looks like TLS1.2 works just fine in the default configuration (SSLProtocol="all" is the default).

Let's try your configuration. I'm only going to change SSLProtocol from "all" to "TLSv1":

  <Connector port="8218" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" secure="true" scheme="https"
             SSLCertificateKeyFile="[...]"
             SSLCertificateFile="[...]"
             SSLCertificateChainFile="[...]"
             SSLProtocol="TLSv1"
             executor="tomcatThreadPool"
             URIEncoding="UTF-8" />

* Restart Tomcat *

  tomcat$ openssl s_client -connect myhost:8218
  [...]
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : DHE-RSA-AES256-SHA
  [...]

Trying again with Firefox 26 gives me cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.

Let's try restricting to only your cipher. Let's make sure that my OpenSSL version supports it, first:

  tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
  ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256

Yup. Let's configure it in Tomcat:

  <Connector port="8218" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" secure="true" scheme="https"
             SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
             SSLCertificateKeyFile="[...]"
             SSLCertificateFile="[...]"
             SSLCertificateChainFile="[...]"
             SSLProtocol="TLSv1"
             executor="tomcatThreadPool"
             URIEncoding="UTF-8" />

  $ openssl s_client -connect myhost:8218
  CONNECTED(0003)
  139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:

  $ openssl s_client -tls1 -connect myhost:8218
  CONNECTED(0003)
  139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
  139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

  $ openssl s_client -tls1_1 -connect myhost:8218
  CONNECTED(0003)
  140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

  $ openssl s_client -tls1_2 -connect myhost:8218
  CONNECTED(0003)
  139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Firefox also fails with ssl_error_no_cypher_overlap.

  $ sslscan myhost:8218
                   Version 1.8.2
              http://www.titania.co.uk
         Copyright Ian Ventura-Whiting 2009

  Testing SSL server myhost on port 8218

    Supported Server Cipher(s):
      Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
      Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
      Failed    SSLv3  256 bits  ECDHE-RSA-AES256-SHA384
      Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384
      Rejected  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
      Rejected  SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA
      Rejected  SSLv3  256 bits  SRP-DSS-AES-256-CBC-SHA
      Rejected  SSLv3  256 bits  SRP-RSA-AES-256-CBC-SHA
      Failed    SSLv3  256 bits  DHE-DSS-AES256-GCM-SHA384
      Failed    SSLv3  256 bits  DHE-RSA-AES256-GCM-SHA384
      Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA256
      Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA256
      Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
      Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
      Rejected  SSLv3  256 bits
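The two failure modes Chris's last configuration runs into (a suite whose minimum version is TLSv1.2 behind SSLProtocol="TLSv1", and an ECDSA-authenticated suite in front of a certificate with a different key type) can be checked before restarting Tomcat. The following is an added example, not code from the thread or from Tomcat: it parses `openssl ciphers -v` output (a constructed sample in the OpenSSL 1.0.1e layout is embedded) and reports why each suite named in SSLCipherSuite can or cannot negotiate under a given SSLProtocol and certificate key type. Its reading of SSLProtocol values and its certificate-to-suite matching are simplifications, labelled as assumptions in the code.

```python
"""Offline check of a Tomcat APR connector's SSLProtocol/SSLCipherSuite
against `openssl ciphers -v` output and the server certificate's key type.
Added example, not code from the thread or from Tomcat."""
import re

# Values of the minimum-version column in `openssl ciphers -v`, oldest first.
# SSLv2 is left out: the thread notes it is no longer supported.
PROTOCOL_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}

# Constructed sample of `openssl ciphers -v` output in the OpenSSL 1.0.1e
# layout quoted in the thread (name, minimum version, Kx=, Au=, Enc=, Mac=).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
"""

CIPHER_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers_v(text):
    """Map suite name -> fields of one `openssl ciphers -v` line."""
    suites = {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            name, minver, kx, au, enc, mac = m.groups()
            suites[name] = {"min": minver, "kx": kx, "au": au,
                            "enc": enc, "mac": mac}
    return suites

def enabled_protocols(ssl_protocol):
    """Versions enabled by a Tomcat APR SSLProtocol attribute.
    Assumption: "all" means SSLv3 through TLSv1.2, values may be joined with
    "+", and a single named value enables exactly that version, as the thread
    observed for SSLProtocol="TLSv1" (-tls1_1 and -tls1_2 were refused)."""
    enabled = set()
    for part in ssl_protocol.split("+"):
        part = part.strip()
        if part.lower() == "all":
            enabled.update(PROTOCOL_ORDER)
        elif part in PROTOCOL_ORDER:
            enabled.add(part)
        elif part != "SSLv2":
            raise ValueError("unknown SSLProtocol value: %r" % part)
    return enabled

def cert_serves(suite, cert_key_type):
    """Simplified certificate/suite match: an RSA certificate serves Au=RSA;
    an EC certificate serves Au=ECDSA and the fixed-ECDH suites
    (Kx=ECDH/ECDSA) that the thread's prime256v1 certificate negotiated."""
    if cert_key_type == "RSA":
        return suite["au"] == "RSA"
    if cert_key_type == "EC":
        return suite["au"] == "ECDSA" or suite["kx"] == "ECDH/ECDSA"
    return False

def check_connector(ssl_protocol, ssl_cipher_suite, cert_key_type,
                    ciphers_v_text):
    """Return (usable, problems): usable maps each suite that can negotiate to
    the enabled versions it can use; problems maps the others to the reasons.
    Only explicit suite names are handled, not OpenSSL aliases like HIGH."""
    suites = parse_ciphers_v(ciphers_v_text)
    enabled = enabled_protocols(ssl_protocol)
    usable, problems = {}, {}
    for name in filter(None, (n.strip() for n in ssl_cipher_suite.split(":"))):
        suite = suites.get(name)
        if suite is None:
            problems[name] = ["not listed by `openssl ciphers -v`"]
            continue
        reasons = []
        if not cert_serves(suite, cert_key_type):
            reasons.append("needs Au=%s but the certificate key is %s"
                           % (suite["au"], cert_key_type))
        floor = PROTOCOL_ORDER[suite["min"]]
        versions = {v for v in enabled if PROTOCOL_ORDER[v] >= floor}
        if not versions:
            reasons.append("needs %s or newer but SSLProtocol=%s enables %s"
                           % (suite["min"], ssl_protocol, sorted(enabled)))
        if reasons:
            problems[name] = reasons
        else:
            usable[name] = versions
    return usable, problems

if __name__ == "__main__":
    # The thread's failing case: a TLSv1.2-only ECDSA suite on a connector
    # limited to TLSv1, in front of a certificate with an RSA key.
    usable, problems = check_connector(
        "TLSv1", "ECDHE-ECDSA-AES128-SHA256", "RSA", SAMPLE_CIPHERS_V)
    for name, reasons in problems.items():
        print("%s: %s" % (name, "; ".join(reasons)))
    for name, versions in usable.items():
        print("%s: ok on %s" % (name, ", ".join(sorted(versions))))
```

Feed it the real output of `openssl ciphers -v` from the OpenSSL build that tcnative was linked against, since that, not the system default, is what the connector can offer.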
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Musassir,

On 1/4/14, 4:08 PM, Christopher Schultz wrote:
> Musassir,
>
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>
> [...]
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/4/2014 1:18 PM, Christopher Schultz wrote:
> Musassir,
>
> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>> Musassir,
>>
>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>>
>> [...]
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Mark,

On 1/4/14, 6:37 PM, Mark Eggers wrote:
> On 1/4/2014 1:18 PM, Christopher Schultz wrote:
>> Musassir,
>>
>> On 1/4/14, 4:08 PM, Christopher Schultz wrote:
>>> Musassir,
>>>
>>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>>>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>>>
>>> [...]
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
You can create the ECC self-signed certificates using the two OpenSSL commands below:

    openssl ecparam -out sinful.key -name prime256v1 -genkey
    openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650

    root@ubuntu:/# openssl s_client -connect localhost:8443
    CONNECTED(0003)
    Server certificate
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    ---
    SSL handshake has read 836 bytes and written 453 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDH-ECDSA-AES256-SHA
        Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12
        Session-ID-ctx:
        Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        [...]
        Start Time: 1388891510
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---

I am also unable to initialize any TLS1.1 or TLS1.2 related ECC ciphers. Here is my config:

    tomcat 7.0.47
    libapr 1.5.0-1
    tcnative 1.1.29-1

    <Connector port="8443"
               SSLEnabled="true"
               maxThreads="150"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               SSLProtocol="all"
               SSLCertificateFile="/home/san/sinful.pem"
               SSLCertificateKeyFile="/home/san/sinful.key" />

On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> Mark,
>
> On 1/4/14, 6:37 PM, Mark Eggers wrote:
>> On 1/4/2014 1:18 PM, Christopher Schultz wrote:
>>> [...]
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
There is also a bug fix for the support of TLS1.1 and TLS1.2 by Marcel Šebek; maybe that needs to be applied: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952#c1

On Sun, Jan 5, 2014 at 8:18 AM, Sanaullah sanaulla...@gmail.com wrote:
> [...]
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> Musassir,
>
> On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
>> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>
> Tomcat 7.0.74
> Oracle Java 1.7.0_45
> tcnative 1.1.29 trunk (essentially 1.2.29)
>
>     tcnative$ make clean
>     tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
>     tcnative$ time make
>     [...]
>     make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
>
>     real    0m14.790s
>     user    0m15.300s
>     sys     0m1.840s
>
>     tcnative$ cp -d .libs/* $CATALINA_HOME/bin
>     tcnative$ cd $CATALINA_BASE
>     tomcat$ cat conf/server.xml
>     [...]
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="all"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>     [...]
>
>     tomcat$ bin/startup.sh
>     [...]
>     Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
>     INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
>     Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
>     INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>     Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
>     INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
>     [...]
>
>     tomcat$ openssl s_client -connect myhost:8218
>     [...]
>     verify error:num=19:self signed certificate in certificate chain
>     [...]
>     SSL-Session:
>         Protocol  : TLSv1.2
>         Cipher    : DHE-RSA-AES256-GCM-SHA384
>     [...]
>     *disconnect*
>
> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
>
> Looks like TLS1.2 works just fine in the default configuration (SSLProtocol=all is the default). Let's try your configuration. I'm only going to change SSLProtocol from all to TLSv1:
>
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
> *Restart Tomcat*
>
>     tomcat$ openssl s_client -connect myhost:8218
>     [...]
>     SSL-Session:
>         Protocol  : TLSv1
>         Cipher    : DHE-RSA-AES256-SHA
>     [...]
>
> Trying again with Firefox 26 gives me cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
>
> Let's try restricting to only your cipher. Let's make sure that my OpenSSL version supports it, first:
>
>     tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
>     ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
>
> Yup. Let's configure it in Tomcat:
>
>     <Connector port="8218"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                SSLEnabled="true"
>                secure="true"
>                scheme="https"
>                SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
>                SSLCertificateKeyFile="[...]"
>                SSLCertificateFile="[...]"
>                SSLCertificateChainFile="[...]"
>                SSLProtocol="TLSv1"
>                executor="tomcatThreadPool"
>                URIEncoding="UTF-8" />
>
>     $ openssl s_client -connect myhost:8218
>     CONNECTED(0003)
>     139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>
>     $ openssl s_client -tls1 -connect myhost:8218
>     CONNECTED(0003)
>     139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
>     139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>
>     $ openssl s_client -tls1_1 -connect myhost:8218
>     CONNECTED(0003)
>     140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
>     $ openssl s_client -tls1_2 -connect myhost:8218
>     CONNECTED(0003)
>     139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
> Firefox also fails with ssl_error_no_cypher_overlap.
>
>     $ sslscan myhost:8218
>     Version 1.8.2
>     http://www.titania.co.uk
>     Copyright Ian Ventura-Whiting 2009
>
>     Testing SSL server myhost on port 8218
>
>       Supported Server Cipher(s):
>         Failed    SSLv3  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>         Failed    SSLv3  256 bits
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

Sorry for asking you the same thing again and again. I have tried many things from the above document, but nothing works for me; also, there are no errors in the log.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200"
               clientAuth="false"
               ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               SSLCertificateFile="/home/mudassir/pay/p.pem"
               SSLCertificateKeyFile="/home/mudassir/p-key.pem"
               SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

    SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256

I really appreciate your help
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 3:28 AM, Mudassir Aftab wrote:
> [...]

If what you list here is what is really in your config file, you're not proofreading your configuration entries very well. You have SSLCipherSuite misspelled (two missing letters), and it's not inside the connector configuration entry.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

That was just a typo, but on the system it is fine, and I keep checking the logs; there is no warning in them. Also, what about the following post?

I just also took an interest in digging into this issue. The document which you were referring to, http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native, clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol attribute. SSLCipherSuite will only support the ciphers available in SSLv2, SSLv3 and TLSv1. The TLSv1.1 and TLSv1.2 supported ciphers can't be invoked until TLSv1.1 and TLSv1.2 are enabled. See the supported cipher list for TLSv1.2 at the OpenSSL link: http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

I am happy to see if someone enabled the below ciphers without enabling TLSv1.2:

    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

On Fri, Jan 3, 2014 at 6:00 PM, David kerber dcker...@verizon.net wrote:
> [...]
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Also, the following setting is working for TLS v1 but not with TLS v1.2, so it's a bug!!!

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200"
               clientAuth="false"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               SSLCertificateFile="/home/mudassir/certs/ca.pem"
               SSLCertificateKeyFile="/home/mudassir/certs/k.key" />

On Fri, Jan 3, 2014 at 6:56 PM, Mudassir Aftab withmudas...@gmail.com wrote:
> [...]
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: David kerber [mailto:dcker...@verizon.net]
Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

>> [...]
>
> If what you list here is what is really in your config file, you're not proofreading your configuration entries very well. You have SSLCipherSuite misspelled (two missing letters), and it's not inside the connector configuration entry.

Not to mention still having the ciphers attribute, which is not used with APR.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Then what could be the working config!!! Can you edit and send it to me?

Regards,
Mudassir Aftab
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 11:18 AM, Mudassir Aftab wrote:
> Then what could be the working config!!! Can you edit and send it to me?
>
> Regards,
> Mudassir Aftab

Go back and read this thread carefully. There have been several errors pointed out to you which you haven't yet fixed. Fix them (proofreading carefully!), test it, and if it still doesn't work, post your full config.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
*Connector Settings:*

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200"
               clientAuth="false"
               *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*
               scheme="https"
               secure="true"
               SSLEnabled="true"
               SSLCertificateFile="/home/mudassir/pay/p.pem"
               SSLCertificateKeyFile="/home/mudassir/p-key.pem"
               SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />

*Tomcat Logs:*

    Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
    Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
    INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
    Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["http-apr-8443"]
    Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["http-apr-8080"]
    Jan 03, 2014 5:09:50 PM org.apache.coyote.AbstractProtocol init
    INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
    Jan 03, 2014 5:09:50 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 2757 ms
    Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardService startInternal
    INFO: Starting service Catalina
    Jan 03, 2014 5:09:50 PM org.apache.catalina.core.StandardEngine startInternal
    INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
    Jan 03, 2014 5:09:51 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
    Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/docs
    Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/manager
    Jan 03, 2014 5:09:53 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
    Jan 03, 2014 5:09:54 PM org.apache.catalina.startup.HostConfig deployDirectory
    INFO: Deploying web application directory /opt/tomcat7/webapps/examples
    Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["http-apr-8443"]
    Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["http-apr-8080"]
    Jan 03, 2014 5:09:55 PM org.apache.coyote.AbstractProtocol start
    INFO: Starting ProtocolHandler ["ajp-apr-8009"]

*Firefox Error: Version 26*

    Secure Connection Failed
    An error occurred during a connection to pay.upaga.net:8443.
    Cannot communicate securely with peer: no common encryption algorithm(s).
    (Error code: ssl_error_no_cypher_overlap)
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 12:14 PM, Mudassir Aftab wrote:
> *Connector Settings:*
>
>     <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="200"
>                clientAuth="false"
>                *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*

Do you really have the asterisks around this in your config?

>                scheme="https"
>                secure="true"
>                SSLEnabled="true"
>                SSLCertificateFile="/home/mudassir/pay/p.pem"
>                SSLCertificateKeyFile="/home/mudassir/p-key.pem"
>                SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
>
> *Tomcat Logs:*
> <snip>
>
> *Firefox Error: Version 26*
>
>     Secure Connection Failed
>     An error occurred during a connection to pay.upaga.net:8443.
>     Cannot communicate securely with peer: no common encryption algorithm(s).
>     (Error code: ssl_error_no_cypher_overlap)

Does Firefox support ECDHE-ECDSA-AES128-SHA256? I don't know...
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

>     <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11AprProtocol"
>                maxThreads="200"
>                clientAuth="false"
>                *SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"*

Why are there asterisks on that config line? Remove them if they're actually present. Don't try to get cute with formatting tricks like bolding text, since this is a plaintext mailing list.

>     Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
>     INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)

You need to update the OpenSSL version to 1.0.1e, which contains fixes for TLS 1.1 and 1.2 negotiation. Once that's installed (and tcnative rebuilt), verify that the desired cipher is available with the openssl ciphers command.

You also need to confirm that your client is capable of TLSv1.2 using the above cipher. As stated before, getting a Wireshark or tcpdump trace of the negotiation would show what the client allows.

 - Chuck
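The mistakes pointed out across this thread (a misspelled SSLCipherSuite sitting outside the Connector element, a leftover JSSE-style ciphers attribute the APR connector ignores, mail-client asterisks, a cipher list made only of TLS 1.2 suites under SSLProtocol=TLSv1, and an OpenSSL older than 1.0.1e in the startup log) can all be caught from server.xml and catalina.out before the next restart. This is an added example, not code from the thread or from the Tomcat project; the XML fragment and log lines are constructed to mirror the posted ones, and the SSLProtocol=TLSv1 check assumes that with tcnative 1.1.x that value selects TLS 1.0 only.

```python
# Lint an APR/native Tomcat HTTPS Connector for the mistakes pointed out in this thread
# and check the OpenSSL version printed at startup. Added example, not code from the
# thread or the Tomcat project; the XML fragment and log lines below are constructed.
import difflib
import re
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
# SSL attributes the APR/native connector reads (subset of the Tomcat 7 HTTP connector docs).
APR_SSL_ATTRS = sorted({"SSLEnabled", "SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
                        "SSLCertificateKeyFile", "SSLCertificateChainFile", "SSLCACertificateFile",
                        "SSLVerifyClient", "SSLVerifyDepth", "SSLPassword", "SSLHonorCipherOrder"})
# Ordinary connector attributes that are fine on an APR connector too.
COMMON_ATTRS = {"port", "protocol", "maxThreads", "scheme", "secure", "clientAuth",
                "executor", "URIEncoding", "connectionTimeout"}
MIN_OPENSSL = "1.0.1e"  # version the thread names as needed for TLS 1.1/1.2 negotiation
ATTR_LIKE = re.compile(r"\b([A-Za-z]\w*)=(\S+)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    return None if m is None else (int(m[1]), int(m[2]), int(m[3]), m[4])


def is_tls12_only_cipher(name):
    """SHA-256/SHA-384 MACs and GCM modes exist only in TLS 1.2 cipher suites."""
    return re.search(r"SHA(256|384)$|GCM", name) is not None


def suggest(name):
    """'; did you mean ...?' hint when an attribute name is close to a real APR SSL attribute."""
    close = difflib.get_close_matches(name, APR_SSL_ATTRS, n=1, cutoff=0.75)
    return f"; did you mean {close[0]!r}?" if close else ""


def lint_connector(conn):
    """Findings for one <Connector>; empty unless it is an APR connector with SSL enabled."""
    attrs = conn.attrib
    if attrs.get("protocol") != APR_PROTOCOL or attrs.get("SSLEnabled", "").lower() != "true":
        return []
    findings = []
    if "ciphers" in attrs:
        findings.append("'ciphers' is a JSSE attribute and is ignored by the APR connector; use SSLCipherSuite")
    for name, value in attrs.items():
        if name != "ciphers" and name not in APR_SSL_ATTRS and name not in COMMON_ATTRS:
            findings.append(f"unknown attribute {name!r}{suggest(name)}")
        if "*" in value:
            findings.append(f"{name}={value!r} contains '*': mail-client formatting leaked into the config?")
    suites = [s for s in re.split(r"[:, ]+", attrs.get("SSLCipherSuite", "")) if s]
    # Assumption (tcnative 1.1.x): SSLProtocol="TLSv1" selects TLS 1.0 only, so a list made up
    # solely of TLS 1.2 suites leaves nothing to negotiate, as the s_client runs in the thread showed.
    if suites and attrs.get("SSLProtocol", "all") == "TLSv1" and all(map(is_tls12_only_cipher, suites)):
        findings.append("SSLProtocol=TLSv1 with only TLS 1.2 suites leaves no negotiable cipher; use SSLProtocol=all")
    if suites and all("ECDSA" in s for s in suites):
        findings.append("every suite requires an ECDSA certificate; an RSA certificate gives no cipher overlap")
    return findings


def lint_server_xml(xml_text):
    """Findings for every connector plus any attribute-like text that ended up outside an element."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag == "Connector":
            findings.extend(lint_connector(elem))
        for text in (elem.text, elem.tail):
            for name, value in ATTR_LIKE.findall(text or ""):
                findings.append(f"{name}={value} sits outside any element and is ignored{suggest(name)}")
    return findings


def lint_startup_log(log_text):
    """Findings for the AprLifecycleListener 'OpenSSL successfully initialized' line."""
    found = parse_openssl_version(log_text)
    if found is None:
        return ["no 'OpenSSL successfully initialized' line: is the APR listener loaded?"]
    if found < parse_openssl_version("OpenSSL " + MIN_OPENSSL):
        return [f"OpenSSL {found[0]}.{found[1]}.{found[2]}{found[3]} is older than {MIN_OPENSSL}; "
                "it lacks the TLS 1.1/1.2 negotiation fixes"]
    return []


# Constructed fragment mirroring the first posted config: a JSSE 'ciphers' attribute and a
# misspelled SSLCipherSuite that sits outside the Connector element.
POSTED_SERVER_XML = """<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="200" clientAuth="false" ciphers="ECDH-ECDSA-AES128-GCM-SHA256"
             scheme="https" secure="true" SSLEnabled="true"
             SSLCertificateFile="/home/mudassir/pay/p.pem"
             SSLCertificateKeyFile="/home/mudassir/p-key.pem"
             SSLCACertificateFile="/home/mudassir/AdminCA1.pem" />
  SSCipherSuit=ECDH-ECDSA-AES128-GCM-SHA256
</Service>
"""
# Constructed log lines matching the posted startup output (OpenSSL 1.0.1 without a letter).
POSTED_LOG = ("Jan 03, 2014 5:09:49 PM org.apache.catalina.core.AprLifecycleListener initializeSSL\n"
              "INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)\n")

if __name__ == "__main__":
    for finding in lint_server_xml(POSTED_SERVER_XML) + lint_startup_log(POSTED_LOG):
        print("-", finding)
```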
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi, I just bolded it from Gmail :)
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Sanaullah [mailto:sanaulla...@gmail.com]
Subject: Fwd: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> The document which you were referring to, http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native, clearly states that only SSLv2, SSLv3 and TLSv1 are supported by the SSLProtocol attribute.

TLSv1.1 and TLSv1.2 are included in TLSv1, when using the appropriate ciphers.

> The TLSv1.1 and TLSv1.2 supported ciphers can't be invoked until TLSv1.1 and TLSv1.2 are enabled. See the supported cipher list for TLSv1.2 at the OpenSSL link: http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites

That's backwards; TLSv1.1 and TLSv1.2 are used automatically if TLSv1 is enabled and the client and server support v1.1 or v1.2 ciphers.

>     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
>     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
>     TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
>     TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384

Those all appear to be supported in OpenSSL 1.0.1e.

 - Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

I am getting the following error while compiling tomcat-native-1.1.29-src with 1.0.1e-3ubuntu1; should I ignore this?

src/sslcontext.c: In function 'Java_org_apache_tomcat_jni_SSLContext_make':
src/sslcontext.c:77:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_client_method());
                 ^
In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
          ^
src/sslcontext.c:79:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_server_method());
                 ^
In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
          ^
src/sslcontext.c:81:17: warning: passing argument 1 of 'SSL_CTX_new' makes pointer from integer without a cast [enabled by default]
             ctx = SSL_CTX_new(SSLv2_method());
                 ^
In file included from /opt/misc/tomcat-native-1.1.29-src/jni/native/include/ssl_private.h:43:0,
                 from src/sslcontext.c:30:
/usr/include/openssl/ssl.h:1664:10: note: expected 'const struct SSL_METHOD *' but argument is of type 'int'
 SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

I have compiled tomcat-native-1.1.29-src.tar.gz with 1.0.1e-3ubuntu1 and tested it with a fresh apache-tomcat-7.0.47.tar.gz, with the following connector settings:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" clientAuth="false"
           SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/home/mudassir/p.pem"
           SSLCertificateKeyFile="/home/mudassir/p-key.pem"
           SSLCACertificateFile="/home/mudassir/p/AdminCA1.pem" />

Tomcat logs:

Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 8:25:32 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 03, 2014 8:25:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3189 ms
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 8:25:33 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 8:25:33 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.util.SessionIdGenerator createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [19,247] milliseconds.
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 8:25:55 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 8:25:56 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8443]
Jan 03, 2014 8:25:57 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 03, 2014 8:25:58 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [ajp-apr-8009]

Also attached TCP dump logs. I am again getting the following error on FF26 with TLS 1.2 support:

Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)

20:36:23.496965 IP 10.10.0.147.18938 > example.com.8443: Flags [S], seq 435979095, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:23.497066 IP example.com.8443 > 10.10.0.147.18938: Flags [S.], seq 1576579154, ack 435979096, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:23.739969 IP 10.10.0.147.18938 > example.com.8443: Flags [.], ack 1, win 4098, length 0
20:36:24.023396 IP 10.10.0.147.18938 > example.com.8443: Flags [P.], seq 1:202, ack 1, win 4098, length 201
20:36:24.023471 IP example.com.8443 > 10.10.0.147.18938: Flags [.], ack 202, win 237, length 0
20:36:24.023964 IP example.com.8443 > 10.10.0.147.18938: Flags [P.], seq 1:8, ack 202, win 237, length 7
20:36:24.024187 IP example.com.8443 > 10.10.0.147.18938: Flags [F.], seq 8, ack 202, win 237, length 0
20:36:24.713659 IP 10.10.0.147.18938 > example.com.8443: Flags [F.], seq 202, ack 8, win 4096, length 0
20:36:24.713726 IP example.com.8443 > 10.10.0.147.18938: Flags [.], ack 203, win 237, length 0
20:36:24.956342 IP 10.10.0.147.18939 > example.com.8443: Flags [S], seq 3315815756, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:24.956402 IP example.com.8443 > 10.10.0.147.18939: Flags [S.], seq 3575233717, ack 3315815757, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
20:36:24.956415 IP 10.10.0.147.18938 > example.com.8443: Flags [.], ack 9, win 4096, length 0
20:36:25.225229 IP 10.10.0.147.18940 > example.com.8443: Flags [S], seq 821209259, win 8192, options [mss 1366,nop,wscale 2,nop,nop,sackOK], length 0
20:36:25.225278 IP example.com.8443 > 10.10.0.147.18940: Flags [S.], seq 2980117984, ack 821209260, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7],
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Also attached TCP dump logs

Actually, you only attached the TCP headers, not the full capture. The headers can't tell us anything.

> I am again getting following error on FF26 with TLS 1.2 support
> Cannot communicate securely with peer: no common encryption algorithm(s).
> (Error code: ssl_error_no_cypher_overlap)

Which would again indicate that the client (FF26) does not implement your chosen cipher.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Did you get the Wireshark filtered output?

Mudassir

On Sat, Jan 4, 2014 at 2:50 AM, Mudassir Aftab <withmudas...@gmail.com> wrote:
> Please find attached the Wireshark file.
>
> On Sat, Jan 4, 2014 at 1:59 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> > Actually, you only attached the TCP headers, not the full capture. The headers can't tell us anything.
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Did you get wireshark filtered output ?

Everybody on this list is a volunteer, with their own real jobs to take care of. If you want immediate attention, you bloody well need to pay for it.

- Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat.

On Jan 4, 2014 3:16 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> Everybody on this list is a volunteer, with their own real jobs to take care of. If you want immediate attention, you bloody well need to pay for it.
>
> - Chuck
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

The only evidence you have provided is that your single chosen cipher is not implemented by the version of Firefox you're using - which has nothing to do with Tomcat.

The TCP capture you provided is just text rather than a useful .pcap file, and no one's going to waste their time digging through raw bits when any decent protocol analyzer would do the job automatically.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 5:27 PM, Mudassir Aftab wrote:
> Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat

I wouldn't be too sure of that. It might be that Firefox doesn't implement your chosen cipher.

> On Jan 4, 2014 3:16 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> > Everybody on this list is a volunteer, with their own real jobs to take care of. If you want immediate attention, you bloody well need to pay for it.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
> > Again, we have to submit this as a bug. TLS 1.2 is not working in Tomcat
>
> The only evidence you have provided is that your single chosen cipher is not implemented by the version of Firefox you're using - which has nothing to do with Tomcat.
>
> The TCP capture you provided is just text rather than a useful .pcap file, and no one's going to waste their time digging through raw bits when any decent protocol analyzer would do the job automatically.

It's been years (more than I care to count) since I've read raw packet data, but at first glance I do not see the browser (172.16.50.10) initiating a TLSv1.2 Client Hello.

I'm looking at the following line:

0030  c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05   .9.8

I expect to see something like:

16 03 01

starting at octet 36. Instead, I see:

00 87 00

I don't know if that's because the information is encrypted, or what. However, it doesn't look like what I see when I aim Firefox 26.0 at an HTTPS site.

I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or CentOS). If so, get that and look for the TLSv1.2 Client Hello coming from your browser. If it's not coming from your browser, then something else is wrong.

Are you addressing example.com with https://example.com:8443/ in your browser?

As has been pointed out, this is an all-volunteer list (taking a break from writing an RFP here). Making it difficult to answer questions (incorrect, incomplete, or difficult to parse information) will not encourage volunteers to step forth.

. . . . Friday night RFP response writing
/mde/
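The check Mark is doing by eye, as an added example that is not code from this thread, from Tomcat or from OpenSSL: decode a ClientHello record, name the suites it offers, and intersect them with an SSLCipherSuite string the way the server would. The ClientHello bytes are constructed (the suite list is the row of code points quoted from the dump above), the name table covers only suites named in this thread, and the 7-byte alert is constructed to match the size of the server's reply in the tcpdump.

```python
"""Decode a TLS ClientHello and check cipher-suite overlap with a server's SSLCipherSuite."""
import struct

# OpenSSL cipher names -> TLS cipher-suite code points (IANA registry values).
# Only suites that appear in this thread are listed.
OPENSSL_TO_CODE = {
    "ECDHE-ECDSA-AES128-SHA256": 0xC023,   # the SSLCipherSuite used in the thread
    "ECDHE-ECDSA-AES256-SHA": 0xC00A,
    "ECDHE-RSA-AES256-SHA": 0xC014,
    "DHE-RSA-CAMELLIA256-SHA": 0x0088,
    "DHE-DSS-CAMELLIA256-SHA": 0x0087,
    "DHE-RSA-AES256-SHA": 0x0039,
    "DHE-DSS-AES256-SHA": 0x0038,
    "ECDH-RSA-AES256-SHA": 0xC00F,
    "ECDH-ECDSA-AES256-SHA": 0xC005,
    "ECDH-ECDSA-AES128-SHA256": 0xC025,
    "ECDH-ECDSA-AES256-SHA384": 0xC026,
    "ECDH-ECDSA-AES128-GCM-SHA256": 0xC02D,
    "ECDH-ECDSA-AES256-GCM-SHA384": 0xC02E,
}
CODE_TO_OPENSSL = {code: name for name, code in OPENSSL_TO_CODE.items()}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}

# Constructed: the code points from the dump line quoted above
# (c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05).
CLIENT_OFFER = [0xC00A, 0xC014, 0x0088, 0x0087, 0x0039, 0x0038, 0xC00F, 0xC005]


def build_client_hello(client_version, suites, record_version=0x0301):
    """Construct a minimal ClientHello record (test input only; no extensions).

    TLS 1.2 clients commonly keep the record-layer version at 3.1, so a record
    starting "16 03 01" does not mean the client is limited to TLSv1; the
    version it actually offers sits inside the handshake body.
    """
    body = struct.pack("!H", client_version) + bytes(32)   # client_version + zeroed random
    body += b"\x00"                                        # empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs                # cipher_suites vector
    body += b"\x01\x00"                                    # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Decode a handshake record carrying a ClientHello.

    Returns the record version, the client's offered version and the offered
    cipher suites as code points; raises ValueError for anything else.
    """
    if len(data) < 5 or data[0] != 0x16:                   # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                           # skip client_random
    pos += 1 + hello[pos]                                  # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites}


def parse_alert(data):
    """Decode a 7-byte alert record: 5-byte header, then level and description.

    The server's 7-byte reply followed by FIN in the tcpdump above is exactly
    the size of an alert record; a full capture would confirm that.
    """
    if len(data) != 7 or data[0] != 0x15:                  # content type 21 = alert
        raise ValueError("not a TLS alert record")
    level, desc = data[5], data[6]
    return ALERT_LEVELS.get(level, str(level)), ALERT_DESCRIPTIONS.get(desc, str(desc))


def common_ciphers(offered_codes, server_cipher_suite):
    """Intersect the client's offer with a colon-separated OpenSSL SSLCipherSuite.

    The result is in server preference order; an empty list is the condition
    Firefox reports as ssl_error_no_cypher_overlap.
    """
    result = []
    for name in server_cipher_suite.split(":"):
        if name not in OPENSSL_TO_CODE:
            raise KeyError("cipher %s is not in this example's table" % name)
        if OPENSSL_TO_CODE[name] in offered_codes:
            result.append(name)
    return result


def diagnose(client_hello_bytes, server_cipher_suite):
    """Summarise what the client offered and whether the server can pick a suite."""
    info = parse_client_hello(client_hello_bytes)
    common = common_ciphers(info["cipher_suites"], server_cipher_suite)
    return {
        "record_version": VERSION_NAMES.get(info["record_version"]),
        "client_version": VERSION_NAMES.get(info["client_version"]),
        "offered": [CODE_TO_OPENSSL.get(c, "0x%04X" % c) for c in info["cipher_suites"]],
        "common": common,
        "verdict": "handshake can proceed" if common
                   else "no common cipher (ssl_error_no_cypher_overlap)",
    }


if __name__ == "__main__":
    hello = build_client_hello(0x0303, CLIENT_OFFER)      # TLS 1.2 client, record version 3.1
    for cfg in ("ECDHE-ECDSA-AES128-SHA256",
                "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA"):
        print(cfg, "->", diagnose(hello, cfg)["verdict"])
    print(parse_alert(b"\x15\x03\x03\x00\x02\x02\x28"))  # constructed fatal handshake_failure
```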
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: TLS is not working in 6.0.37, 7.0.42, 7.0.47

> I need TLSv1.2 support for tomcat

That's available by default with current OpenSSL versions.

> Also what will be the preferable connector settings ?

Whatever you need them to be. The values depend entirely on your applications and environment.

> I am using following connector in Apache Tomcat/7.0.42
> <Connector port="8443" . . . sslEnabledProtocols="TLSv1.2"

The above attribute is for the BIO and NIO connectors, not the APR one you are using. You should instead specify:

SSLProtocol="TLSv1"

if you want to eliminate SSLv3 (but your client might not like that). You can also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

> An error occurred during a connection to confidential.com:8443.
> Cannot communicate securely with peer: no common encryption algorithm(s).

This means the client you're using and your build of OpenSSL have nothing in common. Use Wireshark or tcpdump and determine just which protocols your client is attempting to negotiate with, and insure that those are enabled in your build of OpenSSL.

- Chuck
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Hi,

Thanks for the reply. I am using the following environment:

Description: Ubuntu 12.04.3 LTS
javac 1.7.0_45
apache-tomcat-7.0.42.tar.gz
apr-1.5.0.tar.gz
tomcat-native-1.1.29-src.tar.gz
openssl 1.0.1-4ubuntu5.10

and this is how I am configuring Tomcat Native:

./configure --with-apr=/usr/local/apr/bin/apr-1-config --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/tomcat7/lib

Server.xml:

<Connector port="8443" protocol="HTTP/1.1" maxThreads="200"
           sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
           clientAuth="false" scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/home/mudassir/cert.pem"
           SSLCertificateKeyFile="/home/mudassir/cert-key.pem"
           SSLCACertificateFile="/home/mudassir/CA.pem" />

Regards,
Mudassir Aftab

On Fri, Jan 3, 2014 at 2:28 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> The above attribute is for the BIO and NIO connectors, not the APR one you are using. You should instead specify:
>
> SSLProtocol="TLSv1"
>
> if you want to eliminate SSLv3 (but your client might not like that).
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
I have also tried to apply the following patch to tomcat-native, but it did not help.

https://issues.apache.org/bugzilla/attachment.cgi?id=30150

tomcat-native-1.1.29-src.tar.gz

On Fri, Jan 3, 2014 at 5:21 AM, Mudassir Aftab <withmudas...@gmail.com> wrote:
> tomcat-native-1.1.29-src.tar.gz
> openssl 1.0.1-4ubuntu5.10
>
> and this is how I am configuring Tomcat Native:
>
> ./configure --with-apr=/usr/local/apr/bin/apr-1-config --with-java-home=$JAVA_HOME --with-ssl=yes --prefix=$CATALINA_HOME
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Mudassir,

On 1/2/14, 7:21 PM, Mudassir Aftab wrote:
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="200"
>            sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"

Setting sslProtocol and sslEnabledProtocols will not affect an OpenSSL-based connector (which you have configured). As Chuck previously stated, you need to use different configuration attributes when using OpenSSL. Please read the documentation for the APR connector and those configuration attributes that affect the SSL engine.

You might want to tell us how you are trying to connect, too.

Also, run openssl ciphers on your system to see what ciphers are supported by your OpenSSL, and compare those to the list supported by your client. Perhaps you have a legitimate mismatch and TLS 1.2 itself isn't the problem.

-chris
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
I have just configured the latest version; the following is the log:

Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 03, 2014 12:33:58 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 03, 2014 12:33:59 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1 14 Mar 2012)
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8443]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
Jan 03, 2014 12:34:00 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3145 ms
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 03, 2014 12:34:00 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 03, 2014 12:34:00 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 03, 2014 12:34:05 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8443]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [http-apr-8080]
Jan 03, 2014 12:34:07 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler [ajp-apr-8009]
Jan 03, 2014 12:34:07 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7422 ms

On Fri, Jan 3, 2014 at 5:31 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Setting sslProtocol and sslEnabledProtocols will not affect an OpenSSL-based connector (which you have configured). As Chuck previously stated, you need to use different configuration attributes when using OpenSSL.
>
> Also, run openssl ciphers on your system to see what ciphers are supported by your OpenSSL, and compare those to the list supported by your client. Perhaps you have a legitimate mismatch and TLS 1.2 itself isn't the problem.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Thanks for continuing to reply. Is there any way to restrict the cipher suite in the connector configuration?

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5

On Fri, Jan 3, 2014 at 5:35 AM, Mudassir Aftab <withmudas...@gmail.com> wrote:
> I have just configured the latest version; the following is the log:
>
> On Fri, Jan 3, 2014 at 5:31 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > Also, run openssl ciphers on your system to see what ciphers are supported by your OpenSSL, and compare those to the list supported by your client.
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
How can I test this? Can I test this with Firefox 25?

Regards,
Mudassir Aftab

On Fri, Jan 3, 2014 at 5:41 AM, Mudassir Aftab <withmudas...@gmail.com> wrote:

Thanks for continuing to reply; is there any way to restrict the cipher suite in the connector configuration?

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Don't top post - it makes it really hard to follow the conversation.

is there any way to restrict the cipher suite in the connector configuration?

You were already told how:

You can also set SSLCipherSuite to avoid enabling insecure encryption mechanisms (see http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher).

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
Also, how can I restrict ciphers in the connector?

Testing localhost:8443

** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** TLSv1:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** SSLv3:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **

On Fri, Jan 3, 2014 at 5:58 AM, Mudassir Aftab <withmudas...@gmail.com> wrote:

How can I test this? Can I test this with Firefox 25?

Regards,
Mudassir Aftab
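The scan output above shows anonymous (ADH) and export suites negotiable on 8443, over SSLv3 as well as TLSv1, which is what an unrestricted OpenSSL connector looks like from the outside. As an added example, not code from this thread or from Tomcat: a Python script that parses lines in that sslscan-style format, classifies each enabled suite by the OpenSSL naming conventions (ADH/AECDH means no server authentication, EXP means export-grade keys, plus RC4, single DES and MD5), and derives the SSLCipherSuite value (and, while SSLv3 is still negotiable, the SSLProtocol value) that would turn them off. The scan lines are the ones posted in this message plus one constructed DHE-RSA-AES256-SHA line to show a suite that passes; the weakness rules and the HIGH-based recommendation are this example's own, not something the thread states.

```python
"""Classify the suites an sslscan-style run reports as ENABLED and derive the
SSLCipherSuite / SSLProtocol values that would shut the weak ones off."""
import re
import subprocess

# Constructed sample: the scan lines posted in this message, plus one
# non-anonymous suite (DHE-RSA-AES256-SHA) added here to show a suite that passes.
SAMPLE_SCAN = """Testing localhost:8443
** TLSv1:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** TLSv1:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** TLSv1:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** TLSv1:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES128-SHA - ENABLED - WEAK 128 bits **
** SSLv3:EXP-ADH-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:ADH-AES256-SHA - ENABLED - WEAK 256 bits **
** SSLv3:ADH-DES-CBC3-SHA - ENABLED - WEAK 168 bits **
** SSLv3:ADH-DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:ADH-RC4-MD5 - ENABLED - WEAK 128 bits **
** TLSv1:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits **
"""

# One scan line: "** <proto>:<suite> - ENABLED|DISABLED - <strength> <n> bits **"
LINE_RE = re.compile(
    r"\*\*\s*(?P<proto>SSLv[23]|TLSv1(?:\.[12])?):(?P<suite>[A-Z0-9-]+)"
    r"\s+-\s+(?P<state>ENABLED|DISABLED)\s+-\s+\w+\s+(?P<bits>\d+)\s+bits\s*\*\*")

# (what is wrong, predicate on the OpenSSL suite name, OpenSSL cipher-string exclusion)
WEAKNESS_RULES = [
    ("anonymous key exchange (no server authentication)",
     lambda s: s.startswith(("ADH-", "AECDH-", "EXP-ADH-")), "!aNULL"),
    ("export-grade key size", lambda s: s.startswith("EXP-"), "!EXPORT"),
    ("RC4 stream cipher", lambda s: "RC4" in s, "!RC4"),
    ("single DES", lambda s: "DES-CBC-" in s, "!DES"),  # DES-CBC3 is 3DES, not matched
    ("MD5 MAC", lambda s: s.endswith("-MD5"), "!MD5"),
]


def parse_scan(text):
    """Return (protocol, suite, bits) for each suite reported as ENABLED."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("state") == "ENABLED":
            found.append((m.group("proto"), m.group("suite"), int(m.group("bits"))))
    return found


def weaknesses(suite):
    """Descriptions of every rule a suite name triggers ([] means it passes)."""
    return [desc for desc, pred, _ in WEAKNESS_RULES if pred(suite)]


def assess(text):
    """Summarise the scan and derive connector values that remove the weak suites."""
    enabled = parse_scan(text)
    weak = {s: weaknesses(s) for _, s, _ in enabled if weaknesses(s)}
    # Always exclude unauthenticated and unencrypted suites, then add an
    # exclusion for every weakness class the scan actually exhibited.
    exclusions = ["!aNULL", "!eNULL"]
    for _, pred, keyword in WEAKNESS_RULES:
        if keyword not in exclusions and any(pred(s) for _, s, _ in enabled):
            exclusions.append(keyword)
    protocols = sorted({p for p, _, _ in enabled})
    return {
        "enabled": len(enabled),
        "weak": weak,
        "SSLCipherSuite": "HIGH:" + ":".join(exclusions),
        "protocols": protocols,
        # SSLv2/SSLv3 negotiable means SSLProtocol must be pinned to TLS. "TLSv1"
        # is accepted by the 7.0.47 / tcnative 1.1.29 pair in this thread's log;
        # TLSv1.1/TLSv1.2 values need newer (or patched) Tomcat and tcnative code.
        "SSLProtocol": "TLSv1" if any(p.startswith("SSLv") for p in protocols) else None,
    }


def openssl_expands(cipher_string):
    """Expand the string with the local openssl to confirm no ADH/AECDH suite
    survives; returns None when openssl is not installed."""
    try:
        out = subprocess.run(["openssl", "ciphers", cipher_string],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip().split(":")


if __name__ == "__main__":
    report = assess(SAMPLE_SCAN)
    for suite, reasons in report["weak"].items():
        print(f"{suite}: {'; '.join(reasons)}")
    print("SSLCipherSuite=" + report["SSLCipherSuite"], "SSLProtocol=" + str(report["SSLProtocol"]))
    expanded = openssl_expands(report["SSLCipherSuite"])
    if expanded is not None:
        print("openssl leaves", len(expanded), "suites; anonymous ones:",
              [s for s in expanded if s.startswith(("ADH-", "AECDH-"))])
```

Once the derived value is in SSLCipherSuite on the APR connector, `openssl s_client -connect localhost:8443 -cipher aNULL` should fail to complete a handshake, and the same command without -cipher should report a non-ADH suite in its "Cipher is" line.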
Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47
How can I specify the AES256-SHA256 cipher in the Tomcat connector? Or where should I specify this?

Regards,
Mudassir Aftab
RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
From: Mudassir Aftab [mailto:withmudas...@gmail.com]
Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47

Should I use the following APR connector attributes?

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
           clientAuth="false" ciphers="AES256-SHA256" scheme="https" secure="true"
           SSLEnabled="true" SSLCertificateFile="p.pem" SSLCertificateKeyFile="key.pem"
           SSLCACertificateFile="AdminCA1.pem" />

For the third time, the APR Connector has no sslProtocol nor sslEnabledProtocols attributes; the proper ones for specifying the protocol and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively. For the last time, read the doc:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

(If you don't start paying attention to the responses you're getting, you will end up just being ignored.)

- Chuck
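As an added example, not code from the thread or from Tomcat, the check below applies Chuck's point mechanically: it walks a server.xml, decides which SSL-enabled connectors will run on OpenSSL (Http11AprProtocol named explicitly, or protocol="HTTP/1.1" with AprLifecycleListener loading tcnative, which is how the startup log in this thread ends up with http-apr-8443), flags the JSSE attributes such a connector silently ignores, and rewrites them to the APR names from the linked doc page. The sample server.xml is constructed from the connector quoted in this message; the value translations (comma-separated sslEnabledProtocols to plus-joined SSLProtocol, clientAuth to SSLVerifyClient) and the SSLCipherSuite heuristics are this example's own.

```python
"""Lint a Tomcat 7 server.xml for JSSE-style SSL attributes on a connector
that actually runs on APR/OpenSSL, where they are silently ignored."""
import re
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# JSSE attribute -> APR/OpenSSL attribute, per the Tomcat 7 HTTP connector
# docs (SSL Support - APR/Native). Assumption: the table covers the
# attributes that matter here; extend it for anything else you use.
JSSE_TO_APR = {
    "sslProtocol": "SSLProtocol",
    "sslEnabledProtocols": "SSLProtocol",
    "ciphers": "SSLCipherSuite",
    "clientAuth": "SSLVerifyClient",
    "keystoreFile": "SSLCertificateFile / SSLCertificateKeyFile",
    "keystorePass": "SSLPassword",
    "truststoreFile": "SSLCACertificateFile",
}
# JSSE clientAuth values -> SSLVerifyClient values (this example's mapping).
CLIENT_AUTH_TO_VERIFY = {"false": "none", "want": "optional", "true": "require"}

# Constructed sample: the connector quoted in this message, inside a minimal
# server.xml with the APR listener enabled.
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2"
               clientAuth="false" ciphers="AES256-SHA256" scheme="https" secure="true"
               SSLEnabled="true" SSLCertificateFile="p.pem" SSLCertificateKeyFile="key.pem"
               SSLCACertificateFile="AdminCA1.pem" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""


def uses_apr(connector, apr_listener_present):
    """True if the connector will run on OpenSSL: either Http11AprProtocol is
    named explicitly, or the generic HTTP/1.1 protocol is used while the APR
    listener has loaded tcnative (Tomcat then auto-selects the APR connector)."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return protocol.endswith("Http11AprProtocol") or (
        protocol == "HTTP/1.1" and apr_listener_present)


def lint(server_xml):
    """Return (port, attribute, message) findings for every SSL-enabled
    connector that runs on OpenSSL."""
    root = ET.fromstring(server_xml)
    apr_loaded = any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true" or not uses_apr(conn, apr_loaded):
            continue
        port = conn.get("port")
        for attr in conn.attrib:
            if attr in JSSE_TO_APR:
                findings.append((port, attr,
                    "JSSE-only attribute, ignored by the APR connector; use " + JSSE_TO_APR[attr]))
        if "SSLProtocol" not in conn.attrib:
            findings.append((port, "SSLProtocol",
                "not set; the APR connector falls back to its default of all protocol versions"))
        suite = conn.get("SSLCipherSuite")
        if suite is None:
            findings.append((port, "SSLCipherSuite",
                "not set; anonymous (ADH) suites stay enabled, as the scan output in this thread shows"))
        elif re.search(r"\b(ALL|DEFAULT)\b", suite) and not re.search(r"[!-]aNULL", suite):
            findings.append((port, "SSLCipherSuite",
                "uses ALL/DEFAULT without !aNULL, so anonymous suites remain enabled"))
    return findings


def rewrite_for_apr(attrs):
    """Translate JSSE attributes to their APR equivalents, returning a new
    attribute dict; attributes not in the table pass through unchanged."""
    out = {k: v for k, v in attrs.items() if k not in JSSE_TO_APR}
    protocols = attrs.get("sslEnabledProtocols") or attrs.get("sslProtocol")
    if protocols and "SSLProtocol" not in out:
        # SSLProtocol joins several versions with '+'. The 7.0.47 / tcnative
        # 1.1.29 pair in this thread's log does not honour TLSv1.1/TLSv1.2 here
        # without newer or patched code; on such a build use "TLSv1".
        out["SSLProtocol"] = "+".join(p.strip() for p in protocols.split(","))
    if "ciphers" in attrs and "SSLCipherSuite" not in out:
        out["SSLCipherSuite"] = attrs["ciphers"]
    if "clientAuth" in attrs and "SSLVerifyClient" not in out:
        value = attrs["clientAuth"].lower()
        out["SSLVerifyClient"] = CLIENT_AUTH_TO_VERIFY.get(value, value)
    return out


def render_connector(attrs):
    """Serialise an attribute dict back to a <Connector .../> element."""
    return "<Connector " + " ".join(f'{k}="{v}"' for k, v in attrs.items()) + " />"


def connector_attrs(server_xml, port):
    """Attribute dict of the <Connector> listening on the given port."""
    root = ET.fromstring(server_xml)
    return next(c.attrib for c in root.iter("Connector") if c.get("port") == port)


if __name__ == "__main__":
    for port, attr, msg in lint(SAMPLE_SERVER_XML):
        print(f"port {port}: {attr}: {msg}")
    print(render_connector(rewrite_for_apr(connector_attrs(SAMPLE_SERVER_XML, "8443"))))
```

The rewritten connector keeps the value TLSv1.2 in SSLProtocol because that is what the original asked for; whether a given Tomcat/tcnative build accepts it is a separate question, so after restarting check what actually negotiates with openssl s_client -connect localhost:8443 -tls1_2 and compare against -tls1.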