Hi all,
I have an application deployed on tomcat 6.0.35 and linux/amd64 with a
JSSE https connector. When I try to connect to this site with the default
iPad browser, I always get an error message saying that the connection cannot
be established.

Tomcat version is the one shipped with Debian, and uses jdk 1.6.0_u39
with jce unrestricted policy. I also added bouncy castle jar in
$JAVA_HOME/jre/lib/ext and added its provider in
$JAVA_HOME/jre/lib/security/java.security as last in the provider list.
After restarting tomcat nothing changed.

I used the command line tool "ssldump" to check what happens and it
seems the problem is in the cipher suite used by iPad: none of the
ciphers is accepted by the server.

This is what the ssldump command shows:

    New TCP connection #1:
    host35-105-static.24-87-b.business.telecomitalia.it(59049) <->
    192.168.1.55(8443)
    1 1  0.0979 (0.0979)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_NULL_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_NULL_SHA
        TLS_RSA_WITH_NULL_MD5
        compression methods
                  NULL

The iPad does try a few times, changing the version number, but it fails
every time and eventually stops.

When connecting using Chrome on the very same iPad, the connection
works. The relevant dump is:

    New TCP connection #1:
    host35-105-static.24-87-b.business.telecomitalia.it(59049) <->
    192.168.1.55(8443)
    1 1  0.0979 (0.0979)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_NULL_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_NULL_SHA
        TLS_RSA_WITH_NULL_MD5
        compression methods
                  NULL

The cipher accepted by the server is: TLS_DHE_DSS_WITH_AES_128_CBC_SHA

The connector I use is:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               proxyName="www.my-visible-name.tld"
               proxyPort="8443"
               address="192.168.1.55"
    />

This is a JSSE connector, since it displays this message in the log file:

    13-feb-2013 12.57.49 org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-192.168.1.55-8443


So, my question: how to configure tomcat for accepting a broader range
of ciphers, or at least to accept even one of those used by this
browser?

Thank you very much,
Giuseppe
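An added diagnostic, not part of Giuseppe's post: a small script that pulls the cipher suite list out of an ssldump ClientHello block and checks which of those suites the server could negotiate given the key type of its certificate. The mapping from suite name to certificate key type is standard TLS naming (TLS_RSA_* and TLS_DHE_RSA_* authenticate with an RSA certificate, TLS_DHE_DSS_* with a DSA certificate), and JSSE leaves NULL-cipher suites disabled by default. The sample input is the suite list from the post, embedded inline; the idea that the server certificate is DSA is an assumption drawn from the one suite the post reports as accepted (a DHE_DSS suite), not something the post states.

```python
"""Cross-check the cipher suites a client offers against what a server certificate can use."""
import re

# Constructed sample: the ClientHello cipher list from the ssldump output in the post.
SSLDUMP_SAMPLE = """\
New TCP connection #1: client.example(59049) <-> 192.168.1.55(8443)
1 1  0.0979 (0.0979)  C>S  Handshake
  ClientHello
    Version 3.3
    cipher suites
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_NULL_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_NULL_SHA
    TLS_RSA_WITH_NULL_MD5
    compression methods
              NULL
"""

SUITE_RE = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")


def parse_client_hello_suites(dump):
    """Return the cipher suites listed under the first 'cipher suites' heading of an ssldump trace."""
    suites = []
    in_list = False
    for line in dump.splitlines():
        item = line.strip()
        if item == "cipher suites":
            in_list = True
            continue
        if in_list:
            if SUITE_RE.match(item):
                suites.append(item)
            else:
                break  # the first non-suite line ('compression methods') ends the list
    return suites


def certificate_key_type(suite):
    """Key type of the server certificate this suite authenticates with (standard TLS naming)."""
    key_exchange = suite.split("_WITH_")[0]   # e.g. 'TLS_DHE_DSS'
    if "anon" in key_exchange:
        return None                           # anonymous key exchange: no certificate at all
    if key_exchange.endswith("_DSS"):
        return "DSA"
    if key_exchange.endswith("_ECDSA"):
        return "ECDSA"
    return "RSA"                              # TLS_RSA, TLS_DHE_RSA, TLS_ECDHE_RSA, ...


def is_null_cipher(suite):
    """True for suites that provide no encryption (NULL bulk cipher)."""
    return "_WITH_NULL_" in suite


def usable_suites(offered, server_key_type, allow_null=False):
    """Offered suites the server could negotiate with a certificate of the given key type.

    JSSE does not enable NULL-cipher suites by default, so they are dropped unless allow_null is set.
    """
    return [s for s in offered
            if certificate_key_type(s) == server_key_type
            and (allow_null or not is_null_cipher(s))]


def diagnose(dump, server_key_type):
    """Summarise the overlap for one assumed server key type."""
    offered = parse_client_hello_suites(dump)
    usable = usable_suites(offered, server_key_type)
    with_null = usable_suites(offered, server_key_type, allow_null=True)
    return {
        "offered": len(offered),
        "usable": usable,
        "null_only": [s for s in with_null if is_null_cipher(s)],
    }


if __name__ == "__main__":
    # Assumed scenario: try the server certificate as DSA (inferred from the accepted suite) and as RSA.
    for key_type in ("DSA", "RSA"):
        result = diagnose(SSLDUMP_SAMPLE, key_type)
        print(f"server cert {key_type}: {len(result['usable'])}/{result['offered']} offered suites usable; "
              f"matches only via NULL ciphers: {result['null_only']}")
```

Run against the post's list, the script reports zero usable suites for a DSA certificate (the only DSS suite the client offers is a NULL cipher) and eight for an RSA certificate. If that assumption holds, widening the Tomcat connector's `ciphers` attribute cannot help, because no non-NULL DSS suite is offered at all; the overlap only appears once the keystore holds an RSA-keyed certificate.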
