Tomcat by default should accept all the enabled cipher suites in an
SSLSocket, unless it has been configured to do differently. That list is far
longer than either of the client lists supplied.

-----Original Message-----
From: Giuseppe Sacco [mailto:giuse...@eppesuigoccas.homedns.org] 
Sent: Thursday, 14 February 2013 8:48 AM
To: users@tomcat.apache.org
Subject: Tomcat does not accept connections from Safari on iPad vs an SSL
connector with JSSE ciphers

Hi all,
I have an application deployed on tomcat 6.0.35 and linux/amd64 with a JSSE
https connector. When I try to connect to this site with the default iPad
browser, I always get an error message saying the connection cannot be
established.

Tomcat version is the one shipped with Debian, and uses jdk 1.6.0_u39 with
jce unrestricted policy. I also added bouncy castle jar in
$JAVA_HOME/jre/lib/ext and added its provider in
$JAVA_HOME/jre/lib/security/java.security as last in the provider list.
After restarting tomcat nothing changed.

I used the command line tool "ssldump" to check what happens and it seems
the problem is in the cipher suites used by the iPad: none of the ciphers is
accepted by the server.

This is what the ssldump command shows:

    New TCP connection #1:
host35-105-static.24-87-b.business.telecomitalia.it(59049) <->
192.168.1.55(8443)
    1 1  0.0979 (0.0979)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_NULL_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_NULL_SHA
        TLS_RSA_WITH_NULL_MD5
        compression methods
                  NULL

The iPad does try a few times, changing the version number, but it fails every
time and eventually stops.

When connecting using Chrome on the very same iPad, the connection works.
The relevant dump is:

    New TCP connection #1:
host35-105-static.24-87-b.business.telecomitalia.it(59049) <->
192.168.1.55(8443)
    1 1  0.0979 (0.0979)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_NULL_SHA
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_NULL_SHA
        TLS_RSA_WITH_NULL_MD5
        compression methods
                  NULL

The cipher accepted by the server is: TLS_DHE_DSS_WITH_AES_128_CBC_SHA

The connector I use is:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               proxyName="www.my-visible-name.tld"
               proxyPort="8443"
               address="192.168.1.55"
    />

This is a JSSE connector since it displays this message in the log file:

13-feb-2013 12.57.49 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-192.168.1.55-8443


So, my question: how do I configure tomcat to accept a broader range of
ciphers, or at least one of those used by this browser?

Thank you very much,
Giuseppe
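To make the negotiation in this thread concrete, here is an added example (not code from the thread, Tomcat or JSSE) that simulates how a JSSE server walks a ClientHello suite list and picks the first suite it can actually use. The Safari list is copied from the ssldump above; the server's enabled list is a constructed plausible JDK 6 subset, not Tomcat's real list. The server key type is an assumption: the suite the thread reports as accepted, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, only works with a DSA certificate, and the Safari list contains no DHE_DSS suite with real encryption (only a NULL one, which JSSE does not enable by default). Because the two quoted dumps list identical suites, a Chrome-style list that adds the accepted DHE_DSS suite is constructed here to reproduce the working case.

```python
from typing import Dict, Iterable, List, Optional

# Suites offered by the iPad Safari ClientHello, as listed in the ssldump above.
SAFARI_CLIENT_HELLO: List[str] = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_NULL_MD5",
]

# Constructed: a Chrome-style ClientHello that also offers a DHE_DSS suite with
# real encryption, i.e. the suite the thread reports the server accepted.
CHROME_LIKE_CLIENT_HELLO: List[str] = ["TLS_DHE_DSS_WITH_AES_128_CBC_SHA"] + SAFARI_CLIENT_HELLO

# Constructed: a plausible subset of what a JDK 6 JSSE server enables by default.
# NULL-encryption suites are supported by JSSE but not enabled unless configured.
SERVER_ENABLED: List[str] = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]


def key_type_required(suite: str) -> Optional[str]:
    """Certificate key type the suite's key exchange needs (RSA, DSA or EC); None if unknown."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None
    kx = suite[4:].split("_WITH_", 1)[0]
    return {
        "RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
        "DHE_DSS": "DSA",
        "ECDHE_ECDSA": "EC",
    }.get(kx)


def is_null_cipher(suite: str) -> bool:
    """True for suites that authenticate but do not encrypt; treated as unusable even if enabled."""
    return "_WITH_NULL_" in suite


def reject_reason(suite: str, server_enabled: Iterable[str], server_key_type: str) -> Optional[str]:
    """Why the server cannot use this suite, or None if it can."""
    if suite not in server_enabled:
        return "not enabled on server"
    if is_null_cipher(suite):
        return "NULL cipher: no encryption"
    needed = key_type_required(suite)
    if needed != server_key_type:
        return f"needs {needed} certificate, server has {server_key_type}"
    return None


def negotiate(client_suites: List[str], server_enabled: List[str], server_key_type: str) -> Optional[str]:
    """First usable suite in client preference order (JDK 6 JSSE walks the client list), else None."""
    enabled = set(server_enabled)
    for suite in client_suites:
        if reject_reason(suite, enabled, server_key_type) is None:
            return suite
    return None


def explain(client_suites: List[str], server_enabled: List[str], server_key_type: str) -> Dict[str, str]:
    """Map each rejected client suite to its rejection reason; usable suites are left out."""
    enabled = set(server_enabled)
    out: Dict[str, str] = {}
    for suite in client_suites:
        reason = reject_reason(suite, enabled, server_key_type)
        if reason is not None:
            out[suite] = reason
    return out


if __name__ == "__main__":
    for label, hello in (("Safari", SAFARI_CLIENT_HELLO), ("Chrome-like", CHROME_LIKE_CLIENT_HELLO)):
        for key in ("DSA", "RSA"):
            print(f"{label} vs {key} server: {negotiate(hello, SERVER_ENABLED, key)}")
    for suite, why in explain(SAFARI_CLIENT_HELLO, SERVER_ENABLED, "DSA").items():
        print(f"  {suite}: {why}")
```

Running it shows the empty intersection for the Safari list against a DSA-keyed server (every RSA and DHE_RSA suite is rejected on key type, the DHE_DSS suite offered is NULL and not enabled), while the same list succeeds against an RSA-keyed server and the Chrome-like list succeeds against DSA. The `explain` output is the check to run against the real enabled list before touching the connector's cipher configuration: enabling NULL suites would let the handshake complete but would leave the session unencrypted.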



