Here is my test with the latest openssl and tomcat.

Tools:
  openssl: 1.0.1e
  apache-tomcat-7.0.47
  apr-1.5.0
  tomcat-native-1.1.29

Connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" clientAuth="false"
           SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/opt/misc/certs/ca.pem"
           SSLCertificateKeyFile="/opt/misc/certs/k.key" />

Tomcat Logs:

Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.5.0.
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3580 ms
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start

Verification Tests:

root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:754:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1388841094
    Timeout   : 7200 (sec)
    Verify return code: 0 (y)
---

root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available:s23_clnt.c:486:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers <its_toas...@yahoo.com> wrote:
> On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>
>>> From: Mudassir Aftab [mailto:withmudas...@gmail.com]
>>> Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>>
>>> Again, we have to submit this as a bug.....TLS 1.2 is not working
>>> in Tomcat
>>
>> The only evidence you have provided is that your single chosen cipher
>> is not implemented by the version of Firefox you're using - which has
>> nothing to do with Tomcat. The TCP capture you provided is just text
>> rather than a useful .pcap file, and no one's going to waste their
>> time digging through raw bits when any decent protocol analyzer would
>> do the job automatically.
>>
>> - Chuck
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>> PROPRIETARY MATERIAL and is thus for use only by the intended
>> recipient. If you received this in error, please contact the sender
>> and delete the e-mail and its attachments from all computers.
>
> It's been years (more than I care to count) since I've read raw packet
> data, but at first glance I do not see the browser (172.16.50.10)
> initiating a TLSv1.2 Client Hello.
>
> I'm looking at the following line:
>
> 0030 c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05 .........9.8....
>
> I expect to see something like:
>
> 16 03 01
>
> starting at octet 36. Instead, I see:
>
> 00 87 00
>
> I don't know if that's because the information is encrypted, or what.
> However, it doesn't look like what I see when I aim Firefox 26.0 at an
> HTTPS site.
>
> I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or
> CentOS). If so, get that and look for the TLSv1.2 Client Hello coming from
> your browser. If it's not coming from your browser, then something else is
> wrong.
>
> Are you addressing example.com with https://example.com:8443/ in your
> browser?
>
> As has been pointed out, this is an all-volunteer list (taking a break
> from writing an RFP here). Making it difficult to answer questions
> (incorrect, incomplete, or difficult to parse information) will not
> encourage volunteers to step forth.
>
> . . . . Friday night RFP response writing
> /mde/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org