Here is my test with latest openssl and tomcat
Tools:
openssl: 1.0.1e
apache-tomcat-7.0.47
apr-1.5.0.
tomcat-native-1.1.29
Connector:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="200"
clientAuth="false"
SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/opt/misc/certs/ca.pem"
SSLCertificateKeyFile="/opt/misc/certs/k.key" />
Tomcat Logs:
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR
version 1.5.0.
Jan 04, 2014 1:10:15 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters
[false], random [true].
Jan 04, 2014 1:10:16 PM org.apache.catalina.core.AprLifecycleListener
initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
Jan 04, 2014 1:10:16 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:17 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3580 ms
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jan 04, 2014 1:10:17 PM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.47
Jan 04, 2014 1:10:17 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/docs
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/ROOT
Jan 04, 2014 1:10:20 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8443"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jan 04, 2014 1:10:22 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jan 04, 2014 1:10:22 PM org.apache.catalina.startup.Catalina start
Verification Tests:
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -tls1
-cipher ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
3074226440:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers
available:s3_clnt.c:754:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1388841094
Timeout : 7200 (sec)
Verify return code: 0 (y)
---
root@ubuntu:/home/m# openssl s_client -connect 10.10.10.196:8443 -cipher
ECDHE-ECDSA-AES128-SHA256
CONNECTED(00000003)
3073734920:error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers
available:s23_clnt.c:486:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
On Sat, Jan 4, 2014 at 4:48 AM, Mark Eggers <its_toas...@yahoo.com> wrote:
> On 1/3/2014 2:43 PM, Caldarale, Charles R wrote:
>
>> From: Mudassir Aftab [mailto:withmudas...@gmail.com] Subject: RE:
>>> TLS is not working in 6.0.37, 7.0.42, 7.0.47
>>>
>>
>> Again, we have to submit this as a bug.....TLS 1.2 is not working
>>> in Tomcat
>>>
>>
>> The only evidence you have provided is that your single chosen cipher
>> is not implemented by the version of Firefox you're using - which has
>> nothing to do with Tomcat. The TCP capture you provided is just text
>> rather than a useful .pcap file, and no one's going to waste their
>> time digging through raw bits when any decent protocol analyzer would
>> do the job automatically.
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>> PROPRIETARY MATERIAL and is thus for use only by the intended
>> recipient. If you received this in error, please contact the sender
>> and delete the e-mail and its attachments from all computers.
>>
>
> It's been years (more than I care to count) since I've read raw packet
> data, but at first glance I do not see the browser (172.16.50.10)
> initiating a TLSv1.2 Client Hello.
>
> I'm looking at the following line:
>
> 0030 c0 0a c0 14 00 88 00 87 00 39 00 38 c0 0f c0 05 .........9.8....
>
> I expect to see something like:
>
> 16 03 01
>
> starting at octet 36. Instead, I see:
>
> 00 87 00
>
> I don't know if that's because the information is encrypted, or what.
> However, it doesn't look like what I see when I aim Firefox 26.0 at an
> HTTPS site.
>
> I don't know if gnome-wireshark is available for Ubuntu (I use Fedora or
> CentOS). If so, get that and look for the TLSv1.2 Client Hello coming from
> your browser. If it's not coming from your browser, then something else is
> wrong.
>
> Are you addressing example.com with https://example.com:8443/ in your
> browser?
>
> As has been pointed out, this is an all-volunteer list (taking a break
> from writing an RFP here). Making it difficult to answer questions
> (incorrect, incomplete, or difficult to parse information) will not
> encourage volunteers to step forth.
>
> . . . . Friday night RFP response writing
> /mde/
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
