you can create the ECC self singed certificates using the below two commands of Openssl
openssl ecparam -out sinful.key -name prime256v1 -genkey openssl req -x509 -new -key sinful.key -out sinful-ca.pem -outform PEM -days 3650 root@ubuntu:/# openssl s_client -connect localhost:8443 CONNECTED(00000003) Server certificate -----BEGIN CERTIFICATE----- MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg +aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ EmVg3uQq9XxPfiI= -----END CERTIFICATE----- --- SSL handshake has read 836 bytes and written 453 bytes --- New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA Server public key is 256 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : ECDH-ECDSA-AES256-SHA Session-ID: 0BC1B06C5FF21C1AF5E303269E3FF71D4ADBD65F2D9C89E82E1C7EF5A285EC12 Session-ID-ctx: Master-Key: 7C86159B8A5003E2812D464FD59BD1ED05B87FE68123BAE0B3F5C7C773ACD76133F109E3525560DCFF9687C6DFB764D1 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 39 18 5f 31 c0 e2 a0 1e-78 b8 66 7d 47 7b 1c de 9._1....x.f}G{.. 0010 - 84 88 b3 25 b3 15 0c ca-d1 37 73 be 50 b8 8e 3e ...%.....7s.P..> 0020 - e5 51 62 04 8f 84 c6 b5-a9 6d aa 36 97 85 e9 05 .Qb......m.6.... 0030 - 71 5e d5 83 c3 88 fb 34-c2 98 5b b4 18 09 89 1f q^.....4..[..... 0040 - 5c 3f 6d cf 16 a5 3b 7f-dc 36 0d 3f fa 8d 55 b4 \?m...;..6.?..U. 0050 - 48 37 73 8f 75 22 88 da-28 e7 16 06 7c b2 ad 36 H7s.u"..(...|..6 0060 - 44 16 de e3 12 31 33 6e-51 19 4f 5e b7 d9 08 ab D....13nQ.O^.... 0070 - 90 ce 7b eb 69 e4 8a 77-ca 3a de 6a ec f9 30 7c ..{.i..w.:.j..0| 0080 - eb a0 e6 3f 8c 16 61 c4-2d 58 4b 9b fc 14 b5 84 ...?..a.-XK..... 0090 - 49 4c 22 6d 56 a5 55 e4-16 27 7a 3f a4 d8 96 91 IL"mV.U..'z?.... 00a0 - a1 b6 bd 9c ef e9 fd 4e-77 e4 b2 22 13 d0 95 68 .......Nw.."...h Start Time: 1388891510 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- I am also unable to initialize any TLS1.1 or TLS1.2 related ECC Ciphers Here is my config tomcat 7.0.47 libapr 1.5.0-1 tcnative 1.1.29-1 <Connector port="8443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLProtocol="all" SSLCertificateFile="/home/san/sinful.pem" SSLCertificateKeyFile="/home/san/sinful.key" /> On Sun, Jan 5, 2014 at 6:02 AM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Mark, > > On 1/4/14, 6:37 PM, Mark Eggers wrote: > > On 1/4/2014 1:18 PM, Christopher Schultz wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > >> > >> Musassir, > >> > >> On 1/4/14, 4:08 PM, Christopher Schultz wrote: > >>> Musassir, > >>> > >>> On 1/3/14, 5:27 PM, Mudassir Aftab wrote: > >>>> Again, we have to submit this as a bug.....TLS 1.2 is not > >>>> working in Tomcat > >>> > >>> Tomcat 7.0.74 Oracle Java 1.7.0_45 tcnative 1.1.29 trunk > >>> (essentially 1.2.29 > >>> > >>> tcnative$ make clean tcnative$ ./configure --with-apr=`which > >>> apr-config` --with-java-home=/usr/local/java-7 --with-ssl > >>> tcnative$ time make [...] make[1]: Leaving directory > >>> `/home/cschultz/projects/tomcat-native-1.1.x/native' > >>> > >>> real 0m14.790s user 0m15.300s sys 0m1.840s > >>> > >>> tcnative$ cp -d .libs/* $CATALINA_HOME/bin > >>> > >>> tcnative$ cd $CATALINA_BASE > >>> > >>> tomcat$ cat conf/server.xml > >>> > >>> [...] <Connector port="8218" > >>> protocol="org.apache.coyote.http11.Http11AprProtocol" > >>> SSLEnabled="true" secure="true" scheme="https" > >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" > >>> SSLCertificateChainFile="[...]" SSLProtocol="all" > >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> [...] > >>> > >>> tomcat$ bin/startup.sh > >>> > >>> [...] Jan 04, 2014 3:17:26 PM > >>> org.apache.catalina.core.AprLifecycleListener init INFO: Loaded > >>> APR based Apache Tomcat Native library 1.1.30 using APR version > >>> 1.4.6. Jan 04, 2014 3:17:26 PM > >>> org.apache.catalina.core.AprLifecycleListener init INFO: APR > >>> capabilities: IPv6 [true], sendfile [true], accept filters > >>> [false], random [true]. Jan 04, 2014 3:17:26 PM > >>> org.apache.catalina.core.AprLifecycleListener initializeSSL > >>> INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb > >>> 2013) [...] > >>> > >>> tomcat$ openssl s_client -connect myhost:8218 [...] verify > >>> error:num=19:self signed certificate in certificate chain > >>> [...] SSL-Session: Protocol : TLSv1.2 Cipher : > >>> DHE-RSA-AES256-GCM-SHA384 [...] > >>> > >>> *disconnect* > >>> > >>> I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can > >>> connect using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher. > >>> > >>> Looks like TLS1.2 works just fine in the default configuration > >>> (SSLProtocol="all" is the default). > >>> > >>> Let's try your configuration. I'm only going to change > >>> SSLProtocol from "all" to "TLSv1": > >>> > >>> <Connector port="8218" > >>> protocol="org.apache.coyote.http11.Http11AprProtocol" > >>> SSLEnabled="true" secure="true" scheme="https" > >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" > >>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" > >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> > >>> > >>> * Restart Tomcat* > >>> > >>> tomcat$ openssl s_client -connect myhost:8218 [...] > >>> SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA > >>> [...] > >>> > >>> Trying again with Firefox 26 give me > >>> cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. > >>> > >>> Let's try restricting to only your cipher. Let's make sure that > >>> my OpenSSL version supports it, first: > >>> > >>> tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256 > >>> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA > >>> Enc=AES(128) Mac=SHA256 > >>> > >>> > >>> Yup. Let's configure it in Tomcat: > >>> > >>> <Connector port="8218" > >>> protocol="org.apache.coyote.http11.Http11AprProtocol" > >>> SSLEnabled="true" secure="true" scheme="https" > >>> SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256" > >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" > >>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" > >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> > >>> > >>> > >>> $ openssl s_client -connect myhost:8218 CONNECTED(00000003) > >>> 139718306563752:error:14077410:SSL > >>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake > >>> failure:s23_clnt.c:741: > >>> > >>> $ openssl s_client -tls1 -connect myhost:8218 > >>> CONNECTED(00000003) 139965071759016:error:14094410:SSL > >>> routines:SSL3_READ_BYTES:sslv3 alert handshake > >>> failure:s3_pkt.c:1256:SSL alert number 40 > >>> 139965071759016:error:1409E0E5:SSL > >>> routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596: > >>> > >>> $ openssl s_client -tls1_1 -connect myhost:8218 > >>> CONNECTED(00000003) 140680041133736:error:1408F10B:SSL > >>> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337: > >>> > >>> $ openssl s_client -tls1_2 -connect myhost:8218 > >>> CONNECTED(00000003) 139976873068200:error:1408F10B:SSL > >>> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337: > >>> > >>> Firefox also fails with "ssl_error_no_cypher_overlap". > >>> > >>> $ $ sslscan myhost:8218 _ ___ ___| |___ ___ __ _ _ __ / __/ > >>> __| / __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | | > >>> |___/___/_|___/\___\__,_|_| |_| > >>> > >>> Version 1.8.2 http://www.titania.co.uk Copyright Ian > >>> Ventura-Whiting 2009 > >>> > >>> Testing SSL server myhost on port 8218 > >>> > >>> Supported Server Cipher(s): Failed SSLv3 256 bits > >>> ECDHE-RSA-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> ECDHE-ECDSA-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> ECDHE-RSA-AES256-SHA384 Failed SSLv3 256 bits > >>> ECDHE-ECDSA-AES256-SHA384 Rejected SSLv3 256 bits > >>> ECDHE-RSA-AES256-SHA Rejected SSLv3 256 bits > >>> ECDHE-ECDSA-AES256-SHA Rejected SSLv3 256 bits > >>> SRP-DSS-AES-256-CBC-SHA Rejected SSLv3 256 bits > >>> SRP-RSA-AES-256-CBC-SHA Failed SSLv3 256 bits > >>> DHE-DSS-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> DHE-RSA-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> DHE-RSA-AES256-SHA256 Failed SSLv3 256 bits > >>> DHE-DSS-AES256-SHA256 Rejected SSLv3 256 bits > >>> DHE-RSA-AES256-SHA Rejected SSLv3 256 bits > >>> DHE-DSS-AES256-SHA Rejected SSLv3 256 bits > >>> DHE-RSA-CAMELLIA256-SHA Rejected SSLv3 256 bits > >>> DHE-DSS-CAMELLIA256-SHA Rejected SSLv3 256 bits > >>> AECDH-AES256-SHA Rejected SSLv3 256 bits > >>> SRP-AES-256-CBC-SHA Failed SSLv3 256 bits > >>> ADH-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> ADH-AES256-SHA256 Rejected SSLv3 256 bits ADH-AES256-SHA > >>> Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA Failed SSLv3 > >>> 256 bits ECDH-RSA-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> ECDH-ECDSA-AES256-GCM-SHA384 Failed SSLv3 256 bits > >>> ECDH-RSA-AES256-SHA384 Failed SSLv3 256 bits > >>> ECDH-ECDSA-AES256-SHA384 Rejected SSLv3 256 bits > >>> ECDH-RSA-AES256-SHA Rejected SSLv3 256 bits > >>> ECDH-ECDSA-AES256-SHA Failed SSLv3 256 bits > >>> AES256-GCM-SHA384 Failed SSLv3 256 bits AES256-SHA256 > >>> Rejected SSLv3 256 bits AES256-SHA Rejected SSLv3 256 bits > >>> CAMELLIA256-SHA Failed SSLv3 256 bits PSK-AES256-CBC-SHA > >>> Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA Rejected > >>> SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA Rejected SSLv3 168 > >>> bits SRP-DSS-3DES-EDE-CBC-SHA Rejected SSLv3 168 bits > >>> SRP-RSA-3DES-EDE-CBC-SHA Rejected SSLv3 168 bits > >>> EDH-RSA-DES-CBC3-SHA Rejected SSLv3 168 bits > >>> EDH-DSS-DES-CBC3-SHA Rejected SSLv3 168 bits > >>> AECDH-DES-CBC3-SHA Rejected SSLv3 168 bits > >>> SRP-3DES-EDE-CBC-SHA Rejected SSLv3 168 bits ADH-DES-CBC3-SHA > >>> Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA Rejected SSLv3 > >>> 168 bits ECDH-ECDSA-DES-CBC3-SHA Rejected SSLv3 168 bits > >>> DES-CBC3-SHA Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA > >>> Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256 Failed > >>> SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Failed SSLv3 > >>> 128 bits ECDHE-RSA-AES128-SHA256 Failed SSLv3 128 bits > >>> ECDHE-ECDSA-AES128-SHA256 Rejected SSLv3 128 bits > >>> ECDHE-RSA-AES128-SHA Rejected SSLv3 128 bits > >>> ECDHE-ECDSA-AES128-SHA Rejected SSLv3 128 bits > >>> SRP-DSS-AES-128-CBC-SHA Rejected SSLv3 128 bits > >>> SRP-RSA-AES-128-CBC-SHA Failed SSLv3 128 bits > >>> DHE-DSS-AES128-GCM-SHA256 Failed SSLv3 128 bits > >>> DHE-RSA-AES128-GCM-SHA256 Failed SSLv3 128 bits > >>> DHE-RSA-AES128-SHA256 Failed SSLv3 128 bits > >>> DHE-DSS-AES128-SHA256 Rejected SSLv3 128 bits > >>> DHE-RSA-AES128-SHA Rejected SSLv3 128 bits > >>> DHE-DSS-AES128-SHA Rejected SSLv3 128 bits DHE-RSA-SEED-SHA > >>> Rejected SSLv3 128 bits DHE-DSS-SEED-SHA Rejected SSLv3 > >>> 128 bits DHE-RSA-CAMELLIA128-SHA Rejected SSLv3 128 bits > >>> DHE-DSS-CAMELLIA128-SHA Rejected SSLv3 128 bits > >>> AECDH-AES128-SHA Rejected SSLv3 128 bits > >>> SRP-AES-128-CBC-SHA Failed SSLv3 128 bits > >>> ADH-AES128-GCM-SHA256 Failed SSLv3 128 bits > >>> ADH-AES128-SHA256 Rejected SSLv3 128 bits ADH-AES128-SHA > >>> Rejected SSLv3 128 bits ADH-SEED-SHA Rejected SSLv3 128 > >>> bits ADH-CAMELLIA128-SHA Failed SSLv3 128 bits > >>> ECDH-RSA-AES128-GCM-SHA256 Failed SSLv3 128 bits > >>> ECDH-ECDSA-AES128-GCM-SHA256 Failed SSLv3 128 bits > >>> ECDH-RSA-AES128-SHA256 Failed SSLv3 128 bits > >>> ECDH-ECDSA-AES128-SHA256 Rejected SSLv3 128 bits > >>> ECDH-RSA-AES128-SHA Rejected SSLv3 128 bits > >>> ECDH-ECDSA-AES128-SHA Failed SSLv3 128 bits > >>> AES128-GCM-SHA256 Failed SSLv3 128 bits AES128-SHA256 > >>> Rejected SSLv3 128 bits AES128-SHA Rejected SSLv3 128 bits > >>> SEED-SHA Rejected SSLv3 128 bits CAMELLIA128-SHA Failed > >>> SSLv3 128 bits PSK-AES128-CBC-SHA Rejected SSLv3 128 bits > >>> ECDHE-RSA-RC4-SHA Rejected SSLv3 128 bits > >>> ECDHE-ECDSA-RC4-SHA Rejected SSLv3 128 bits AECDH-RC4-SHA > >>> Rejected SSLv3 128 bits ADH-RC4-MD5 Rejected SSLv3 128 bits > >>> ECDH-RSA-RC4-SHA Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA > >>> Rejected SSLv3 128 bits RC4-SHA Rejected SSLv3 128 bits > >>> RC4-MD5 Failed SSLv3 128 bits PSK-RC4-SHA Rejected SSLv3 > >>> 56 bits EDH-RSA-DES-CBC-SHA Rejected SSLv3 56 bits > >>> EDH-DSS-DES-CBC-SHA Rejected SSLv3 56 bits ADH-DES-CBC-SHA > >>> Rejected SSLv3 56 bits DES-CBC-SHA Rejected SSLv3 40 bits > >>> EXP-EDH-RSA-DES-CBC-SHA Rejected SSLv3 40 bits > >>> EXP-EDH-DSS-DES-CBC-SHA Rejected SSLv3 40 bits > >>> EXP-ADH-DES-CBC-SHA Rejected SSLv3 40 bits EXP-DES-CBC-SHA > >>> Rejected SSLv3 40 bits EXP-RC2-CBC-MD5 Rejected SSLv3 40 > >>> bits EXP-ADH-RC4-MD5 Rejected SSLv3 40 bits EXP-RC4-MD5 > >>> Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA Rejected SSLv3 0 > >>> bits ECDHE-ECDSA-NULL-SHA Rejected SSLv3 0 bits > >>> AECDH-NULL-SHA Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA > >>> Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA Failed SSLv3 > >>> 0 bits NULL-SHA256 Rejected SSLv3 0 bits NULL-SHA > >>> Rejected SSLv3 0 bits NULL-MD5 Failed TLSv1 256 bits > >>> ECDHE-RSA-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> ECDHE-ECDSA-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> ECDHE-RSA-AES256-SHA384 Failed TLSv1 256 bits > >>> ECDHE-ECDSA-AES256-SHA384 Rejected TLSv1 256 bits > >>> ECDHE-RSA-AES256-SHA Rejected TLSv1 256 bits > >>> ECDHE-ECDSA-AES256-SHA Rejected TLSv1 256 bits > >>> SRP-DSS-AES-256-CBC-SHA Rejected TLSv1 256 bits > >>> SRP-RSA-AES-256-CBC-SHA Failed TLSv1 256 bits > >>> DHE-DSS-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> DHE-RSA-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> DHE-RSA-AES256-SHA256 Failed TLSv1 256 bits > >>> DHE-DSS-AES256-SHA256 Rejected TLSv1 256 bits > >>> DHE-RSA-AES256-SHA Rejected TLSv1 256 bits > >>> DHE-DSS-AES256-SHA Rejected TLSv1 256 bits > >>> DHE-RSA-CAMELLIA256-SHA Rejected TLSv1 256 bits > >>> DHE-DSS-CAMELLIA256-SHA Rejected TLSv1 256 bits > >>> AECDH-AES256-SHA Rejected TLSv1 256 bits > >>> SRP-AES-256-CBC-SHA Failed TLSv1 256 bits > >>> ADH-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> ADH-AES256-SHA256 Rejected TLSv1 256 bits ADH-AES256-SHA > >>> Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA Failed TLSv1 > >>> 256 bits ECDH-RSA-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> ECDH-ECDSA-AES256-GCM-SHA384 Failed TLSv1 256 bits > >>> ECDH-RSA-AES256-SHA384 Failed TLSv1 256 bits > >>> ECDH-ECDSA-AES256-SHA384 Rejected TLSv1 256 bits > >>> ECDH-RSA-AES256-SHA Rejected TLSv1 256 bits > >>> ECDH-ECDSA-AES256-SHA Failed TLSv1 256 bits > >>> AES256-GCM-SHA384 Failed TLSv1 256 bits AES256-SHA256 > >>> Rejected TLSv1 256 bits AES256-SHA Rejected TLSv1 256 bits > >>> CAMELLIA256-SHA Failed TLSv1 256 bits PSK-AES256-CBC-SHA > >>> Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA Rejected > >>> TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA Rejected TLSv1 168 > >>> bits SRP-DSS-3DES-EDE-CBC-SHA Rejected TLSv1 168 bits > >>> SRP-RSA-3DES-EDE-CBC-SHA Rejected TLSv1 168 bits > >>> EDH-RSA-DES-CBC3-SHA Rejected TLSv1 168 bits > >>> EDH-DSS-DES-CBC3-SHA Rejected TLSv1 168 bits > >>> AECDH-DES-CBC3-SHA Rejected TLSv1 168 bits > >>> SRP-3DES-EDE-CBC-SHA Rejected TLSv1 168 bits ADH-DES-CBC3-SHA > >>> Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA Rejected TLSv1 > >>> 168 bits ECDH-ECDSA-DES-CBC3-SHA Rejected TLSv1 168 bits > >>> DES-CBC3-SHA Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA > >>> Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256 Failed > >>> TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Failed TLSv1 > >>> 128 bits ECDHE-RSA-AES128-SHA256 Failed TLSv1 128 bits > >>> ECDHE-ECDSA-AES128-SHA256 Rejected TLSv1 128 bits > >>> ECDHE-RSA-AES128-SHA Rejected TLSv1 128 bits > >>> ECDHE-ECDSA-AES128-SHA Rejected TLSv1 128 bits > >>> SRP-DSS-AES-128-CBC-SHA Rejected TLSv1 128 bits > >>> SRP-RSA-AES-128-CBC-SHA Failed TLSv1 128 bits > >>> DHE-DSS-AES128-GCM-SHA256 Failed TLSv1 128 bits > >>> DHE-RSA-AES128-GCM-SHA256 Failed TLSv1 128 bits > >>> DHE-RSA-AES128-SHA256 Failed TLSv1 128 bits > >>> DHE-DSS-AES128-SHA256 Rejected TLSv1 128 bits > >>> DHE-RSA-AES128-SHA Rejected TLSv1 128 bits > >>> DHE-DSS-AES128-SHA Rejected TLSv1 128 bits DHE-RSA-SEED-SHA > >>> Rejected TLSv1 128 bits DHE-DSS-SEED-SHA Rejected TLSv1 > >>> 128 bits DHE-RSA-CAMELLIA128-SHA Rejected TLSv1 128 bits > >>> DHE-DSS-CAMELLIA128-SHA Rejected TLSv1 128 bits > >>> AECDH-AES128-SHA Rejected TLSv1 128 bits > >>> SRP-AES-128-CBC-SHA Failed TLSv1 128 bits > >>> ADH-AES128-GCM-SHA256 Failed TLSv1 128 bits > >>> ADH-AES128-SHA256 Rejected TLSv1 128 bits ADH-AES128-SHA > >>> Rejected TLSv1 128 bits ADH-SEED-SHA Rejected TLSv1 128 > >>> bits ADH-CAMELLIA128-SHA Failed TLSv1 128 bits > >>> ECDH-RSA-AES128-GCM-SHA256 Failed TLSv1 128 bits > >>> ECDH-ECDSA-AES128-GCM-SHA256 Failed TLSv1 128 bits > >>> ECDH-RSA-AES128-SHA256 Failed TLSv1 128 bits > >>> ECDH-ECDSA-AES128-SHA256 Rejected TLSv1 128 bits > >>> ECDH-RSA-AES128-SHA Rejected TLSv1 128 bits > >>> ECDH-ECDSA-AES128-SHA Failed TLSv1 128 bits > >>> AES128-GCM-SHA256 Failed TLSv1 128 bits AES128-SHA256 > >>> Rejected TLSv1 128 bits AES128-SHA Rejected TLSv1 128 bits > >>> SEED-SHA Rejected TLSv1 128 bits CAMELLIA128-SHA Failed > >>> TLSv1 128 bits PSK-AES128-CBC-SHA Rejected TLSv1 128 bits > >>> ECDHE-RSA-RC4-SHA Rejected TLSv1 128 bits > >>> ECDHE-ECDSA-RC4-SHA Rejected TLSv1 128 bits AECDH-RC4-SHA > >>> Rejected TLSv1 128 bits ADH-RC4-MD5 Rejected TLSv1 128 bits > >>> ECDH-RSA-RC4-SHA Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA > >>> Rejected TLSv1 128 bits RC4-SHA Rejected TLSv1 128 bits > >>> RC4-MD5 Failed TLSv1 128 bits PSK-RC4-SHA Rejected TLSv1 > >>> 56 bits EDH-RSA-DES-CBC-SHA Rejected TLSv1 56 bits > >>> EDH-DSS-DES-CBC-SHA Rejected TLSv1 56 bits ADH-DES-CBC-SHA > >>> Rejected TLSv1 56 bits DES-CBC-SHA Rejected TLSv1 40 bits > >>> EXP-EDH-RSA-DES-CBC-SHA Rejected TLSv1 40 bits > >>> EXP-EDH-DSS-DES-CBC-SHA Rejected TLSv1 40 bits > >>> EXP-ADH-DES-CBC-SHA Rejected TLSv1 40 bits EXP-DES-CBC-SHA > >>> Rejected TLSv1 40 bits EXP-RC2-CBC-MD5 Rejected TLSv1 40 > >>> bits EXP-ADH-RC4-MD5 Rejected TLSv1 40 bits EXP-RC4-MD5 > >>> Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA Rejected TLSv1 0 > >>> bits ECDHE-ECDSA-NULL-SHA Rejected TLSv1 0 bits > >>> AECDH-NULL-SHA Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA > >>> Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA Failed TLSv1 > >>> 0 bits NULL-SHA256 Rejected TLSv1 0 bits NULL-SHA > >>> Rejected TLSv1 0 bits NULL-MD5 > >>> > >>> The cipher appears to be supported by both client (OpenSSL > >>> s_client) and server (Also using the same version of OpenSSL) > >>> but the handshake cannot complete. > >>> > >>> Let's try another cipher. How about one that worked before: > >>> DHE-RSA-AES256-SHA > >>> > >>> > >>> <Connector port="8218" > >>> protocol="org.apache.coyote.http11.Http11AprProtocol" > >>> SSLEnabled="true" secure="true" scheme="https" > >>> SSLCipherSuite="DHE-RSA-AES256-SHA" > >>> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" > >>> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" > >>> executor="tomcatThreadPool" URIEncoding="UTF-8" /> > >>> > >>> $ openssl c_client -connect myhost:8218 [...] SSL-Session: > >>> Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA [...] > >>> > >>> Works. Firefox 26 also works. > >>> > >>> There must be some kind of problem with configuring > >>> ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher? > >> > >> Oh, I also tried this: > >> > >> <Connector port="8218" > >> protocol="org.apache.coyote.http11.Http11AprProtocol" > >> SSLEnabled="true" secure="true" scheme="https" > >> SSLCertificateKeyFile="[...]" SSLCertificateFile="[...]" > >> SSLCertificateChainFile="[...]" SSLProtocol="TLSv1" > >> executor="tomcatThreadPool" URIEncoding="UTF-8" /> > >> > >> $ openssl s_client -connect myhost:8218 -cipher > >> ECDHE-ECDSA-AES128-SHA256 CONNECTED(00000003) > >> 140418231797416:error:14077410:SSL > >> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake > >> failure:s23_clnt.c:741: > >> > >> (Try some other cipher) $ openssl s_client -connect myhost:8218 > >> -cipher DHE-RSA-AES256-SHA > >> > >> [...] SSL-Session: Protocol : TLSv1 Cipher : > >> DHE-RSA-AES256-SHA [...] > >> > >> $ sslscan myhost:8218 | grep ECDHE-ECDSA Failed SSLv3 256 > >> bits ECDHE-ECDSA-AES256-GCM-SHA384 Failed SSLv3 256 bits > >> ECDHE-ECDSA-AES256-SHA384 Rejected SSLv3 256 bits > >> ECDHE-ECDSA-AES256-SHA Rejected SSLv3 168 bits > >> ECDHE-ECDSA-DES-CBC3-SHA Failed SSLv3 128 bits > >> ECDHE-ECDSA-AES128-GCM-SHA256 Failed SSLv3 128 bits > >> ECDHE-ECDSA-AES128-SHA256 Rejected SSLv3 128 bits > >> ECDHE-ECDSA-AES128-SHA Rejected SSLv3 128 bits > >> ECDHE-ECDSA-RC4-SHA Rejected SSLv3 0 bits > >> ECDHE-ECDSA-NULL-SHA Failed TLSv1 256 bits > >> ECDHE-ECDSA-AES256-GCM-SHA384 Failed TLSv1 256 bits > >> ECDHE-ECDSA-AES256-SHA384 Rejected TLSv1 256 bits > >> ECDHE-ECDSA-AES256-SHA Rejected TLSv1 168 bits > >> ECDHE-ECDSA-DES-CBC3-SHA Failed TLSv1 128 bits > >> ECDHE-ECDSA-AES128-GCM-SHA256 Failed TLSv1 128 bits > >> ECDHE-ECDSA-AES128-SHA256 Rejected TLSv1 128 bits > >> ECDHE-ECDSA-AES128-SHA Rejected TLSv1 128 bits > >> ECDHE-ECDSA-RC4-SHA Rejected TLSv1 0 bits > >> ECDHE-ECDSA-NULL-SHA > >> > >> It looks like there is something wrong with the ECDHE-ECDSA > >> suites. If anything, this is an OpenSSL problem and not a Tomcat > >> one: Tomcat doesn't do anything with the crypto, here. > >> > >> - -chris > > > > Did you make an ECDSA cert? > > > > . . . . still in RFP response mode, so only 1/2 cent here > > ECDHE is Elliptic curve Diffie–Hellman Exchange, which is just DHE > with elliptic curve. Note that I was able to use other (non-EC) DHE > ciphers. > > AFAIK, the only choice you have when creating an SSL/TLS certificate > is whether to create an RSA or DSA key. The problem is more likely > that the "ECDSA" part of the algorithm won't work without a DSA key. > > Thanks for pointing that out. > > On the other hand, it appears that no ECDHE ciphers are working: > > $ sslscan myhost:8218 | grep ECDHE > Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384 > Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 > Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384 > Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384 > Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA > Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA > Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA > Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA > Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256 > Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 > Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256 > Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256 > Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA > Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA > Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA > Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA > Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA > Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA > Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384 > Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 > Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384 > Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384 > Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA > Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA > Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA > Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA > Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256 > Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 > Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256 > Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256 > Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA > Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA > Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA > Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA > Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA > Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA > > OpenSSL does have a few new tricks since the EC stuff was added, though: > > $ openssl --help > [...] > dhparam > ecparam > ec > gendh > genpkey > pkeyparam > [...] > > It looks like these algorithms probably *do* require a different > flavor of key, and not just a standard RSA key like most folks are > used to (and even if the algorithm contains "RSA" and not "DSA", among > other things). > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJSyK8XAAoJEBzwKT+lPKRYcTIP/3fxN7Ctf+ROs2hbvXgmQT5P > xE2VIFXP8wIAhiSogDmMKipx5T7zR06JzwutB/5a/0rZ2n+nMy5bVmkgA9K1ZiDH > n4Ccfr8zpanTSt51GhXg5rLwg2LAB3KrnL2Dyb8sI0g2QEmoh0XgFTbGwcBeuin3 > 2ZAXC/y5QhKoUBk7Iv66AoQ7YTV8kJJpwIjBY4Mhbd9sZTRh7YWKtAwbXEkuveqz > 5M3rv/H4aDS4FE6zgZ2fgUy4qAnoyr+1wjC1vWIdPe7BEe4tlDoI/tx95H7ggjvr > Gy5FomHSoHvV2EkjzWJdiD/g5HW43AjpkpCLwLjlDnufLFgZtRbrVXMX8QxHjL2G > V5F6cb/+ZUXGoUgyBiFsG1QkJELcKP7BLBu2ew3BBiW8ybrFPulIQet97EZ0nE4/ > aTJxx7AnjMjuHlYHGu3q2xz983SViulYtJ1iShbpYESePQfnA77aEqmP9nytD6Dg > gqgudz7ecy1x5nGkYj8VT4/6Tkc6t8kGIQGWoQbJoEt4cQWfQVOZP+lFKtXkGwxL > 7b0ykx6b+x/pvEHPttYTMzRbYMnQ5mInhT6266jPPQThcLOXwjn16PD9UQkslFp9 > nxbpoj5o7S86qfB/XONL+E9WgWfpWmgkLKMQ06pYeZLo0L47RERg20eSLhNYRUTu > VRRJySduvE3hWnCj5IZp > =Jak9 > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >