Most of the people puking here regarding the TLSv1.1 and TLSv1.2 support in Tomcat 7.0.47, or just trying themselves to look over-smart.
Hi Mudassir,

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. You have to apply these two patches in order to run TLSv1.1 and TLSv1.2:

https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spent 5 hours to test this. I am using Ubuntu trusty. Here is my test result:

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
Server certificate
[...]
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID: AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key: 45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [...]

    Start Time: 1388926368
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0

/////////////////*******Server.xml***********************///////////////////////////

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLProtocol="all" clientAuth="false"
           SSLCertificateFile="/home/san/sinful.pem"
           SSLCertificateKeyFile="/home/san/sinful.key" />

How to apply the patches:

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 : this patch will be applied to tomcat-native-1.1.29. After the patch, compile it using:

   cd tomcat-native-1.1.29/jni/native/
   ./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes --with-apr=/usr/bin/apr-1-config
   make
   cd tomcat-native-1.1.29/jni
   ant

   Copy the libs and place them in the default lib directory of Ubuntu:

   cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/

2- Get the source code of tomcat-7.0.47. Install JDK 6. Apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166 to tomcat-7.0.47. Export the JDK 6 path. Run "ant" in the source folder. This will download many files and also compile the code. There will be some errors related to SSLv2; comment out that code, as SSLv2 is no longer supported. After the successful build, start the Tomcat server.

Let me know if there are still any errors.

Regards,
San

On Sun, Jan 5, 2014 at 12:17 PM, Terence M. Bandoian <tere...@tmbsw.com> wrote:
> On 1/4/2014 3:08 PM, Christopher Schultz wrote:
> > Mudassir,
> >
> > On 1/3/14, 5:27 PM, Mudassir Aftab wrote:
> > > Again, we have to submit this as a bug.....TLS 1.2 is not working
> > > in Tomcat
> >
> > Tomcat 7.0.74
> > Oracle Java 1.7.0_45
> > tcnative 1.1.29 trunk (essentially 1.2.29)
> >
> > tcnative$ make clean
> > tcnative$ ./configure --with-apr=`which apr-config` --with-java-home=/usr/local/java-7 --with-ssl
> > tcnative$ time make
> > [...]
> > make[1]: Leaving directory `/home/cschultz/projects/tomcat-native-1.1.x/native'
> >
> > real 0m14.790s
> > user 0m15.300s
> > sys 0m1.840s
> >
> > tcnative$ cp -d .libs/* $CATALINA_HOME/bin
> >
> > tcnative$ cd $CATALINA_BASE
> >
> > tomcat$ cat conf/server.xml
> >
> > [...]
> > <Connector port="8218"
> >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            SSLEnabled="true"
> >            secure="true"
> >            scheme="https"
> >            SSLCertificateKeyFile="[...]"
> >            SSLCertificateFile="[...]"
> >            SSLCertificateChainFile="[...]"
> >            SSLProtocol="all"
> >            executor="tomcatThreadPool"
> >            URIEncoding="UTF-8" />
> > [...]
> >
> > tomcat$ bin/startup.sh
> >
> > [...]
> > Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.6.
> > Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> > Jan 04, 2014 3:17:26 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
> > INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
> > [...]
> >
> > tomcat$ openssl s_client -connect myhost:8218
> > [...]
> > verify error:num=19:self signed certificate in certificate chain
> > [...]
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : DHE-RSA-AES256-GCM-SHA384
> > [...]
> >
> > *disconnect*
> >
> > I can confirm that Mozilla Firefox 26 on Mac OS X 10.9 can connect
> > using TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA cipher.
> >
> > Looks like TLS1.2 works just fine in the default configuration
> > (SSLProtocol="all" is the default).
> >
> > Let's try your configuration. I'm only going to change SSLProtocol
> > from "all" to "TLSv1":
> >
> > <Connector port="8218"
> >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            SSLEnabled="true"
> >            secure="true"
> >            scheme="https"
> >            SSLCertificateKeyFile="[...]"
> >            SSLCertificateFile="[...]"
> >            SSLCertificateChainFile="[...]"
> >            SSLProtocol="TLSv1"
> >            executor="tomcatThreadPool"
> >            URIEncoding="UTF-8" />
> >
> > *Restart Tomcat*
> >
> > tomcat$ openssl s_client -connect myhost:8218
> > [...]
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DHE-RSA-AES256-SHA
> > [...]
> >
> > Trying again with Firefox 26 gives me
> > cipher=TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA.
> >
> > Let's try restricting to only your cipher. Let's make sure that my
> > OpenSSL version supports it, first:
> >
> > tomcat$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-SHA256
> > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
> >
> > Yup. Let's configure it in Tomcat:
> >
> > <Connector port="8218"
> >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            SSLEnabled="true"
> >            secure="true"
> >            scheme="https"
> >            SSLCipherSuite="ECDHE-ECDSA-AES128-SHA256"
> >            SSLCertificateKeyFile="[...]"
> >            SSLCertificateFile="[...]"
> >            SSLCertificateChainFile="[...]"
> >            SSLProtocol="TLSv1"
> >            executor="tomcatThreadPool"
> >            URIEncoding="UTF-8" />
> >
> > $ openssl s_client -connect myhost:8218
> > CONNECTED(00000003)
> > 139718306563752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
> >
> > $ openssl s_client -tls1 -connect myhost:8218
> > CONNECTED(00000003)
> > 139965071759016:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> > 139965071759016:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
> >
> > $ openssl s_client -tls1_1 -connect myhost:8218
> > CONNECTED(00000003)
> > 140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> >
> > $ openssl s_client -tls1_2 -connect myhost:8218
> > CONNECTED(00000003)
> > 139976873068200:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> >
> > Firefox also fails with "ssl_error_no_cypher_overlap".
> >
> > $ sslscan myhost:8218
> >
> > Version 1.8.2
> > http://www.titania.co.uk
> > Copyright Ian Ventura-Whiting 2009
> >
> > Testing SSL server myhost on port 8218
> >
> > Supported Server Cipher(s):
> > [...]
> >
> > The cipher appears to be supported by both client (OpenSSL s_client)
> > and server (also using the same version of OpenSSL) but the handshake
> > cannot complete.
> >
> > Let's try another cipher. How about one that worked before:
> > DHE-RSA-AES256-SHA
> >
> > <Connector port="8218"
> >            protocol="org.apache.coyote.http11.Http11AprProtocol"
> >            SSLEnabled="true"
> >            secure="true"
> >            scheme="https"
> >            SSLCipherSuite="DHE-RSA-AES256-SHA"
> >            SSLCertificateKeyFile="[...]"
> >            SSLCertificateFile="[...]"
> >            SSLCertificateChainFile="[...]"
> >            SSLProtocol="TLSv1"
> >            executor="tomcatThreadPool"
> >            URIEncoding="UTF-8" />
> >
> > $ openssl s_client -connect myhost:8218
> > [...]
> > SSL-Session:
> >     Protocol  : TLSv1
> >     Cipher    : DHE-RSA-AES256-SHA
> > [...]
> >
> > Works. Firefox 26 also works.
> >
> > There must be some kind of problem with configuring
> > ECDHE-ECDSA-AES128-SHA256 specifically. Try another cipher?
> >
> > -chris
>
> Nice work. Really generous.
>
> -Terence Bandoian
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
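Added example, not code from the thread or from the Tomcat project: a small Python probe that automates the per-version `openssl s_client -tls1 / -tls1_1 / -tls1_2` checks the posters ran by hand, parses the SSL-Session block, flags a server that still accepts TLSv1 or TLSv1.1, and treats the `Cipher : 0000` block s_client prints after a handshake error as a refusal rather than a success. The `run` parameter is an assumed injectable command runner so the parsing can be exercised offline on the constructed sample outputs below; `probe(host, port)` with no runner calls the real openssl binary.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Flags that pin openssl s_client to exactly one protocol version.
PROTOCOL_FLAGS = {"TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2"}
# Versions a defender should flag if the server still accepts them.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
# Cipher values s_client prints in the SSL-Session block when no handshake completed.
NO_CIPHER = {None, "0000", "(NONE)"}


def parse_s_client(output: str) -> Dict[str, Optional[str]]:
    """Pull protocol, cipher, verify code and handshake error out of s_client output."""
    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "verify_code": grab(r"Verify return code:\s*(\d+)"),
        # Error lines look like 'NNN:error:<hex>:SSL routines:<function>:<reason>:<file>:<line>:'
        "error": grab(r"error:[0-9A-Fa-f]+:SSL routines:[^:]+:([^:]+):"),
    }


def _run_openssl(cmd: List[str]) -> str:
    # Empty stdin makes s_client exit right after the handshake; errors go to stderr.
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=15)
    return proc.stdout + proc.stderr


def probe(host: str, port: int, run: Callable[[List[str]], str] = _run_openssl) -> Dict[str, dict]:
    """Offer each protocol version on its own and record whether the server took it."""
    results = {}
    for name, flag in PROTOCOL_FLAGS.items():
        info = parse_s_client(run(["openssl", "s_client", flag, "-connect", f"{host}:{port}"]))
        # A 'Cipher : 0000' block is still printed after a failed handshake, so check the error too.
        info["accepted"] = info["error"] is None and info["cipher"] not in NO_CIPHER
        info["deprecated"] = info["accepted"] and name in DEPRECATED
        results[name] = info
    return results


# Constructed sample outputs modelled on the thread; not captured from a real host.
SAMPLE_OK = """CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""
SAMPLE_FAIL = """CONNECTED(00000003)
140680041133736:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Verify return code: 0 (ok)
"""


def demo() -> Dict[str, dict]:
    """Offline run against a pretend server that, like the patched Tomcat, only speaks TLSv1.2."""
    return probe("127.0.0.1", 8443, run=lambda cmd: SAMPLE_OK if "-tls1_2" in cmd else SAMPLE_FAIL)
```

`demo()` returns one dict per protocol version with `accepted`, `deprecated`, `cipher`, `verify_code` and `error`; a non-zero `verify_code` (18 here, the self-signed case from the thread) is worth surfacing alongside the protocol result.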