Nikitha,

On 8/5/15 6:52 AM, Nikitha Benny wrote:
> Thank you for your valuable suggestion.
>
> I just ran the openssl s_client scan, and it looks like the server
> side is running fine on *TLSv1.2* Protocol.
>
> [root]## *openssl s_client -connect 16.183.93.84:8444 <http://16.183.93.84:8444>*
> CONNECTED(00000003)
> - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> 9ICKPG6kxtrZMUUnb/RgYH0FEqAWxvAbj08ZtJXHoGyRAmFcLKUtQBw8wifqXjYP
> dok1aLR6ZwG+iD+urs1SLFyUmENSywwZtrKpgorQR+LRtC77E3gyNSmJP+i02SpC
> Dwt/kR6w4FmSD+k3+RJik2+SabfTbE1F2Iho/XLFyU0SwKEhi54pdYohuuEfFwnU
> d/A4
> -----END CERTIFICATE-----
> subject=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN= IWFVM01284.hpswlabs.adapps.hp.com
> issuer=/C=US/ST=California/L=Palo Alto/O=Hewlett-Packard/OU=OpenView/CN= IWFVM01284.hpswlabs.adapps.hp.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1476 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol : *TLSv1.2*
>     Cipher : 0000
>     Session-ID: 55C1E8659A3AEABEA2844E153BB8BF666936B6EC38C5777B60202AF0712E5377
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1438771286
>     Timeout : 300 (sec)
>     Verify return code: 18 (self signed certificate)
>
> So could it be an issue with the browser? Since the browser is not
> FIPS compliant, could it be the reason for the issue?

FIPS compliance is really nothing more than using a certified set of
ciphers, and having the crypto module self-verify when it initializes
to ensure that it has not been tampered with. So a FIPS-certified stack
connecting to a non-FIPS-certified stack is no different than
FIPS-to-FIPS or FIPS-less-to-FIPS-less. It will work whether FIPS
compliance is met on either side of the connection or not.

IIRC (I haven't read the requirements recently), every truly
FIPS-compliant environment is currently vulnerable because FIPS
requires the support of known vulnerable protocols such as SSL3 as well
as a few required ciphers that were intentionally weakened by the NSA.
If you want to be FIPS-compliant, I suggest that you be "nominally"
FIPS compliant and disable all of the bad stuff FIPS requires, yet
adhere to the rest of the requirements.

-chris
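
Added example, not part of the original thread: a small parser for the `openssl s_client` summary quoted above. In s_client output, `Cipher is (NONE)` together with a session cipher of `0000` means no cipher suite was negotiated, so the `Protocol` line alone does not show a completed handshake. The function names are hypothetical and the sample is constructed from the summary lines in the quoted output, without the poster's `*` emphasis markers.

```python
import re

# Constructed sample: summary lines taken from the s_client output quoted in the thread.
SAMPLE = """\
CONNECTED(00000003)
SSL handshake has read 1476 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 18 (self signed certificate)
"""

def parse_s_client(text):
    """Extract handshake facts from an `openssl s_client` summary (hypothetical helper)."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None

    negotiated = grab(r"^New, .*Cipher is (.+)$")
    session_cipher = grab(r"^[ \t]*Cipher[ \t]*:[ \t]*(\S+)")
    verify = grab(r"Verify return code:\s*(\d+)")
    written = grab(r"SSL handshake has read \d+ bytes and written (\d+) bytes")
    # "(NONE)" / "0000" are what s_client prints when no suite was agreed.
    no_cipher = negotiated in (None, "(NONE)") or session_cipher in (None, "0000")
    return {
        "protocol": grab(r"^[ \t]*Protocol[ \t]*:[ \t]*(\S+)"),
        "cipher": None if no_cipher else negotiated,
        "handshake_completed": not no_cipher,
        "bytes_written": int(written) if written else None,
        "verify_code": int(verify) if verify else None,
    }

def findings(result):
    """Turn the parsed summary into human-readable findings."""
    out = []
    if not result["handshake_completed"]:
        out.append("no cipher suite negotiated: handshake did not complete")
    if result["verify_code"] not in (None, 0):
        out.append("certificate verification failed (code %d)" % result["verify_code"])
    return out

if __name__ == "__main__":
    for line in findings(parse_s_client(SAMPLE)):
        print(line)
```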