Hello, I have been working to set up Apache Tomcat 8.5.15 to establish a secure connection to web applications on our server. However, I have been having difficulties setting up this functionality.
The most meaningful error we have been getting is from Firefox: "Unsupported elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE". We have set up Tomcat to fully debug javax.net, and from these logs it appears that the handshake is failing at the server or client key exchange. Below is the output after reaching the server key exchange:

    ECDH ServerKeyExchange
    Signature Algorithm SHA256withRSA
    Server key:
    <key value>
    *** ServerHelloDone
    [write] MD5 and SHA1 hashes:  len = 5073
    <Large block of hex>
    https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
    [Raw write]: length = 5078
    <Large block of hex>
    https-jsse-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 5073
    [Raw write]: length = 5078
    <Large block of hex>
    [Raw read]: length = 2
    <small block of hex>
    <Large block of hex>
    https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
    https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT:  fatal, illegal_parameter
    https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
    https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
    https-jsse-nio-8443-exec-5, called closeOutbound()
    https-jsse-nio-8443-exec-5, closeOutboundInternal()
    https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT:  warning, description = close_notify
    https-jsse-nio-8443-exec-5, WRITE: TLSv1.2 Alert, length = 2

--------------------------------------------------------------------------------

There isn't any error output from stderr, only standard print statements. The cipher suite that is chosen is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Below are some details about the machine we are running Tomcat on:

- Windows Server 2012 R2, 64 bit
- 16 GB RAM
- 2.2 GHz Intel Xeon CPU
- Java 1.8.131

Here is the connector in our server.xml file:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               defaultSSLHostConfigName="<hostname>">
        <SSLHostConfig hostname="<hostname>"
                       protocols="TLSv1.2"
                       sslProtocol="TLSv1.2">
            <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
                         certificateKeystorePassword="<password>"
                         certificateKeystoreType="PKCS12"
                         type="RSA"/>
        </SSLHostConfig>
    </Connector>

Some additional notes:

1. The server we are running this on is internal and therefore can't be accessed outside our network.
2. The web browser on the machine is unable to access the web application locally due to our network security.
3. I am able to connect via http to the web apps.

Any assistance that could be provided in this matter would be greatly appreciated.

Thank you,
Kevin
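The debug log above shows the server finishing its ECDH ServerKeyExchange and the client answering with a fatal illegal_parameter alert, and Firefox's own error name says it did not like the elliptic curve. The one fact that settles such a case is the named_curve id in the ServerKeyExchange, which the javax.net.debug output only prints as a hex dump. The script below is an added diagnostic written for this post, not something from the original thread or from Tomcat: it walks a TLS 1.2 handshake flight (the [Raw write] bytes, or the bare handshake payload), pulls the ECDHE ServerKeyExchange apart per RFC 8422, names the curve, and flags whether a browser would have offered it. The set BROWSER_CURVES is an assumption about what an NSS-based browser advertises in supported_groups, and the two flights in the main block are constructed test vectors, not real keys or signatures.

```python
"""Find the ECDHE ServerKeyExchange in a TLS 1.2 server flight and report its curve."""
import struct

HANDSHAKE_RECORD = 0x16
HS_SERVER_KEY_EXCHANGE = 0x0C
HS_SERVER_HELLO_DONE = 0x0E
CURVE_TYPE_NAMED = 3

# Subset of the IANA "TLS Supported Groups" registry (RFC 8422 / RFC 7919).
NAMED_CURVES = {
    1: "sect163k1", 2: "sect163r1", 3: "sect163r2", 4: "sect193r1", 5: "sect193r2",
    6: "sect233k1", 7: "sect233r1", 8: "sect239k1", 9: "sect283k1", 10: "sect283r1",
    11: "sect409k1", 12: "sect409r1", 13: "sect571k1", 14: "sect571r1",
    15: "secp160k1", 16: "secp160r1", 17: "secp160r2", 18: "secp192k1", 19: "secp192r1",
    20: "secp224k1", 21: "secp224r1", 22: "secp256k1", 23: "secp256r1",
    24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448",
}

# Assumption for this example: the named groups an NSS-based browser such as
# Firefox advertises in supported_groups. A server that picks a curve outside
# the client's list gets an illegal_parameter alert back.
BROWSER_CURVES = {23, 24, 25, 29}


def iter_handshake_messages(data: bytes):
    """Yield (msg_type, body) for every handshake message in `data`.

    `data` may be one or more TLS records (as in a [Raw write] dump) or the
    bare handshake payload (as in a "WRITE: TLSv1.2 Handshake" dump)."""
    payload = bytearray()
    if data[:1] == bytes([HANDSHAKE_RECORD]):
        pos = 0
        while pos + 5 <= len(data):
            ctype, _ver, length = struct.unpack("!BHH", data[pos:pos + 5])
            if ctype != HANDSHAKE_RECORD:
                raise ValueError("non-handshake record in flight")
            payload += data[pos + 5:pos + 5 + length]
            pos += 5 + length
    else:
        payload = bytearray(data)
    pos = 0
    while pos + 4 <= len(payload):
        msg_type = payload[pos]
        length = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = bytes(payload[pos + 4:pos + 4 + length])
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        pos += 4 + length


def parse_ecdhe_server_key_exchange(body: bytes) -> dict:
    """Parse an ECDHE ServerKeyExchange body (RFC 8422 section 5.4) with a TLS 1.2 signature."""
    curve_type = body[0]
    if curve_type != CURVE_TYPE_NAMED:
        # explicit_prime / explicit_char2 (deprecated) or unknown: no curve id to report
        return {"curve_type": curve_type, "curve_id": None, "curve": None}
    curve_id = int.from_bytes(body[1:3], "big")
    point_len = body[3]
    point = body[4:4 + point_len]
    off = 4 + point_len
    sig_alg = int.from_bytes(body[off:off + 2], "big")
    sig_len = int.from_bytes(body[off + 2:off + 4], "big")
    sig = body[off + 4:off + 4 + sig_len]
    if len(point) != point_len or len(sig) != sig_len:
        raise ValueError("truncated ServerKeyExchange")
    return {"curve_type": curve_type, "curve_id": curve_id,
            "curve": NAMED_CURVES.get(curve_id, "unknown(%d)" % curve_id),
            "point_len": point_len, "sig_alg": "0x%04x" % sig_alg, "sig_len": sig_len}


def diagnose(flight: bytes, client_curves=frozenset(BROWSER_CURVES)) -> dict:
    """Locate the ServerKeyExchange and say whether the client would accept its curve."""
    for msg_type, body in iter_handshake_messages(flight):
        if msg_type == HS_SERVER_KEY_EXCHANGE:
            info = parse_ecdhe_server_key_exchange(body)
            info["client_accepts"] = info["curve_id"] in client_curves
            return info
    raise ValueError("no ServerKeyExchange in flight")


def build_flight(curve_id: int, point: bytes, sig: bytes) -> bytes:
    """Constructed test input: one record carrying ServerKeyExchange + ServerHelloDone."""
    ske = bytes([CURVE_TYPE_NAMED]) + curve_id.to_bytes(2, "big") + bytes([len(point)]) + point
    ske += b"\x04\x01" + len(sig).to_bytes(2, "big") + sig  # rsa_pkcs1_sha256 (SHA256withRSA)
    msgs = bytes([HS_SERVER_KEY_EXCHANGE]) + len(ske).to_bytes(3, "big") + ske
    msgs += bytes([HS_SERVER_HELLO_DONE]) + b"\x00\x00\x00"
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(msgs)) + msgs


if __name__ == "__main__":
    # Constructed vectors, not real keys: an uncompressed P-256 point is 65 bytes (0x04 || X || Y),
    # a sect283k1 point 73 bytes. sect283k1 is a curve browsers do not offer.
    good = build_flight(23, b"\x04" + b"\x11" * 64, b"\xaa" * 256)
    bad = build_flight(9, b"\x04" + b"\x22" * 72, b"\xaa" * 256)
    for name, flight in (("secp256r1", good), ("sect283k1", bad)):
        print(name, diagnose(flight))
```

To use it on the real log, convert the hex of the "[Raw write]: length = 5078" dump that carries the Certificate, ServerKeyExchange and ServerHelloDone messages into bytes and pass it to diagnose(); the parser skips the Certificate message and reports the curve the server actually chose, which can then be compared against what the client offers.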