Sorry, so this Tomcat will connect to other web applications hosted somewhere else in your network? Is my understanding correct?
On Fri, Jul 7, 2017 at 12:38 AM, Kevin Mango <kma...@nysif.com> wrote:
> Hello,
>
> I have been working to set up Apache Tomcat 8.5.15 to establish a secure
> connection to web applications on our server. However I have been having
> difficulties setting up this functionality.
>
> The most meaningful error we have been getting is from Firefox,
> "Unsupported elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE".
> We have set up Tomcat to fully debug javax.net, and from these logs it
> appears that the handshake is failing at the server or client key
> exchanges. Below is the output after reaching the server key exchange:
>
> ECDH ServerKeyExchange
> Signature Algorithm SHA256withRSA
> Server key: <key value>
> *** ServerHelloDone
> [write] MD5 and SHA1 hashes: len = 5073
> <Large block of hex>
> https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
> [Raw write]: length = 5078
> <Large block of hex>
> https-jsse-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 5073
> [Raw write]: length = 5078
> <Large block of hex>
> [Raw read]: length = 2
> <small block of hex>
> <Large block of hex>
> https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
> https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT: fatal, illegal_parameter
> https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing
> javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
> https-jsse-nio-8443-exec-5, fatal: engine already closed. Rethrowing
> javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
> https-jsse-nio-8443-exec-5, called closeOutbound()
> https-jsse-nio-8443-exec-5, closeOutboundInternal()
> https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT: warning, description = close_notify
> https-jsse-nio-8443-exec-5, WRITE: TLSv1.2 Alert, length = 2
> ------------------------------------------------------------
>
> There isn't any error output from stderr, only standard print statements.
> The cipher suite that is chosen is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
> Below are some details about the machine we are running Tomcat on:
>
> Windows Server 2012 R2 64 bit
> 16 GB RAM
> 2.2 GHz Intel Xeon CPU
> Java 1.8.131
>
> Here is the connector in our server.xml file:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            defaultSSLHostConfigName="<hostname>">
>
>     <SSLHostConfig
>         hostname="<hostname>"
>         protocols="TLSv1.2"
>         sslProtocol="TLSv1.2">
>         <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
>                      certificateKeystorePassword="<password>"
>                      certificateKeystoreType="PKCS12"
>                      type="RSA"/>
>     </SSLHostConfig>
>
> </Connector>
>
> Some additional notes:
>
> 1. The server we are running this on is internal and therefore can't be
>    accessed outside our network
> 2. The web browser on the machine is unable to access the web
>    application locally due to our network security
> 3. I am able to connect via http to the web apps
>
> Any assistance that could be provided in this matter would be greatly
> appreciated.
>
> Thank you,
> Kevin

-- 
Guang <http://javadevnotes.com/java-double-to-string-2-decimal-places-examples/>
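Guang's question leaves the handshake failure itself open. As an added example that is not part of the thread and not Tomcat's code, the script below reproduces the point at which Kevin's handshake dies without needing a browser: it sends a TLS 1.2 ClientHello shaped like a browser's (a single ECDHE-RSA suite and a Firefox-style supported_groups list, both assumptions made here) to a host and port you supply, reads the server's first flight, and decodes the ECDHE ServerKeyExchange so you can see whether the server named a curve the client offered, named one it did not, or sent explicit curve parameters, which is the choice a SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE and an illegal_parameter alert point at. The hostname tomcat.example.test used in the test and the sample message are constructed placeholders.

```python
"""Added diagnostic (not from the thread or Tomcat): send a browser-like TLS 1.2
ClientHello and report which curve the server puts in its ECDHE ServerKeyExchange."""
import os
import socket
import struct
import sys

CURVE_NAMES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519"}  # IANA ids
BROWSER_CURVES = [29, 23, 24, 25]            # assumption: Firefox-style supported_groups list
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F

def _vec(data, size_len):
    """Length-prefixed TLS vector."""
    return len(data).to_bytes(size_len, "big") + data

def build_client_hello(server_name, curves=BROWSER_CURVES):
    """TLS 1.2 ClientHello record offering one ECDHE-RSA suite plus `curves`."""
    sni_entry = b"\x00" + _vec(server_name.encode(), 2)           # name_type host_name
    ext = struct.pack("!H", 0x0000) + _vec(_vec(sni_entry, 2), 2)  # server_name
    groups = b"".join(struct.pack("!H", c) for c in curves)
    ext += struct.pack("!H", 0x000A) + _vec(_vec(groups, 2), 2)   # supported_groups
    ext += struct.pack("!H", 0x000B) + _vec(_vec(b"\x00", 1), 2)  # ec_point_formats: uncompressed
    sig_algs = b"\x04\x01\x05\x01\x06\x01"                         # rsa_pkcs1 sha256/384/512
    ext += struct.pack("!H", 0x000D) + _vec(_vec(sig_algs, 2), 2)  # signature_algorithms
    body = b"\x03\x03" + os.urandom(32) + b"\x00"                  # version, random, no session id
    body += _vec(struct.pack("!H", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), 2)
    body += _vec(b"\x00", 1) + _vec(ext, 2)                        # null compression, extensions
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)      # handshake record, client_hello

def split_handshakes(data):
    """Yield (type, body) for each complete handshake message in concatenated record payloads."""
    pos = 0
    while pos + 4 <= len(data):
        mtype, mlen = data[pos], int.from_bytes(data[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(data):
            break                                                  # message continues in next record
        yield mtype, data[pos + 4:pos + 4 + mlen]
        pos += 4 + mlen

def parse_server_hello(body):
    """Pull the negotiated cipher suite out of a ServerHello body."""
    sid_len = body[34]                                             # after version(2) + random(32)
    return {"cipher_suite": "0x%04X" % struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]}

def parse_server_key_exchange(body):
    """Decode a signed ECDHE ServerKeyExchange body (RFC 4492 section 5.4, TLS 1.2 form)."""
    if body[0] != 3:
        # explicit_prime (1) / explicit_char2 (2): full curve parameters instead of a
        # registry id. Browsers accept named curves only, so this alone explains a rejection.
        return {"curve_type": "explicit", "curve": None, "browser_supported": False,
                "total_len": len(body)}
    curve_id, pub_len = struct.unpack("!H", body[1:3])[0], body[3]
    sig_pos = 4 + pub_len
    return {"curve_type": "named_curve", "curve_id": curve_id,
            "curve": CURVE_NAMES.get(curve_id, "unknown(%d)" % curve_id),
            "browser_supported": curve_id in BROWSER_CURVES, "pubkey_len": pub_len,
            "sig_alg": body[sig_pos:sig_pos + 2].hex(),
            "sig_len": struct.unpack("!H", body[sig_pos + 2:sig_pos + 4])[0],
            "total_len": len(body)}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-record")
        buf += chunk
    return buf

def probe(host, port=8443, server_name=None, curves=BROWSER_CURVES):
    """Return the server's first flight (suite + ServerKeyExchange details) or its alert."""
    result, handshake = {}, b""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_client_hello(server_name or host, curves))
        while True:
            hdr = _recv_exact(sock, 5)
            payload = _recv_exact(sock, struct.unpack("!H", hdr[3:5])[0])
            if hdr[0] == 21:                                       # alert record
                result["alert"] = {"level": payload[0], "description": payload[1]}
                return result
            if hdr[0] != 22:                                       # only handshake records matter
                continue
            handshake += payload
            for mtype, mbody in split_handshakes(handshake):
                if mtype == 2:
                    result.update(parse_server_hello(mbody))
                elif mtype == 12:
                    result["server_key_exchange"] = parse_server_key_exchange(mbody)
                elif mtype == 14:                                  # ServerHelloDone: flight complete
                    return result

# Constructed sample: named_curve secp256r1, 65-byte uncompressed point, rsa_pkcs1_sha256, 256-byte sig.
SAMPLE_SKE = b"\x03\x00\x17" + bytes([65]) + b"\x04" + b"\x11" * 64 + b"\x04\x01" + b"\x01\x00" + b"\x22" * 256

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(parse_server_key_exchange(SAMPLE_SKE))               # offline demo on the sample
    else:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8443))
```

Run it as `python probe.py <host> 8443` from any machine that can reach the connector (Kevin's note 2 says the server's own browser cannot, so this sidesteps that); with no arguments it decodes the constructed sample. If the server replies with a named curve outside the list the client offered, or with explicit parameters, the fix is on the JSSE side (newer Java 8 updates expose the `jdk.tls.namedGroups` system property to pin the curves the server will use); if it returns an alert instead, the failure is earlier than the key exchange and the debug log should be re-read with that in mind.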