1) don't top-post

On 07.07.2017 02:39, Guang Chao wrote:
Sorry, the Tomcat will connect to other web applications hosted somewhere
else in your network?  Is my understanding correct?

On Fri, Jul 7, 2017 at 12:38 AM, Kevin Mango <kma...@nysif.com> wrote:

Hello,

I have been working to setup Apache Tomcat 8.5.15 to establish a secure
connection to web applications on our server. However I have been having
difficulties setting up this functionality.

The most meaningful error we have been getting is from Firefox,
"Unsupported elliptic curve. Error code: SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE".
We have setup Tomcat to fully debug javax.net, and from these logs it
appears that the handshake is failing at the server or client key
exchanges. Below is the output after reaching the server key exchange:

ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: <key value>
*** ServerHelloDone
[write] MD5 and SHA1 hashes:  len = 5073
<Large block of hex>
https-jsse-nio-8443-exec-3, WRITE: TLSv1.2 Handshake, length = 5073
[Raw write]: length = 5078
<Large block of hex>
https-jsse-nio-8443-exec-1, WRITE: TLSv1.2 Handshake, length = 5073
[Raw write]: length = 5078
<Large block of hex>
[Raw read]: length = 2
<small block of hex>
<Large block of hex>
https-jsse-nio-8443-exec-5, READ: TLSv1.2 Alert, length = 2
https-jsse-nio-8443-exec-5, RECV TLSv1.2 ALERT:  fatal, illegal_parameter
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
https-jsse-nio-8443-exec-5, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
https-jsse-nio-8443-exec-5, called closeOutbound()
https-jsse-nio-8443-exec-5, closeOutboundInternal()
https-jsse-nio-8443-exec-5, SEND TLSv1.2 ALERT:  warning, description =
close_notify
https-jsse-nio-8443-exec-5, WRITE: TLSv1.2 Alert, length = 2
There isn't any error output from stderr, only standard print statements.
The ciphersuite that is chosen is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Below are some details about the machine we are running tomcat on:

Windows Server 2012 R2 64 bit
16gb ram
2.2ghz intel xeon cpu
Java 1.8.131

Here is the connector in our server.xml file:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           defaultSSLHostConfigName="<hostname>">
    <SSLHostConfig hostname="<hostname>"
                   protocols="TLSv1.2"
                   sslProtocol="TLSv1.2">
        <Certificate certificateKeystoreFile="<pfx cert location and full file name>"
                     certificateKeystorePassword="<password>"
                     certificateKeystoreType="PKCS12"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Some additional notes:

   1.  The server we are running this on is internal and therefore can't be
accessed outside our network
   2.  The web browser on the machine is unable to access the web
application locally due to our network security
   3.  I am able to connect via http to the web apps

Any assistance that could be provided in this matter would be greatly
appreciated.

Thank you,
Kevin



2) One thing which you could/should try first, is to look at the Tomcat User's 
list archives.
See : http://tomcat.apache.org/lists.html -> tomcat users -> archives
There is a considerable amount of correspondence there related to such themes, and the answer you are looking for is probably already there.
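The debug log quoted above ends with the browser answering the ECDH ServerKeyExchange with a fatal illegal_parameter alert, and Firefox reports SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE. That combination is what a client sends when the curve named in the server's ECParameters is not one it offered in its own supported_groups extension. The script below is an added diagnostic example, not code from this thread or from Tomcat: it parses the two relevant handshake fragments and reports whether the server's chosen named curve was in the client's list. The byte strings are constructed samples (dummy ECPoint values, not real keys) and the curve-id table is a subset of the IANA registry; it does not claim which curve the Tomcat server in the original post actually picked.

```python
import struct

# TLS named-curve identifiers from the IANA "TLS Supported Groups" registry
# (RFC 4492 / RFC 8422). Only the ones needed for this example are listed.
NAMED_CURVES = {
    1: "sect163k1", 19: "secp192r1", 21: "secp224r1", 23: "secp256r1",
    24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448",
}


def parse_supported_groups(ext_body: bytes) -> list:
    """Parse the body of a ClientHello supported_groups (elliptic_curves,
    extension type 10): a 2-byte list length followed by 2-byte curve ids."""
    if len(ext_body) < 2:
        raise ValueError("supported_groups extension too short")
    (length,) = struct.unpack("!H", ext_body[:2])
    ids = ext_body[2:2 + length]
    if len(ids) != length or length % 2:
        raise ValueError("malformed supported_groups extension")
    return list(struct.unpack("!%dH" % (length // 2), ids))


def parse_ecdh_server_key_exchange(body: bytes) -> dict:
    """Parse the ECParameters + ECPoint that open an ECDHE ServerKeyExchange
    (RFC 4492 section 5.4). Only curve_type named_curve (3) is handled; the
    signature that follows the point is not needed for the curve check."""
    if len(body) < 4:
        raise ValueError("ServerKeyExchange too short")
    curve_type = body[0]
    if curve_type != 3:
        raise ValueError("unsupported curve_type %d (expected named_curve)" % curve_type)
    (curve_id,) = struct.unpack("!H", body[1:3])
    point_len = body[3]
    point = body[4:4 + point_len]
    if len(point) != point_len:
        raise ValueError("truncated ECPoint")
    return {
        "curve_id": curve_id,
        "curve": NAMED_CURVES.get(curve_id, "unknown(%d)" % curve_id),
        "point": point,
    }


def check_curve_negotiation(client_groups_ext: bytes, server_kx: bytes):
    """Return (ok, message). ok is False when the server chose a curve the
    client never offered, which is the situation a client answers with a
    fatal illegal_parameter alert."""
    offered = parse_supported_groups(client_groups_ext)
    chosen = parse_ecdh_server_key_exchange(server_kx)
    if chosen["curve_id"] in offered:
        return True, "server chose %s, which the client offered" % chosen["curve"]
    return False, "server chose %s but client only offered %s" % (
        chosen["curve"],
        ", ".join(NAMED_CURVES.get(i, "unknown(%d)" % i) for i in offered),
    )


# Constructed sample: a client offering only the NIST prime curves
# secp256r1 (23), secp384r1 (24) and secp521r1 (25).
CLIENT_GROUPS = b"\x00\x06\x00\x17\x00\x18\x00\x19"

# Constructed ServerKeyExchange prefixes (the ECPoint bytes are dummy values,
# not real public keys): one selecting sect163k1 (id 1), a binary curve the
# client above did not offer, and one selecting secp256r1 (id 23).
SERVER_KX_BINARY_CURVE = b"\x03\x00\x01" + bytes([43]) + b"\x04" + b"\x00" * 42
SERVER_KX_P256 = b"\x03\x00\x17" + bytes([65]) + b"\x04" + b"\x11" * 64

if __name__ == "__main__":
    for kx in (SERVER_KX_BINARY_CURVE, SERVER_KX_P256):
        print(check_curve_negotiation(CLIENT_GROUPS, kx))
```

To apply this to a real capture, take the raw bytes of the client's supported_groups extension from the ClientHello and the first bytes of the ServerKeyExchange handshake body (the "<Large block of hex>" that javax.net debug prints after "ECDH ServerKeyExchange") and feed them to check_curve_negotiation; a False result confirms a curve mismatch rather than a certificate or cipher-suite problem.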


