James,

On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> I wrote:
>>> I mean, I know that I need to get HTTPAPI and Tomcat speaking
>>> the same language, but where do I begin?
> Here's what I got back when I ran the SSLLabs server test on the
> cloud server:
>
>> Protocols
>> TLS 1.3  No
>> TLS 1.2  Yes
>> TLS 1.1  Yes
>> TLS 1.0  Yes
>> SSL 3    No
>> SSL 2    No
>
>> Cipher Suites
>> # TLS 1.2 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
>> # TLS 1.1 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
>> # TLS 1.0 (server has no preference)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp521r1 (eq. 15360 bits RSA) FS 128
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp521r1 (eq. 15360 bits RSA) FS 256
>
> On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the
> operating system's SSL support (which was how I thought it worked),
> and directed to look through the system values to see what it
> supports. What I found was:
>
> QSSLPCL *SEC Secure sockets layer protocols
>> *OPSYS
> (which I'm pretty sure means that all OS-supported protocols are
> available; they can also be individually specified as any or all
> of *TLSV1, *SSLV3, and *SSLV2)
>
> QSSLCSL *SEC Secure sockets layer cipher specification list
>> *RSA_AES_128_CBC_SHA
>> *RSA_RC4_128_SHA
>> *RSA_RC4_128_MD5
>> *RSA_AES_256_CBC_SHA
>> *RSA_3DES_EDE_CBC_SHA
>> *RSA_DES_CBC_SHA
>> *RSA_EXPORT_RC4_40_MD5
>> *RSA_EXPORT_RC2_CBC_40_MD5
>> *RSA_NULL_SHA
>> *RSA_NULL_MD5
>
> and unfortunately, IBM doesn't backport new cipher suites to older
> OS releases.

Looks like your server only has ECDHE-based suites available, and the
client supports none of those.

Can you post your <Connector> configuration from conf/server.xml?

-chris
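
The mismatch described in the message above, worked through as an added example (not part of the original message, and not Tomcat or HTTPAPI code). The suites are transcribed from the quoted SSL Labs output and system values; the IBM-to-IANA name mapping in to_iana and the reading of *OPSYS as TLS 1.0, SSL 3 and SSL 2 are assumptions.

```python
# Added example. Data below is transcribed from the quoted SSL Labs report
# and IBM i system values; nothing here connects to a network.
CBC_SHA = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]
SERVER = {  # protocol -> suites the server offered
    "TLS 1.2": CBC_SHA + ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"],
    "TLS 1.1": CBC_SHA,
    "TLS 1.0": CBC_SHA,
}
# Assumption: QSSLPCL *OPSYS enables exactly the three protocols James lists.
CLIENT_PROTOCOLS = ["TLS 1.0", "SSL 3", "SSL 2"]
QSSLCSL = ["*RSA_AES_128_CBC_SHA", "*RSA_RC4_128_SHA", "*RSA_RC4_128_MD5",
           "*RSA_AES_256_CBC_SHA", "*RSA_3DES_EDE_CBC_SHA", "*RSA_DES_CBC_SHA",
           "*RSA_EXPORT_RC4_40_MD5", "*RSA_EXPORT_RC2_CBC_40_MD5",
           "*RSA_NULL_SHA", "*RSA_NULL_MD5"]
WEAK = ("NULL", "EXPORT", "RC4", "DES")  # "DES" also matches 3DES

def to_iana(ibm_name):
    """Assumed mapping: '*RSA_<cipher>' -> 'TLS_RSA_WITH_<cipher>'."""
    kx, rest = "RSA", ibm_name.lstrip("*")[len("RSA_"):]
    if rest.startswith("EXPORT_"):
        kx, rest = "RSA_EXPORT", rest[len("EXPORT_"):]
    return f"TLS_{kx}_WITH_{rest}"

def key_exchanges(suites):
    """Key-exchange part of each suite name, e.g. 'ECDHE_RSA' or 'RSA'."""
    return {s.split("_WITH_")[0][len("TLS_"):] for s in suites}

def shared_suites():
    """For every protocol both sides speak, the suites both sides offer."""
    client = [to_iana(n) for n in QSSLCSL]
    return {p: [s for s in client if s in SERVER[p]]
            for p in CLIENT_PROTOCOLS if p in SERVER}

def non_weak_client_suites():
    """Client suites left after dropping NULL, EXPORT, RC4, DES and 3DES.
    These use static RSA key exchange, so none offers forward secrecy."""
    return [s for s in map(to_iana, QSSLCSL) if not any(w in s for w in WEAK)]

if __name__ == "__main__":
    client = [to_iana(n) for n in QSSLCSL]
    print("server key exchange:", key_exchanges(sum(SERVER.values(), [])))
    print("client key exchange:", key_exchanges(client))
    for proto, suites in shared_suites().items():
        print(f"{proto}: {suites or 'no shared cipher suite, handshake fails'}")
    print("non-weak client suites:", non_weak_client_suites())
```

The two sides do share a protocol version (TLS 1.0), so the failure comes from the empty cipher-suite intersection, not from protocol negotiation.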