Vamsi,
On 10/12/17 11:06 AM, Gali, Vamsi A wrote:
> This issue is now RESOLVED.

Great.

> On IHS (IBM HTTP Server, IBM version of Apache Webserver), we only
> had 2 TLS ciphers that are not compatible with Tomcat TLSv1.2. So I
> added "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" to IHS httpd.conf
> by looking at this:
> https://www.ibm.com/support/knowledgecenter/en/SSEQTJ_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
> and IHS can communicate with Tomcat W/O any issues.

Woohoo!

> The reason I picked the above cipher is because it's on the list
> of ciphers tomcat's JVM supports.

I would recommend that you configure IHS to support *multiple* cipher
suites instead of just the one. I would also recommend using GCM mode
instead of CBC mode if you can do so.

> Igor, I couldn't use one of the Java-based cipher tools so used a
> small script to get a list of ciphers available for a JVM (this can
> be used for any Linux server as long as openssl is available):
>
> #!/bin/sh
> for v in tls1_2; do
>   for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
>     openssl s_client -connect SERVERNAME:https_port \
>       -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
>   done
> done

The output of the above command has absolutely nothing to do with the
cipher suites Java supports. In order to determine what Java supports,
you must use a Java-based tool. (Unless you are using APR, but you are
clearly using Java BIO.)

> I executed above script to find out a list of ciphers on Tomcat's
> JVM and based on that I chose to use
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 on IHS.
>
> I appreciate all the help on finding me the true issue!

Glad you got it done but it's clear there is still some confusion.

-chris
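
A Java-based check of the kind the reply calls for, shown here as an added example that is not code from this thread or from Tomcat: it asks JSSE which cipher suites the running JVM supports and enables by default for a TLSv1.2 server, and labels each as CBC or AEAD (GCM). The class name JvmCipherSuites and the mode() helper are hypothetical, and it assumes it is run with the same Java installation that runs Tomcat.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical class name; added example, not part of the original message.
public class JvmCipherSuites {

    // Classify a suite by the cipher mode encoded in its standard name.
    static String mode(String suite) {
        if (suite.contains("_GCM_") || suite.contains("CHACHA20")) return "AEAD";
        if (suite.contains("_CBC_")) return "CBC";
        return "other"; // e.g. RC4, NULL, or the renegotiation SCSV marker
    }

    public static void main(String[] args) throws Exception {
        // TLSv1.2 is the protocol version discussed in the thread.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        // Server-side view, since Tomcat is the TLS server in this setup.
        SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
        Set<String> enabled = new HashSet<>(Arrays.asList(ssf.getDefaultCipherSuites()));
        String[] supported = ssf.getSupportedCipherSuites();

        System.out.printf("JVM: %s %s%n",
                System.getProperty("java.vendor"), System.getProperty("java.version"));
        for (String suite : supported) {
            System.out.printf("%-8s %-6s %s%n",
                    enabled.contains(suite) ? "enabled" : "off", mode(suite), suite);
        }

        // Optional arguments: suite names to look up, such as the one set on IHS.
        Set<String> all = new HashSet<>(Arrays.asList(supported));
        for (String wanted : args) {
            String state = !all.contains(wanted) ? "NOT supported by this JVM"
                    : enabled.contains(wanted) ? "supported and enabled by default"
                    : "supported but not enabled by default";
            System.out.println(wanted + ": " + state);
        }
    }
}
```

Passing TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as an argument reports whether the suite chosen for IHS is actually available in this JVM. A ciphers setting on the Tomcat connector narrows the list further, so this output is the upper bound of what the connector can negotiate.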