I just got finished going through 20 other customer Tomcat installations
we administer.

First, I found that most of them were accepting the DHE ciphers I'd
disabled on the problem installation, and SSLLabs was giving them bad
ratings for doing so.

Second, I found that two of the other installations were accepting the
ECDHE ciphers I'd disabled, and yet they were working just fine in
Chrome 60 (one of them still on a "test" certificate that was
self-signed, wrong domain, and expired! -- we can encourage them to pick
a CA, and let us help them install a signed cert, but we can't MAKE them
do it).

That one is running on an AS/400 at V7R3, with a JVM that IDs in Manager
as "jvmap3270sr10fp1-20170215_012.6"; the other one that's working fine
with the ECDHE certs active is an AS/400 at V7R1, with a JVM that IDs as
"jvmap3260sr16fp15-20151029_01."

In all cases, SSL is via JSSE, not OpenSSL (we've never even heard of
anybody getting Tomcat running via OpenSSL on an AS/400).

Could it be that the browser is trying to use the ECDHE ciphers, and
something in the OS or the JVM is blowing up when it tries to use them?

--
JHHL