Hello John, Technically, Java 1.8 provides the ciphers which are used by Tomcat and it definitely supports a lot of EC ciphers: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites Do you get the HandShakeException when you access the Tomcat directly or using webserver?
Also, I use a small script to get the list of supported ciphers for each Protocol, as below: ------ #!/bin/sh for v in tls1; do #you can use tls1_1 or tls1_2 in place of tls1, which is the protocol) for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do openssl s_client -connect TOMCAT-SEREVE:HTTPS-Port \ -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c" done done --------- Thank you, Vamsi Gali -----Original Message----- From: john.e.gr...@wellsfargo.com.INVALID [mailto:john.e.gr...@wellsfargo.com.INVALID] Sent: Monday, January 08, 2018 2:35 PM To: users@tomcat.apache.org Subject: Why will Tomcat not accept EC cipher suites? All, I'm using Tomcat 7.0.82 and java 1.8.0_152. I cannot get Tomcat to accept elliptic curve ciphers. I've written a small SSL socket server that uses the same certificate as the server and deployed it on the same machine using the same JDK. It accepts EC ciphers just fine so I don't think there is anything in the JDK that has disabled them, etc. With verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common." If I omit the "ciphers" property of the connector, I get this: No available cipher suite for TLSv1 No available cipher suite for TLSv1.1 No available cipher suite for TLSv1.2 If I set ciphers="ALL," I'm back to "no cipher suites in common." If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket server, I get "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)." BTW I have an RSA cert on the server with a 2048-bit key and signed using SHA256withRSA. One of the connector configs I've tried. <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="400" maxKeepAliveRequests="100" keepAliveTimeout="10000" scheme="https" secure="true" clientAuth="true" sessionCacheSize="5" sslProtocol="TLS" keystoreFile="/path/to/keystore" keystorePass="${keystore.password}" keyAlias="test" truststoreFile="/path/to/cacerts" truststorePass="${truststore.password}" allowUnsafeLegacyRenegotiation="false" /> Thanks John This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information. 127 Public Square, Cleveland, OH 44114 If you prefer not to receive future e-mail offers for products or services from Key send an e-mail to mailto:dnereque...@key.com with 'No Promotional E-mails' in the SUBJECT line. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org