Mark,

On 1/8/18 3:36 PM, Mark Thomas wrote:
> On 08/01/18 19:34, john.e.gr...@wellsfargo.com.INVALID wrote:
>> All,
>>
>> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>>
>> I cannot get Tomcat to accept elliptic curve ciphers. I've
>> written a small SSL socket server that uses the same certificate
>> as the server and deployed it on the same machine using the same
>> JDK. It accepts EC ciphers just fine so I don't think there is
>> anything in the JDK that has disabled them, etc. With verbose
>> SSL enabled, Tomcat, however, complains about
>> "http-bio-7114-exec-4, handling exception:
>> javax.net.ssl.SSLHandshakeException: no cipher suites in
>> common."
>>
>> If I omit the "ciphers" property of the connector, I get this:
>>
>> No available cipher suite for TLSv1
>> No available cipher suite for TLSv1.1
>> No available cipher suite for TLSv1.2
>>
>> If I set ciphers="ALL," I'm back to "no cipher suites in
>> common."
>>
>> If I explicitly tell Tomcat to accept
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket
>> server, I get "No appropriate protocol (protocol is disabled or
>> cipher suites are inappropriate)."
>>
>> BTW I have an RSA cert on the server with a 2048-bit key and
>> signed using SHA256withRSA.
>>
>> One of the connector configs I've tried.
>>
>> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true"
>>     maxThreads="400" maxKeepAliveRequests="100"
>>     keepAliveTimeout="10000" scheme="https" secure="true"
>>     clientAuth="true" sessionCacheSize="5" sslProtocol="TLS"
>>     keystoreFile="/path/to/keystore"
>>     keystorePass="${keystore.password}" keyAlias="test"
>>     truststoreFile="/path/to/cacerts"
>>     truststorePass="${truststore.password}"
>>     allowUnsafeLegacyRenegotiation="false" />
>
> Try getting it to work without client authentication to start
> with.

+1

> I don't see anything that jumps out as wrong in the above.

Also, John, what client are you using to test?

-chris