Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/03/17 07:10:10 UTC
[Bug 57718] New: None of the ciphers specified are supported by the
SSL engine
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
Bug ID: 57718
Summary: None of the ciphers specified are supported by the SSL
engine
Product: Tomcat Connectors
Version: unspecified
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Common
Assignee: dev@tomcat.apache.org
Reporter: shekargm@gmail.com
Hi,
We are using Tomcat as a web server.
We set up the Tomcat connector like this:
    connector = new Connector("HTTP/1.1");
    connector.setPort(httpsPort);
    connector.setSecure(true);
    connector.setProperty("clientAuth", "false");
    connector.setAllowTrace(false);
    connector.setProperty("server", "Server Hardware Management Console");
    connector.setEnableLookups(true); // -27
    connector.setProperty("SSLEnabled", "true");
    connector.setProperty("backlog", "10");
    connector.setProperty("maxThreads", "75");
    connector.setProperty("minSpareThreads", "5");
    connector.setProperty("maxSpareThreads", "20");
    connector.setProperty("soTimeout", "20000");
    connector.setScheme("https");
    connector.setProperty("algorithm", KeyManagerFactory.getDefaultAlgorithm());
    connector.setProperty("keystoreFile", CertUtils.getConfiguredKeyStoreFileName());
    connector.setProperty("keystorePass", "password");
    connector.setProperty("keystoreType", "JKS");
    if ("nist_sp800_131a".equals(sm.getSecurityMode())) {
        connector.setProperty("sslProtocol", "TLSv1.2");
    } else {
        connector.setProperty("sslProtocol", "TLS");
        connector.setProperty("sslEnabledProtocols", "TLSv1,TLSv1.1,TLSv1.2");
    }
    connector.setProperty("ciphers", sm.getCiphers()); // <-- Here we set the Cipher.
    tomcat.getService().addConnector(connector);
    commonSystem.setListeningOnHttps(true);
This is the cipher list we have, and we set the ciphers below on Tomcat
(check the above code):
    availablTLSv11CipherList.add("TLS_RSA_WITH_AES_128_CBC_SHA");
    availablTLSv11CipherList.add("TLS_RSA_WITH_3DES_EDE_CBC_SHA");
    availablTLSv11CipherList.add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA");
    availablTLSv11CipherList.add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA");
    availablTLSv11CipherList.add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA");
    availablTLSv12CipherList.add("TLS_RSA_WITH_AES_128_CBC_SHA256");
    availablTLSv12CipherList.add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
    availablTLSv12CipherList.add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");
    availablTLSv12CipherList.add("TLS_RSA_WITH_AES_128_GCM_SHA256");
    availablTLSv12CipherList.add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
I am using the cipher list starting with TLS, for example
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256". Earlier everything was
working fine, but after the Tomcat update to 7.0.59 from 7.0.29, I see that
if I set the above cipher list I get the error below:
WARNING: None of the ciphers specified are supported by the SSL engine :
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_
If I set the cipher name to SSL it works. I mean to say, instead of
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" I use
"SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256". I want to know why this
behaviour changed.
We are using IBM Java 6.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
--- Comment #5 from Chandu <sh...@gmail.com> ---
Can you please answer this question?
When we were using Tomcat 7.0.29, this same set of ciphers used to work.
I have upgraded Tomcat to 7.0.59 and now I am not able to establish a socket
connection, because I am getting the warning "none of the cipher is supported".
So my question is: will the BIO connector not use the default JVM cipher list
when "none of the ciphers is supported" in Tomcat 7.0.59?
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
--- Comment #3 from Chuck Caldarale <ch...@unisys.com> ---
What part of the following did you not understand?
"Bugzilla is not a support forum. If you have any further questions, they
belong on the users mailing list."
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
Chandu <sh...@gmail.com> changed:
What     |Removed  |Added
----------------------------------------------------------------------------
Severity |critical |blocker
Priority |P2       |P1
CC       |         |shekargm@gmail.com
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
--- Comment #4 from Chandu <sh...@gmail.com> ---
Hi,
1. When we were using Tomcat 7.0.29, this same set of ciphers used to work.
I have upgraded Tomcat to 7.0.59 and now I am not able to establish a socket
connection, because I am getting the warning "none of the cipher is supported".
So my question is: will the BIO connector not use the default cipher list when
"none of the ciphers is supported" in Tomcat 7.0.59? This behaviour is
different from 7.0.29, where it was connecting using the default cipher.
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
--- Comment #2 from Chandu <sh...@gmail.com> ---
Hi,
I have a small question here.
1. When we were using Tomcat 7.0.29, this same set of ciphers used to work. I
guess it was using the default ciphers if none of the ciphers is supported.
I have upgraded Tomcat to 7.0.59 and now I am not able to establish a socket
connection, because none of the ciphers is supported. Is it by design that it
will not allow the default cipher list when none of the user-set ciphers is
supported in the latest Tomcat?
Thanks
Chandu
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
Mark Thomas <ma...@apache.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
See bug 54406.
IBM uses SSL_XXX for all its ciphers although it will accept TLS_XXX. When
Tomcat compares the available ciphers against the requested ciphers it can't
tell that SSL_XXX and TLS_XXX are the same.
Bugzilla is not a support forum. If you have any further questions, they belong
on the users mailing list.
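Added example (not part of the original thread and not Tomcat's own code): comment #1 describes a naming mismatch in which the IBM JSSE provider reports its suites as SSL_XXX while the configuration requests TLS_XXX. The Java below maps each requested name to the spelling the running provider actually reports and fails closed if nothing matches; the class CipherNameResolver and its methods are hypothetical names, and the requested list is sample input taken from the report.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Hypothetical helper, not part of Tomcat: resolves SSL_/TLS_ prefix differences.
public class CipherNameResolver {

    // Returns the other spelling of a suite name, or null if it has neither prefix.
    static String alternate(String name) {
        if (name.startsWith("TLS_")) return "SSL_" + name.substring(4);
        if (name.startsWith("SSL_")) return "TLS_" + name.substring(4);
        return null;
    }

    // Keeps only requested suites the provider supports, in the provider's spelling.
    static List<String> resolve(List<String> requested, Set<String> supported) {
        List<String> usable = new ArrayList<String>();
        for (String name : requested) {
            String alt = alternate(name);
            if (supported.contains(name)) {
                usable.add(name);
            } else if (alt != null && supported.contains(alt)) {
                usable.add(alt);
            } else {
                System.err.println("Not supported by this JSSE provider: " + name);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // What the running JVM's default provider reports as supported.
        Set<String> supported = new LinkedHashSet<String>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        // Sample input: two names from the list in the report.
        List<String> requested = Arrays.asList(
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_GCM_SHA256");
        List<String> usable = resolve(requested, supported);
        if (usable.isEmpty()) {
            // Fail closed: do not fall back silently to the JVM default list.
            throw new IllegalStateException("No requested cipher suite is supported");
        }
        System.out.println("Usable cipher suites: " + usable);
    }
}
```

Per comment #1, an IBM JRE reports the SSL_ spelling, so the names returned there would start with SSL_.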
[Bug 57718] None of the ciphers specified are supported by the SSL
engine
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57718
--- Comment #6 from Chuck Caldarale <ch...@unisys.com> ---
(In reply to Chandu from comment #5)
> Can you please answer this question
We'll do this one more time before suspending your account:
Bugzilla is not a support forum. If you have any further questions, they belong
on the users mailing list.