You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jo...@wellsfargo.com.INVALID on 2018/01/08 19:34:43 UTC
Why will Tomcat not accept EC cipher suites?
All,
I'm using Tomcat 7.0.82 and java 1.8.0_152.
I cannot get Tomcat to accept elliptic curve ciphers. I've written a small SSL socket server that uses the same certificate as the server and deployed it on the same machine using the same JDK. It accepts EC ciphers just fine so I don't think there is anything in the JDK that has disabled them, etc. With verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common."
If I omit the "ciphers" property of the connector, I get this:
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
If I set ciphers="ALL," I'm back to "no cipher suites in common."
If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket server, I get "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)."
BTW I have an RSA cert on the server with a 2048-bit key and signed using SHA256withRSA.
One of the connector configs I've tried.
<Connector port="7114"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="400"
maxKeepAliveRequests="100"
keepAliveTimeout="10000"
scheme="https"
secure="true"
clientAuth="true"
sessionCacheSize="5"
sslProtocol="TLS"
keystoreFile="/path/to/keystore"
keystorePass="${keystore.password}"
keyAlias="test"
truststoreFile="/path/to/cacerts"
truststorePass="${truststore.password}"
allowUnsafeLegacyRenegotiation="false"
/>
Thanks
John
Re: Why will Tomcat not accept EC cipher suites?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
John,
On 1/8/18 6:28 PM, John.E.Gregg@wellsfargo.com.INVALID wrote:
> Chris and Mark,
>> -----Original Message----- From: Christopher Schultz
>> [mailto:chris@christopherschultz.net] Sent: Monday, January 08,
>> 2018 5:21 PM To: users@tomcat.apache.org Subject: Re: Why will
>> Tomcat not accept EC cipher suites?
>>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>>
>> Mark,
>>
>> On 1/8/18 3:36 PM, Mark Thomas wrote:
>>> On 08/01/18 19:34, John.E.Gregg@wellsfargo.com.INVALID wrote:
>>>> All,
>>>>
>>>> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>>>>
>>>> I cannot get Tomcat to accept elliptic curve ciphers. I've
>>>> written a small SSL socket server that uses the same
>>>> certificate as the server and deployed it on the same machine
>>>> using the same JDK. It accepts EC ciphers just fine so I
>>>> don't think there is anything in the JDK that has disabled
>>>> them, etc. With verbose SSL enabled, Tomcat, however,
>>>> complains about "http-bio-7114-exec-4, handling exception:
>>>> javax.net.ssl.SSLHandshakeException: no cipher suites in
>>>> common."
>>>>
>>>> If I omit the "ciphers" property of the connector, I get
>>>> this:
>>>>
>>>> No available cipher suite for TLSv1 No available cipher suite
>>>> for TLSv1.1 No available cipher suite for TLSv1.2
>>>>
>>>> If I set ciphers="ALL," I'm back to "no cipher suites in
>>>> common."
>>>>
>>>> If I explicitly tell Tomcat to accept
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my
>> socket
>>>> server, I get "No appropriate protocol (protocol is disabled
>>>> or cipher suites are inappropriate)."
>>>>
>>>> BTW I have an RSA cert on the server with a 2048-bit key and
>>>> signed using SHA256withRSA.
>>>>
>>>> One of the connector configs I've tried.
>>>>
>>>> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true"
>>>> maxThreads="400" maxKeepAliveRequests="100"
>>>> keepAliveTimeout="10000" scheme="https" secure="true"
>>>> clientAuth="true" sessionCacheSize="5" sslProtocol="TLS"
>>>> keystoreFile="/path/to/keystore"
>>>> keystorePass="${keystore.password}" keyAlias="test"
>>>> truststoreFile="/path/to/cacerts"
>>>> truststorePass="${truststore.password}"
>>>> allowUnsafeLegacyRenegotiation="false" />
>>>
>>> Try getting it to work without client authentication to start
>>> with.
>>
>> +1
>>
>>> I don't see anything that jumps out as wrong in the above.
>>
>> Also, John, what client are you using to test?
>>
>> - -chris
>
> At Mark's suggestion, I disabled client auth, but it didn't make
> any difference. The handshake fails before it even gets to that
> step.
>
> I'm using several different clients, including HP Performance
> Center, openssl, and a couple of java clients that I wrote myself
> (one uses SSLSocket directly and one uses HttpsUrlConnection.)
>
> Currently I'm looking at the JDK's ServerHandshaker class to make
> sure I understand the log messages.
Are you doing something mundane such as:
$ openssl s_client -connect example.com:8443 ?
I would expect that to be able to negotiate a TLS connection with a
pretty standard Tomcat with TLS enabled (and nothing in particular
specified for ciphers, protocols, etc.).
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlpUJcYACgkQHPApP6U8
pFiGUw//dGvchPx3LJXppfaY9Uk0QVozT+PhVYnl+tBO06KMszJIuhrPQOVKZP/B
lgmeFWYkFDsP2XwPPYaPmEoN0vMjA5+a0Mgkje3fYanFbyyPHxfhEIJwbruRkWYY
t4suZfemQa5OuaEJ2mfPQS6fxKy7K3+T/RaE16u9MDFKDmnj5qQ0oliKQ5q41RDZ
eyu3mdPIlsfPyDwtC1nq+8Io4DJsGxQJSRhSz0fN3zirgGIo/JqKgPLZxX3jq7Qz
4y+J1ST2sNEXOq7FVAhs0WKdMBebkO1A+Tj5AZmtR+1Q9UT+75pzTk4ZKD0gftpY
hipkqqmCcIYabjf+COO9pIn0kH2YEZIwR0fN0+M6plvW1O7jQaNn4csWaVYSs0c6
TYZeTawtNuR6z15fpUnwkThMEaJQ38aLNMtJIKQW2/R8UnjPvlJGk8TO0Iyo5qg1
ypx46FVWI0Xy/hrwUkprudMJLCymUxZnfeIC4wEV1Gn7Q98Dr2WtFUtPw7Yp7mwW
EYrwYee7GNxHxzvyHXoeJczCOfmVFDOewHVLnNNj1XbYn7j9GbCMpxZWnObar0nz
mbhXfy2hqiMNx9+F/19zBglsAKopRm5FATdZgRAuuYyRvG6G7vZUzHqsKdS1yfHM
T22ydajMZyVGignnwU4Ik8P8OTW6b7pRQZVYqF7gq10GOSP5MmE=
=oljv
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Why will Tomcat not accept EC cipher suites?
Posted by Jo...@wellsfargo.com.INVALID.
Chris and Mark,
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Sent: Monday, January 08, 2018 5:21 PM
> To: users@tomcat.apache.org
> Subject: Re: Why will Tomcat not accept EC cipher suites?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 1/8/18 3:36 PM, Mark Thomas wrote:
> > On 08/01/18 19:34, John.E.Gregg@wellsfargo.com.INVALID wrote:
> >> All,
> >>
> >> I'm using Tomcat 7.0.82 and java 1.8.0_152.
> >>
> >> I cannot get Tomcat to accept elliptic curve ciphers. I've written a
> >> small SSL socket server that uses the same certificate as the server
> >> and deployed it on the same machine using the same JDK. It accepts
> >> EC ciphers just fine so I don't think there is anything in the JDK
> >> that has disabled them, etc. With verbose SSL enabled, Tomcat,
> >> however, complains about "http-bio-7114-exec-4, handling exception:
> >> javax.net.ssl.SSLHandshakeException: no cipher suites in common."
> >>
> >> If I omit the "ciphers" property of the connector, I get this:
> >>
> >> No available cipher suite for TLSv1 No available cipher suite for
> >> TLSv1.1 No available cipher suite for TLSv1.2
> >>
> >> If I set ciphers="ALL," I'm back to "no cipher suites in common."
> >>
> >> If I explicitly tell Tomcat to accept
> >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my
> socket
> >> server, I get "No appropriate protocol (protocol is disabled or
> >> cipher suites are inappropriate)."
> >>
> >> BTW I have an RSA cert on the server with a 2048-bit key and signed
> >> using SHA256withRSA.
> >>
> >> One of the connector configs I've tried.
> >>
> >> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true"
> >> maxThreads="400" maxKeepAliveRequests="100"
> >> keepAliveTimeout="10000" scheme="https" secure="true"
> >> clientAuth="true" sessionCacheSize="5" sslProtocol="TLS"
> >> keystoreFile="/path/to/keystore"
> >> keystorePass="${keystore.password}" keyAlias="test"
> >> truststoreFile="/path/to/cacerts"
> >> truststorePass="${truststore.password}"
> >> allowUnsafeLegacyRenegotiation="false" />
> >
> > Try getting it to work without client authentication to start with.
>
> +1
>
> > I don't see anything that jumps out as wrong in the above.
>
> Also, John, what client are you using to test?
>
> - -chris
At Mark's suggestion, I disabled client auth, but it didn't make any difference. The handshake fails before it even gets to that step.
I'm using several different clients, including HP Performance Center, openssl, and a couple of java clients that I wrote myself (one uses SSLSocket directly and one uses HttpsUrlConnection.)
Currently I'm looking at the JDK's ServerHandshaker class to make sure I understand the log messages.
Thanks
Re: Why will Tomcat not accept EC cipher suites?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 1/8/18 3:36 PM, Mark Thomas wrote:
> On 08/01/18 19:34, John.E.Gregg@wellsfargo.com.INVALID wrote:
>> All,
>>
>> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>>
>> I cannot get Tomcat to accept elliptic curve ciphers. I've
>> written a small SSL socket server that uses the same certificate
>> as the server and deployed it on the same machine using the same
>> JDK. It accepts EC ciphers just fine so I don't think there is
>> anything in the JDK that has disabled them, etc. With verbose
>> SSL enabled, Tomcat, however, complains about
>> "http-bio-7114-exec-4, handling exception:
>> javax.net.ssl.SSLHandshakeException: no cipher suites in
>> common."
>>
>> If I omit the "ciphers" property of the connector, I get this:
>>
>> No available cipher suite for TLSv1 No available cipher suite for
>> TLSv1.1 No available cipher suite for TLSv1.2
>>
>> If I set ciphers="ALL," I'm back to "no cipher suites in
>> common."
>>
>> If I explicitly tell Tomcat to accept
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket
>> server, I get "No appropriate protocol (protocol is disabled or
>> cipher suites are inappropriate)."
>>
>> BTW I have an RSA cert on the server with a 2048-bit key and
>> signed using SHA256withRSA.
>>
>> One of the connector configs I've tried.
>>
>> <Connector port="7114" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="400" maxKeepAliveRequests="100"
>> keepAliveTimeout="10000" scheme="https" secure="true"
>> clientAuth="true" sessionCacheSize="5" sslProtocol="TLS"
>> keystoreFile="/path/to/keystore"
>> keystorePass="${keystore.password}" keyAlias="test"
>> truststoreFile="/path/to/cacerts"
>> truststorePass="${truststore.password}"
>> allowUnsafeLegacyRenegotiation="false" />
>
> Try getting it to work without client authentication to start
> with.
+1
> I don't see anything that jumps out as wrong in the above.
Also, John, what client are you using to test?
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlpT/MsdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFjrXQ/6A78mHnM8u2MLgcJw
Uugo3S+M7WW7Zb90oV0fUtUbo7bM4nQvz3cjQhkl0Wc57iyph3y87pYtRSgLPWS8
ngeVAQX1STsLKTLwh0rg7EHTfyScvx35a5ytxbK8iAe7dxAjGMYHBno0ksFlfQBm
FAcTYe1HohdND38xRHfXk7ZlyTtPk4Moc4RbrhQH6y7t1m2H/yj0ftDL2ZmFqrLE
JQjdcfDj5qSzWrz6TJ4yBRm4oGcMmuAspgNEMojV/YJKpvSiVR9e/UiDNbTV9vyh
S5xDjH/arGMo08L1ckIsqGQnmzepLFt2WwPt2PQnP0rb/qB1MGlrKEa7WIpqqQum
luIwkp4j5v1VphjovWvLfWgDi5F+eYWUAuCe9mJ4CHpys1tcOk33ef364EZOefjo
D+3+PT6aJ4ovShPBtIUoQ90RSO5WAflZvH+rvxH6kRpxKVH+5j91HAvbJjKECfMZ
AAqZ1E6gDuue3mD1xC3CqDlw0ENHLsEuISntayR/ar9n0KtDPlSBC5iTtR4jYdOT
6ZRlgH0RMHzVlwFqSF40LDFbmGreENhUCdisPcNf+RlWRfUvnSphMR4Sx7/0Bhe3
F6FrCnd00OSsMwhMYkEIjfPz/hPsWgo1tUJu0Cgw7XwIzwaSHKTP0dk/MgDsl85m
4XjOFDGvQ5koTAHl9hFuc8l3ATg=
=eXXo
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Why will Tomcat not accept EC cipher suites?
Posted by Mark Thomas <ma...@apache.org>.
On 08/01/18 19:34, John.E.Gregg@wellsfargo.com.INVALID wrote:
> All,
>
> I'm using Tomcat 7.0.82 and java 1.8.0_152.
>
> I cannot get Tomcat to accept elliptic curve ciphers. I've written a small SSL socket server that uses the same certificate as the server and deployed it on the same machine using the same JDK. It accepts EC ciphers just fine so I don't think there is anything in the JDK that has disabled them, etc. With verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common."
>
> If I omit the "ciphers" property of the connector, I get this:
>
> No available cipher suite for TLSv1
> No available cipher suite for TLSv1.1
> No available cipher suite for TLSv1.2
>
> If I set ciphers="ALL," I'm back to "no cipher suites in common."
>
> If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket server, I get "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)."
>
> BTW I have an RSA cert on the server with a 2048-bit key and signed using SHA256withRSA.
>
> One of the connector configs I've tried.
>
> <Connector port="7114"
> protocol="HTTP/1.1"
> SSLEnabled="true"
> maxThreads="400"
> maxKeepAliveRequests="100"
> keepAliveTimeout="10000"
> scheme="https"
> secure="true"
> clientAuth="true"
> sessionCacheSize="5"
> sslProtocol="TLS"
> keystoreFile="/path/to/keystore"
> keystorePass="${keystore.password}"
> keyAlias="test"
> truststoreFile="/path/to/cacerts"
> truststorePass="${truststore.password}"
> allowUnsafeLegacyRenegotiation="false"
> />
Try getting it to work without client authentication to start with.
I don't see anything that jumps out as wrong in the above.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Why will Tomcat not accept EC cipher suites?
Posted by "Gali, Vamsi A" <va...@keybank.com.INVALID>.
Hello John,
Technically, Java 1.8 provides the ciphers which are used by Tomcat and it definitely supports a lot of EC ciphers: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites
Do you get the HandShakeException when you access the Tomcat directly or using webserver?
Also, I use a small script to get the list of supported ciphers for each Protocol, as below:
------
#!/bin/sh
for v in tls1; do #you can use tls1_1 or tls1_2 in place of tls1, which is the protocol)
for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
openssl s_client -connect TOMCAT-SEREVE:HTTPS-Port \
-cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
done
done
---------
Thank you,
Vamsi Gali
-----Original Message-----
From: John.E.Gregg@wellsfargo.com.INVALID [mailto:John.E.Gregg@wellsfargo.com.INVALID]
Sent: Monday, January 08, 2018 2:35 PM
To: users@tomcat.apache.org
Subject: Why will Tomcat not accept EC cipher suites?
All,
I'm using Tomcat 7.0.82 and java 1.8.0_152.
I cannot get Tomcat to accept elliptic curve ciphers. I've written a small SSL socket server that uses the same certificate as the server and deployed it on the same machine using the same JDK. It accepts EC ciphers just fine so I don't think there is anything in the JDK that has disabled them, etc. With verbose SSL enabled, Tomcat, however, complains about "http-bio-7114-exec-4, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common."
If I omit the "ciphers" property of the connector, I get this:
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
If I set ciphers="ALL," I'm back to "no cipher suites in common."
If I explicitly tell Tomcat to accept TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, which works with my socket server, I get "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)."
BTW I have an RSA cert on the server with a 2048-bit key and signed using SHA256withRSA.
One of the connector configs I've tried.
<Connector port="7114"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="400"
maxKeepAliveRequests="100"
keepAliveTimeout="10000"
scheme="https"
secure="true"
clientAuth="true"
sessionCacheSize="5"
sslProtocol="TLS"
keystoreFile="/path/to/keystore"
keystorePass="${keystore.password}"
keyAlias="test"
truststoreFile="/path/to/cacerts"
truststorePass="${truststore.password}"
allowUnsafeLegacyRenegotiation="false"
/>
Thanks
John
This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information.
127 Public Square, Cleveland, OH 44114
If you prefer not to receive future e-mail offers for products or services from Key
send an e-mail to mailto:DNERequests@key.com with 'No Promotional E-mails' in the
SUBJECT line.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org