Posted to users@tomcat.apache.org by Utkarsh Dave <ut...@gmail.com> on 2014/07/09 12:53:03 UTC
Handshake Failure error !
Hi,
We are running Tomcat 6.0.37 and Java JDK 1.6.0_60
We recently upgraded to JDK 1.6.0_75 and received the below error at several
places
javax.net.ssl.SSLException: Fatal Alert received: Handshake Failure
We debugged and after analysis found that if we remove the below 3 cipher
suites from the server.xml
file
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
The error is no more seen. I need your opinion in order to proceed with the
changes.
1. What will be the effect of removing these ciphers?
2. Found this link on ciphers
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
The cipher codes I mentioned above have been marked as 'X'.
Most of the cipher codes mentioned in my server.xml are marked as 'X'. So I
am confused as to whether I am on the correct path in removing these problematic
ciphers from server.xml or not.
Can you help in answering the 2 questions above?
Thanks for your help in advance.
-Utkarsh
Re: Handshake Failure error !
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Dave,
On 7/9/14, 6:53 AM, Utkarsh Dave wrote:
> We are running Tomcat 6.0.37 and Java JDK 1.6.0_60 We recently
> upgraded to JDK 1.6.0_75 and received below error at several
> places javax.net.ssl.SSLException: Fatal Alert received: Handshake
> Failure
In what component? Tomcat's connector, or something in your web
application that makes an HTTPS connection to another service?
Why not move up to a supported version of the JVM?
> We debugged and after analysis found that if we remove below 3
> cipher suites from server.xml file
>
> TLS_RSA_WITH_AES_256_CBC_SHA
>
> TLS_RSA_WITH_AES_128_CBC_SHA
>
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
>
>
> The error is no more seen.
So explicitly removing those ciphers fixes things?
Please show your <Connector> configuration (minus any passwords) for
both the working and non-working configurations.
> I need your opinion in order to proceed with the changes.
>
> 1. What will be the effect of removing these ciphers?
Clients will be unable to connect using those ciphers.
> 2. Found this link on ciphers
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
>
>
>
> The cipher codes I mentioned above have been marked as 'X'.
You might have to find out the exact support for those ciphers in
various patch-levels of the JVM. I would imagine that later versions
of the JVM would support *more* ciphers and not fewer, but I may be wrong.
> Most of the cipher codes mentioned in my server.xml are marked as
> 'X'. So I am confused as to am I on correct path of removing these
> problematic cipher from server.xml or not.
I think something else might be going on, here.
-chris
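One way to check cipher support per JVM patch level, as the reply suggests, is to run a small program under both JDK builds and compare the output. This is an added example, not code from the thread; the class name `CipherSuiteCheck` is hypothetical, and it is written in Java 6 syntax to match the JVMs discussed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

/** Reports which configured cipher suites the running JVM's default JSSE provider supports. */
public class CipherSuiteCheck {

    // The three suites named in the thread. To check a whole connector,
    // pass the comma-separated ciphers value from server.xml as the first argument.
    static final String[] FROM_THREAD = {
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    };

    /** Splits a comma-separated ciphers attribute value into trimmed suite names. */
    static List<String> parse(String attr) {
        List<String> out = new ArrayList<String>();
        for (String s : attr.split(",")) {
            if (s.trim().length() > 0) {
                out.add(s.trim());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        // Supported = the provider can negotiate it; default = enabled without explicit configuration.
        Set<String> supported = new HashSet<String>(Arrays.asList(f.getSupportedCipherSuites()));
        Set<String> enabled = new HashSet<String>(Arrays.asList(f.getDefaultCipherSuites()));
        List<String> configured = args.length > 0 ? parse(args[0]) : Arrays.asList(FROM_THREAD);

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String suite : configured) {
            String state = enabled.contains(suite) ? "enabled by default"
                         : supported.contains(suite) ? "supported, not enabled by default"
                         : "NOT SUPPORTED by this JVM";
            System.out.println(suite + " : " + state);
        }
    }
}
```

Any suite that changes state between the two JDK builds is a candidate for the handshake failure; a suite listed in server.xml but not supported by the JVM cannot be negotiated at all.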