Posted to users@tomcat.apache.org by "capt.spock" <yp...@gmail.com> on 2016/11/01 20:33:49 UTC

tomcat 7.0.54 /jdk 1.8 - only TLS_RSA_* ciphers work

Stumped with this issue...environment tomcat 7.054 with openjdk version
"1.8.0_111" OpenJDK Runtime Environment (build 1.8.0_111-b15)

Couple of servers with below config in server.xml throws warning in
Catalina and browsers have issue connecting.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
/>

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Nov 01, 2016 1:15:39 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine :
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-9443"]
Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-9009"]
Nov 01, 2016 1:15:39 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 567 ms
Nov 01, 2016 1:15:39 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Nov 01, 2016 1:15:39 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.54

Any pointers will help in troubleshooting this issue.

Thanks!
Daba

Re: tomcat 7.0.54 /jdk 1.8 - only TLS_RSA_* ciphers work

Posted by Mark Thomas <ma...@apache.org>.
On 01/11/2016 20:40, Christopher Schultz wrote:
> Daba,
> 
> On 11/1/16 4:33 PM, capt.spock wrote:
>> Stumped with this issue...environment tomcat 7.054 with openjdk
>> version "1.8.0_111" OpenJDK Runtime Environment (build
>> 1.8.0_111-b15)
> 
>> Couple of servers with below config in server.xml throws warning
>> in Catalina and browsers have issue connecting.
> 

<snip/>

>> Any pointers will help in troubleshooting this issue.
> 
> Does this discussion help at all?
> 
> http://markmail.org/thread/fefvkflhzfaqom2m

In addition to Chris's hint, this might help you confirm what is happening:

http://people.apache.org/~markt/dev/TLSInfo.java

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
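
Added example, not part of the thread and not Mark's TLSInfo.java: a small JSSE check in the spirit of the diagnostic suggested above. It asks the running JVM which of the cipher names from the Connector it can enable; the class name CipherCheck is an assumption for illustration, and the built-in list is a subset of the ciphers value in the original post.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name): reports which configured cipher
// suites the JSSE engine of the running JVM supports.
public class CipherCheck {
    // Subset of the ciphers="..." value from the post; pass the full
    // comma-separated list as the first argument to check all of it.
    static final String CONFIGURED =
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
      + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
      + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";

    public static void main(String[] args) throws Exception {
        String list = args.length > 0 ? args[0] : CONFIGURED;

        // Confirm which JVM is actually being examined.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        Set<String> supported =
            new LinkedHashSet<>(Arrays.asList(engine.getSupportedCipherSuites()));

        int usable = 0;
        for (String name : list.split(",")) {
            name = name.trim();
            if (name.isEmpty()) continue;
            boolean ok = supported.contains(name);
            if (ok) usable++;
            System.out.println((ok ? "supported    " : "NOT SUPPORTED") + "  " + name);
        }
        System.out.println(usable + " configured suite(s) usable; JVM supports "
            + supported.size() + " in total");

        // Every suite in the post's list uses an EC key exchange, which needs
        // an EC-capable security provider registered in this JVM.
        try {
            System.out.println("EC provider: "
                + KeyPairGenerator.getInstance("EC").getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("EC provider: none registered");
        }
    }
}
```

Compile and run it with the same java binary and user account that start Tomcat, so the result reflects the JVM that logged the getEnableableCiphers warning.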


Re: tomcat 7.0.54 /jdk 1.8 - only TLS_RSA_* ciphers work

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Daba,

On 11/1/16 4:33 PM, capt.spock wrote:
> Stumped with this issue...environment tomcat 7.054 with openjdk
> version "1.8.0_111" OpenJDK Runtime Environment (build
> 1.8.0_111-b15)
> 
> Couple of servers with below config in server.xml throws warning
> in Catalina and browsers have issue connecting.
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
> />
>
> INFO: The APR based Apache Tomcat Native library which allows
> optimal performance in production environments was not found on
> the java.library.path:
> /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> Nov 01, 2016 1:15:39 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getEnableableCiphers
> WARNING: None of the ciphers specified are supported by the SSL engine :
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
> Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-9443"]
> Nov 01, 2016 1:15:39 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-9009"]
> Nov 01, 2016 1:15:39 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 567 ms
> Nov 01, 2016 1:15:39 PM org.apache.catalina.core.StandardService startInternal
> INFO: Starting service Catalina
> Nov 01, 2016 1:15:39 PM org.apache.catalina.core.StandardEngine startInternal
> INFO: Starting Servlet Engine: Apache Tomcat/7.0.54
>
> Any pointers will help in troubleshooting this issue.

Does this discussion help at all?

http://markmail.org/thread/fefvkflhzfaqom2m

Obligatory lists.a.o link:
https://lists.apache.org/thread.html/df063b1d0e86985c01dabf89a3152faf1554047f7b120b5b7ec3b0a5@%3Cusers.tomcat.apache.org%3E

(I'm not yet a fan of lists.a.o when compared to markmail... sorry, guys.)

-chris