Posted to users@tomcat.apache.org by Tim Whittington <ti...@apache.org> on 2013/03/03 23:18:03 UTC
Re: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers
On Tue, Feb 19, 2013 at 10:59 AM, Giuseppe Sacco
<gi...@eppesuigoccas.homedns.org> wrote:
[...]
> I listed all providers here:
> http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
> as you may see, a few of them are TLS_RSA and TLS_DHE:
> * TLS_RSA_WITH_AES_128_CBC_SHA
> * TLS_RSA_WITH_AES_256_CBC_SHA
> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> * TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> * TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> They are also listed as "default" ciphers, so -- if I understood what
> default means -- they should not be enabled explicitly.
>
> They overlap with those client ciphers:
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> Is there any possibility that some of those server ciphers are disabled
> because of the algorithm used in the server certificate? Its signature
> algorithm is SHA1withDSA. I created it with this command line:
> keytool -genkeypair -alias tomcat -keystore ~tomcat6/.keystore
Yes.
If the server keys are DSA, then only cipher suites using DSS/*DSA
will be negotiated.
In this case, the only DSS cipher suite that your client appears to
support is TLS_DHE_DSS_WITH_NULL_SHA, which isn't supported by Java 6
or 7.
> A side note: is it possible to put tomcat behind a web server and make
> the latter encrypt in SSL? This would imply that communication between
> the web server and tomcat would be in clear, but how do I create the
> connector proxy* information? I may specify proxyName and proxyPort, but
> I cannot specify proxyProtocol. Is this right?
>
tim
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
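Tim's reasoning above (a server can only negotiate suites whose authentication matches its key type) as an added Python check; this is not code from the thread or from Tomcat. The suite lists are the ones quoted in the thread, with TLS_DHE_DSS_WITH_NULL_SHA appended as the one DSS suite Tim says the iPad appears to support; the key-type mapping goes beyond the page's suites and also classifies ECDSA, static ECDH and anonymous suites.

```python
import re
# Server suites the thread lists for Java 6/7 JSSE (no BouncyCastle).
SERVER_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]
# Client suites from the thread plus TLS_DHE_DSS_WITH_NULL_SHA, the one DSS
# suite Tim says the iPad appears to support (constructed list).
CLIENT_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_NULL_SHA",
]

_KX_RE = re.compile(r"^(?:TLS|SSL)_([A-Za-z0-9_]+?)_WITH_")
_AUTH_TO_KEY = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "EC"}

def required_key_algorithm(suite):
    """Server key type a suite authenticates with ('RSA', 'DSA', 'EC'),
    None for anonymous suites; unrecognised key exchanges raise."""
    m = _KX_RE.match(suite)
    if not m:
        raise ValueError("unrecognised cipher suite name: " + suite)
    kx = m.group(1)
    if kx.endswith("_anon"):
        return None
    if kx.startswith("ECDH_"):
        return "EC"  # static ECDH: the certificate key itself is EC
    auth = kx.split("_")[-1]
    if auth not in _AUTH_TO_KEY:
        raise ValueError("unsupported key exchange in " + suite)
    return _AUTH_TO_KEY[auth]

def negotiable_suites(server_key_alg, server_suites, client_suites):
    """Suites both sides offer that the server's key can sign for, in client order."""
    common = [s for s in client_suites if s in set(server_suites)]
    return [s for s in common if required_key_algorithm(s) == server_key_alg]

def client_only_suites(server_key_alg, server_suites, client_suites):
    """Client suites that fit the key type but the server does not offer, e.g.
    TLS_DHE_DSS_WITH_NULL_SHA with a DSA key: why this handshake has no suite left."""
    return [s for s in client_suites if s not in set(server_suites)
            and required_key_algorithm(s) == server_key_alg]
```

With the DSA key from the thread, `negotiable_suites("DSA", ...)` is empty and `client_only_suites("DSA", ...)` names only the NULL suite JSSE lacks; switching to `"RSA"` yields the four overlapping suites Giuseppe listed.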
Re: Tomcat does not accept connections from Safari on iPad vs an SSL connector with JSSE ciphers
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,
On 3/3/13 4:18 PM, Tim Whittington wrote:
> On Tue, Feb 19, 2013 at 10:59 AM, Giuseppe Sacco
> <gi...@eppesuigoccas.homedns.org> wrote: [...]
>
>> I listed all providers here:
>> http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
>> as you may see, a few of them are TLS_RSA and TLS_DHE:
>> * TLS_RSA_WITH_AES_128_CBC_SHA
>> * TLS_RSA_WITH_AES_256_CBC_SHA
>> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> * TLS_DHE_DSS_WITH_AES_256_CBC_SHA
>> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> * TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>
>> They are also listed as "default" ciphers, so -- if I understood
>> what default means -- they should not be enabled explicitly.
>>
>> They overlap with those client ciphers:
>> TLS_RSA_WITH_AES_128_CBC_SHA
>> TLS_RSA_WITH_AES_256_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>
>> Is there any possibility that some of those server ciphers are
>> disabled because of the algorithm used in the server certificate?
>> Its signature algorithm is SHA1withDSA. I created it with this
>> command line: keytool -genkeypair -alias tomcat -keystore ~tomcat6/.keystore
>
> Yes. If the server keys are DSA, then only cipher suites using
> DSS/*DSA will be negotiated. In this case, the only DSS cipher
> suite that your client appears to support is
> TLS_DHE_DSS_WITH_NULL_SHA, which isn't supported by Java 6 or 7.
Good catch. I recently tried to get a DSA key to work *at all* with
Apache httpd and I simply could not. I didn't try too hard, honestly,
because I didn't really care.
My recommendation would be to stick with an RSA key unless you have
some specific reason not to use one (and I'd like to hear that reason).
-chris