[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Ftpapi] Problem: (GSKit) No compatible cipher suite available between SSL end points.



This just keeps getting weirder.

Late yesterday afternoon, I did a lengthy "stare-and-compare" between what SSLInfo returned for the two different Tomcat servers, and I couldn't find any differences. But then, I got called away from this on something that kept me in the office until after 7 PM.

Finally getting back to it, I looked at the "connector ciphers" on the Tomcat 8 manager (there isn't one on the Tomcat 7 manager), and saw that only 16 of the 36 ciphers that SSLInfo starred as "default" are actually enabled in Tomcat.

Then, using what Mr. Schultz told me about reading cipher names, I compared what actually *does* come up in the Tomcat 8 manager with the DSPSYSVAL on the AS/400. And I found that if
*RSA_AES_256_CBC_SHA
is the same as
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

then maybe we DO have a common cipher, at least in theory (unless "ECDHE" makes it otherwise).

Unfortunately, I can't run the local box's Tomcat server through SSLLabs, because it's on a nonstandard port number, and Tomcat 7 doesn't have a "connector ciphers" button on the manager main page.

The cloud box is a Google Compute Engine instance. Is it possible that Google is somehow vetoing the handshake?

--
JHHL
--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi