
[Ftpapi] BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.



On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:

> It might help to think of it like this:
>
> There are the ciphers that a JVM supports.
> The JVM only enables a sub-set of the supported ciphers by default.
> Tomcat with a default configuration only uses a sub-set of the ciphers
> that the JVM enables by default.
> . . .
> It looks like you have an incompatible set of ciphers configured.
>
> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA is the
> least worse option. The Java name for this is:
> TLS_RSA_WITH_AES_256_CBC_SHA

I should have tried this DAYS ago. There is also a Tomcat 7 server installed on the Google Cloud server. With no apparent differences in the Java list of available and "enabled-by-default" ciphers between the two boxes, it's clear that the biggest single difference that I'm actually able to do anything about is which Tomcat server is running on 443.

So with both Tomcat servers shut down, I switched Tomcat 7 over to port 443, brought it up, and tried connecting to it from the same program as before.

This time, I got a 404. Not the least bit surprising, since the webapp context isn't actually installed on the Tomcat 7 server.

Incidentally, I also tried running the ssllabs.com test on the Tomcat 7 server. The results weren't very meaningful: it only listed the ECDHE suites, but then again, it only listed the ECDHE suites when I tried it on one of our other Tomcat 7 servers.

> Tomcat with a default configuration only uses a sub-set of the ciphers
> that the JVM enables by default.

So is there a way, short of downloading and recompiling Tomcat myself, to control what's in that default subset of a default subset?

Or failing that, is there a way, in my connector tag, to specify "Use TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites Tomcat 8.5 uses by default"?

Or do I need to list all the Tomcat 8.5 defaults in a "ciphers" clause, along with the TLS_RSA_WITH_AES_256_CBC_SHA?

Noting that my connector tag is written using Tomcat 7 connector syntax, is there a good example of how to code a ciphers clause for that tag?

--
JHHL
--
_______________________________________________
Ftpapi mailing list
Ftpapi@xxxxxxxxxxxxxxxxxxxxxx
http://scottklement.com/mailman/listinfo/ftpapi
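The connector syntax the post asks for, as an added example that is not part of the original thread and not taken from Tomcat's own documentation: a Tomcat 8.5 HTTPS connector written with the Tomcat 7 style attributes, whose ciphers attribute keeps Tomcat 8.5's documented default cipher expression (HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA) but re-admits TLS_RSA_WITH_AES_256_CBC_SHA. The reason the suite is missing from 8.5's defaults is the trailing !kRSA, which drops every static-RSA key exchange suite, and in OpenSSL cipher-string syntax (which Tomcat's ciphers attribute accepts) a ! exclusion is permanent, so simply appending the suite after the default expression does nothing. The example therefore uses -kRSA (delete, but allow re-adding) followed by the suite's OpenSSL name AES256-SHA, which Tomcat maps to the JSSE name TLS_RSA_WITH_AES_256_CBC_SHA. The port, keystore path and password are placeholders; that Tomcat's parser follows OpenSSL's distinction between - and ! is an assumption based on its documented support for the OpenSSL syntax.

```xml
<!-- server.xml fragment (added example, not from the thread). Tomcat 7 style
     attributes on the Connector element, which Tomcat 8.5 still accepts. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150"
           keystoreFile="/path/to/keystore.jks"   <!-- placeholder -->
           keystorePass="changeit"                <!-- placeholder -->
           sslEnabledProtocols="TLSv1.2"
           ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:-kRSA:AES256-SHA" />

<!-- Equivalent explicit JSSE-name form, if you prefer not to rely on the
     OpenSSL expression parser: list the suites you want, most preferred
     first, and put the static-RSA suite last.
     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
              TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
              TLS_RSA_WITH_AES_256_CBC_SHA"
     (whitespace shown for readability only; the attribute is one
     comma-separated string). -->
```

Two practical notes. First, verify what the connector actually offers rather than trusting the configuration: `openssl s_client -connect host:443 -tls1_2 -cipher AES256-SHA </dev/null` should complete the handshake and report that suite, and `nmap --script ssl-enum-ciphers -p 443 host` lists everything the server will accept, which is a quicker check than ssllabs.com for an internal box. Second, the reason Tomcat 8.5 dropped kRSA by default is that static RSA key exchange has no forward secrecy: a later compromise of the server's private key decrypts every recorded session. Keeping the suite at the end of the list, so ECDHE clients never pick it, and removing it again once the client side can negotiate an ECDHE suite is the sensible compromise.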