1

We have a client who is using what appears (to me, from reading the running.txt) to be tomcat 7.0. The problem is, is that it cannot appear to negotiate a cipher to use with the browser when an ssl connection is requested.

The connector section from server.xml:

<Connector SSLEnabled="true" acceptCount="100" algorithm="SunX509" 
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" 
    clientAuth="false" disableUploadTimeout="true" enableLookups="false" 
    keystoreFile="conf\tomcat.jks" keystorePass="password" keystoreType="MyType" 
    maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="3601" 
    protocol="HTTP/1.1" scheme="https" secure="true" 
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSL" sslImplementationName="com.corestreet.tomcat.net.SSLImplementation" sslProtocol="TLS"/>

I have tried various entries in the ciphers attribute (taken from here), all with no success. The one mentioned above fails with (when the secure page is requested):

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-3601-Acceptor-0, setSoTimeout(60000) called
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
http-bio-3601-exec-9, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-9, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-9, WRITE: TLSv1 Alert, length = 2
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
[Raw write]: length = 7
0000: Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-3601-Acceptor-0, setSoTimeout(60000) called
15 03 01 00 02 02 28      No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
http-bio-3601-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
   Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-10, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-bio-3601-exec-10, WRITE: TLSv1 Alert, length = 2
                      ......(
http-bio-3601-exec-9, called closeSocket()
[Raw write]: length = 7
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-9, IOException in getSession():  javax.net.ssl.SSLHandshakeException: No appropriate protocol
http-bio-3601-exec-9, called close()
http-bio-3601-exec-9, called closeInternal(true)
0Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
000: 15Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 03Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 01 00Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 02Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
02 28               Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
   http-bio-3601-Acceptor-0, setSoTimeout(60000) called
             ......(
http-bio-3601-exec-10, called closeSocket()
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
http-bio-3601-exec-11, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
http-bio-3601-exec-10, IOException in getSession():  javax.net.ssl.SSLHandshakeException: No appropriate protocol
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-10, called close()
http-bio-3601-exec-10, called closeInternal(true)
http-bio-3601-exec-11, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-11, WRITE: TLSv1 Alert, length = 2
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
[Raw write]: length = 7
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0000: 15Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 03Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
 01 00 02 02 28 Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-3601-Acceptor-0, setSoTimeout(60000) called
                              ......(
http-bio-3601-exec-11, called closeSocket()
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
http-bio-3601-exec-12, handling exception: javax.net.ssl.SSLHandshakeException: No appropriate protocol
http-bio-3601-exec-11, IOException in getSession():  javax.net.ssl.SSLHandshakeException: No appropriate protocol
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-11, called close()
http-bio-3601-exec-11, called closeInternal(true)
http-bio-3601-exec-12, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
http-bio-3601-exec-12, WRITE: TLSv1 Alert, length = 2
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28                               ......(
http-bio-3601-exec-12, called closeSocket()
http-bio-3601-exec-12, IOException in getSession():  javax.net.ssl.SSLHandshakeException: No appropriate protocol
http-bio-3601-exec-12, called close()
http-bio-3601-exec-12, called closeInternal(true)

I don't understand why there are so many "Ignoring unavailable cipher suite" lines, nor do I understand how I would intelligently go about selecting one to use. What has been missed here?

Jon
  • 1,675
  • 26
  • 57
  • 1
    A common reason for discarding such a number of cipher suites would be that fact that an appropriate cert+private key cannot be loaded (wrong keystore, keystore without private key entry, ...). That said, this connector is visibly using its own `SSLImplementation`: `sslImplementationName="com.corestreet.tomcat.net.SSLImplementation"`: impossible to say for sure what's going on without looking at its code. – Bruno Mar 05 '15 at 19:47
  • 2
    Just to reinforce what @Bruno wrote: you have specified an ECDSA ciphersuite. Does `conf\tomcat.jks` contain an ECDSA private key? – President James K. Polk Mar 05 '15 at 22:53
  • We are now suspecting a key issue after removing many of the customizations and still seeing the same error. – Jon Mar 09 '15 at 16:34
  • @Jon: I have a SSL handshake problem which is similar to the one you describe (http://stackoverflow.com/questions/40770758/getting-sslhandshakeexception-when-using-dropbox-java-sdk-for-api-v2). Have you found a solution to your problem? – xpages-noob Nov 25 '16 at 21:51
  • No, we never got any further with it. Sadly, I also don't know if it was ever resolved. – Jon Nov 28 '16 at 21:18
  • Maybe this helps ? https://stackoverflow.com/questions/44405437/jms-connection-handshake-is-failing-for-sslciphersuite-ssl-rsa-with-3des-ede-cbc/44409938#44409938 – Axel Podehl Jun 13 '17 at 17:03

0 Answers0