[openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers
Porter, Andrew
Andrew_Porter at bmc.com
Mon Jun 5 17:44:41 UTC 2017
Running sslscan against Tomcat 8.0.43 / Oracle Java 8u121 and a Tomcat server.xml containing
ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
shows the strongest cipher is
ECDHE-RSA-AES128-GCM-SHA256
Installing the Java unlimited strength policy files increases this to
ECDHE-RSA-AES256-GCM-SHA384
sslscan did not report any ECDSA ciphers from Tomcat even when I changed the ciphers in server.xml to include them, even though a test Java program that enumerates supported ciphers did list (unlimited strength policy files)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
So your openssl connect line below always failed for me.
Andrew
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Pravesh Rai
Sent: Saturday, June 03, 2017 22:02
To: openssl-dev at openssl.org
Cc: openssl-users at openssl.org
Subject: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers
Hi,
Even though I've disabled SSLvX protocols on both client (openssl-1.0.2k) & server (Java 1.8 with Tomcat), I'm still getting the following handshake error while executing:
"openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher ECDHE-ECDSA-AES256-GCM-SHA384"
...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 28 ......(
<<< TLS 1.2 [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:769:
...
And this error happens only when ECDHE ciphers are selected during the connection.
Any clue on this?
Thanks,
PR
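
Added example, not part of the original thread: a small Python decoder for the TLS record bytes in the -debug dump quoted above (15 03 03 00 02 02 28), showing that they form a plaintext fatal handshake_failure alert. The function name `parse_records` and the lookup tables are illustrative choices; the numeric values come from RFC 5246.

```python
import struct

# Registry values from the TLS 1.2 specification (RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 50: "decode_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

def parse_records(data: bytes):
    """Split a byte stream into TLS records and decode plaintext alerts."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        # Header: content type (1 byte), version (2 bytes), length (2 bytes).
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        body = data[offset + 5 : offset + 5 + length]
        if len(body) != length:
            raise ValueError(
                f"record at offset {offset} declares {length} bytes, got {len(body)}")
        rec = {
            "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": VERSIONS.get(version, f"unknown(0x{version:04x})"),
            "length": length,
        }
        # An alert sent before ChangeCipherSpec is unencrypted: level, description.
        if ctype == 21 and length == 2:
            level, desc = body
            rec["level"] = ALERT_LEVELS.get(level, f"unknown({level})")
            rec["description"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
        records.append(rec)
        offset += 5 + length
    return records

# The seven bytes from the s_client -debug dump quoted in the message above.
PAGE_DUMP = bytes.fromhex("15 03 03 00 02 02 28")

if __name__ == "__main__":
    for rec in parse_records(PAGE_DUMP):
        print(rec)
```

The alert does not say which parameter failed to negotiate; it is the sslscan output in the reply that shows the server offering no ECDSA suites.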