[openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

Porter, Andrew Andrew_Porter at bmc.com
Tue Jun 6 15:33:06 UTC 2017


Thanks Steven for pointing me in the right direction: when I switched to an EC/ECDSA key for tomcat then openssl could connect using ECDHE-ECDSA-AES256-GCM-SHA384.

But only after installing the unlimited strength policy files on the server, with the defaults the best was ECDHE-ECDSA-AES128-GCM-SHA256.

Andrew

From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Steven Collison
Sent: Tuesday, June 06, 2017 07:30
To: openssl-users at openssl.org
Cc: openssl-dev at openssl.org
Subject: Re: [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers


As a sanity check, are you using an ECDSA certificate on your Tomcat server? ECDHE-ECDSA-AES256-GCM-SHA384 can’t be negotiated without one. Perhaps you can try
openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher “ECDHE-RSA-AES256-GCM-SHA384” if you’re using an RSA cert.

-Steven

On 3 Jun 2017, at 22:01, Pravesh Rai wrote:

Hi,

Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
& server (Java 1.8 with Tomcat), still getting following handshake error,
while executing:

"openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher
ECDHE-ECDSA-AES256-GCM-SHA384"


...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 28 ......(
<<< TLS 1.2 [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:769:
...

And, such error happens, only when ECDHE ciphers are selected during the
connection.

Any clue on this?

Thanks,
PR
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Dusers&d=DwMFaQ&c=UrUhmHsiTVT5qkaA4d_oSzcamb9hmamiCDMzBAEwC7E&r=rM-xapYCunnmjke6suxLaVU8krc3wfCZvRQxfT87RRc&m=E9RTp_nB68n9DCD_f0OiM165NBTgKk7sApgOSnM1L7Q&s=znUch5G2tNF3MmxunH-Q2x43BWNm4u0_nB1EnB6hKnU&e=>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170606/f0b41744/attachment.html>


More information about the openssl-users mailing list