[openssl-dev] [openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

Steven Collison steven at raycoll.com
Tue Jun 6 14:29:53 UTC 2017


As a sanity check, are you using an ECDSA certificate on your Tomcat
server? ECDHE-ECDSA-AES256-GCM-SHA384 can’t be negotiated without one.
Perhaps you can try
`openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher "ECDHE-RSA-AES256-GCM-SHA384"`
if you’re using an RSA cert.


-Steven

On 3 Jun 2017, at 22:01, Pravesh Rai wrote:

> Hi,
>
> Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
> & server (Java 1.8 with Tomcat), still getting following handshake error,
> while executing:
>
> "openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher
> ECDHE-ECDSA-AES256-GCM-SHA384"
>
>
> ...
> read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
> 0000 - 15 03 03 00 02 02 28                              ......(
> <<< TLS 1.2  [length 0005]
>     15 03 03 00 02
> <<< TLS 1.2 Alert [length 0002], fatal handshake_failure
>     02 28
> 14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:769:
> ...
>
> And, such error happens, only when ECDHE ciphers are selected during the
> connection.
>
> Any clue on this?
>
> Thanks,
> PR
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
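
An added example, not part of the original thread: Python that decodes the 7-byte record shown in the `-debug` output above and lists which offered OpenSSL (EC)DHE suite names a server can negotiate for a given certificate key type. The function names and the `RSA` server key type are assumptions made for illustration.

```python
import struct

# Subset of RFC 5246 values; extend as needed.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 70: "protocol_version", 71: "insufficient_security"}


def parse_alert_record(hex_dump):
    """Decode one plaintext TLS alert record given as hex bytes."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", raw[:5])
    if ctype != 0x15:
        raise ValueError("content type 0x%02x is not an alert" % ctype)
    body = raw[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("expected a 2-byte plaintext alert body")
    level, desc = body
    return {
        "version": VERSIONS.get((major, minor), "unknown"),
        "level": LEVELS.get(level, "unknown"),
        "description": ALERTS.get(desc, "alert %d" % desc),
    }


def required_cert_key(cipher):
    """Certificate key type an OpenSSL (EC)DHE suite name authenticates with."""
    parts = cipher.split("-")
    if len(parts) > 2 and parts[0] in ("ECDHE", "DHE") and parts[1] in ("RSA", "ECDSA", "DSS"):
        return parts[1]
    raise ValueError("not an (EC)DHE suite name: %r" % cipher)


def usable_ciphers(offered, server_key):
    """Offered suites the server can negotiate with a certificate of server_key type."""
    return [c for c in offered if required_cert_key(c) == server_key]


if __name__ == "__main__":
    # Record bytes copied from the -debug output quoted in the thread.
    print(parse_alert_record("15 03 03 00 02 02 28"))
    # Assumption: the Tomcat server holds only an RSA certificate.
    print(usable_ciphers(["ECDHE-ECDSA-AES256-GCM-SHA384"], "RSA"))
    print(usable_ciphers(["ECDHE-ECDSA-AES256-GCM-SHA384",
                          "ECDHE-RSA-AES256-GCM-SHA384"], "RSA"))
```

An empty list from `usable_ciphers` means the client offered no suite the server's certificate can authenticate, which is the condition under which a server answers with the fatal `handshake_failure` alert decoded here.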