[openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

Steven Collison steven at raycoll.com
Tue Jun 6 14:29:53 UTC 2017


As a sanity check, are you using an ECDSA certificate on your Tomcat 
server? ECDHE-ECDSA-AES256-GCM-SHA384 can’t be negotiated without one. 
Perhaps you can try
`openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher 
“ECDHE-RSA-AES256-GCM-SHA384”` if you’re using an RSA cert.


-Steven

On 3 Jun 2017, at 22:01, Pravesh Rai wrote:

> Hi,
>
> Even though I've disabled SSLvX protocols on both - client 
> (openssl-1.0.2k)
> & server (Java 1.8 with Tomcat), still getting following handshake 
> error,
> while executing:
>
> "openssl s_client -connect a.b.c.d:<port> -msg -debug -cipher
> ECDHE-ECDSA-AES256-GCM-SHA384"
>
>
> ...
> read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
> 0000 - 15 03 03 00 02 02 28                              ......(
> <<< TLS 1.2  [length 0005]
>     15 03 03 00 02
> <<< TLS 1.2 Alert [length 0002], fatal handshake_failure
>     02 28
> 14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
> handshake failure:.\ssl\s23_clnt.c:769:
> ...
>
> And, such error happens, only when ECDHE ciphers are selected during 
> the
> connection.
>
> Any clue on this?
>
> Thanks,
> PR
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170606/5ad6aec4/attachment-0001.html>


More information about the openssl-users mailing list