This is a configuration question that belongs on the users list, not the
dev list.

Mark


On 29/07/2016 16:06, Bryan Anderson wrote:
> I have spent the past few days troubleshooting an SSL handshake issue with 
> JDK 1.6 clients connecting to SOAP Web Services running on Tomcat 7.0.69/JDK 
> 1.7.0_101/RHEL 6.7.  These clients worked fine with Tomcat 7.0.68, so I 
> checked the change log for 7.0.69.  It mentions:
> 
> Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to those 
> currently considered secure. (markt)
> 
> We are configured to use the AprLifecycleListener for our SSL Listener.  
> 
> What is occurring is the Web Service clients who run JDK 1.6 (both Oracle and 
> IBM clients experience this) cannot connect because none of the ciphers 
> Tomcat presents are supported.  In Tomcat 7.0.68 (and 8.0.36), the following 
> cipher gets selected through SSL negotiation for JDK 1.6 clients:  
> SSL_RSA_WITH_AES_128_CBC_SHA.
> 
> I compared the source code from .68 and .69, and found this change in 
> JSSESocketFactory.java - Line 200-208:
> 
> // Remove kRSA ciphers when running on Java 7 or above. Can't
> // remove them for Java 6 since they are likely to be the only
> // ones left
> if (JreCompat.isJre7Available() &&
>         (cipher.toUpperCase(Locale.ENGLISH).startsWith("TLS_RSA_") ||
>          cipher.toUpperCase(Locale.ENGLISH).startsWith("SSL_RSA_"))) {
>     log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
>     continue;
> }
> 
> This code appears to remove the working cipher used for JDK 1.6 clients - 
> SSL_RSA_WITH_AES_128_CBC_SHA.  This code only considers the JRE Tomcat is 
> running, but does not/cannot consider what JRE the client is using.  I tested 
> this with a JDK 1.7 client and it works fine because they select the 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher.  This may not be an issue for 
> UI/Browser Apps or applications connecting through a Web Server, but it has a 
> significant impact on Java-based Web Service clients.  I could not find any 
> workarounds other than to revert to Tomcat 7.0.68 and plan to upgrade to 
> Tomcat 8 in the near future.  
> 
> Hoping this is something that can either be removed or configured in future 
> releases.
> 
> Thanks much for your support!
> 
> Bryan Anderson 
> 
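The following stand-alone program is an added illustration, not code from Tomcat or from the message above. It re-implements the rule in the quoted JSSESocketFactory block as a plain function (the `isJre7Available()` result is passed in as a boolean) and then computes which suites a client could still negotiate against the filtered default list. Both cipher lists are constructed for the example and are not the actual default suite lists of any JDK or Tomcat release; the point is to make the failure mode visible: once every `TLS_RSA_`/`SSL_RSA_` suite is dropped server-side, a client that offers only kRSA suites has an empty intersection and the handshake cannot complete.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Tomcat source): mirrors the default-cipher filter quoted
 * in the thread and reports what a given client could still negotiate.
 */
public class KrsaFilterCheck {

    // Constructed list standing in for the suites enabled on the server side.
    static final List<String> SERVER_ENABLED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_AES_128_CBC_SHA",      // the suite the Java 6 clients had been using
        "TLS_RSA_WITH_AES_128_GCM_SHA256");

    // Constructed list standing in for a client that only offers kRSA suites
    // (not the real JDK 1.6 default list).
    static final List<String> KRSA_ONLY_CLIENT = Arrays.asList(
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_SHA");

    /** Same rule as the quoted block: drop kRSA suites when running on Java 7+. */
    static List<String> filterDefaults(List<String> enabled, boolean jre7Available) {
        List<String> kept = new ArrayList<String>();
        for (String cipher : enabled) {
            String upper = cipher.toUpperCase(Locale.ENGLISH);
            if (jre7Available
                    && (upper.startsWith("TLS_RSA_") || upper.startsWith("SSL_RSA_"))) {
                continue; // excluded from the default list, as in 7.0.69
            }
            kept.add(cipher);
        }
        return kept;
    }

    /** Suites both sides support, in server preference order. */
    static List<String> negotiable(List<String> server, List<String> client) {
        Set<String> offered = new LinkedHashSet<String>(client);
        List<String> common = new ArrayList<String>();
        for (String suite : server) {
            if (offered.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    /** True for suites whose key exchange gives forward secrecy (ECDHE/DHE). */
    static boolean hasForwardSecrecy(String suite) {
        String upper = suite.toUpperCase(Locale.ENGLISH);
        return upper.contains("_ECDHE_") || upper.contains("_DHE_");
    }

    static void report(String label, boolean jre7Available) {
        List<String> defaults = filterDefaults(SERVER_ENABLED, jre7Available);
        List<String> common = negotiable(defaults, KRSA_ONLY_CLIENT);
        System.out.println(label);
        System.out.println("  server defaults after filter: " + defaults);
        if (common.isEmpty()) {
            System.out.println("  negotiable with kRSA-only client: NONE (handshake fails)");
        } else {
            for (String suite : common) {
                System.out.println("  negotiable: " + suite
                    + (hasForwardSecrecy(suite) ? " (forward secret)" : " (no forward secrecy)"));
            }
        }
    }

    public static void main(String[] args) {
        report("Tomcat on Java 6 (kRSA suites kept):", false);
        report("Tomcat on Java 7+ (kRSA suites removed):", true);
    }
}
```

Running it prints the filtered default list for both JRE cases; with the constructed lists the Java 7+ case yields no common suite, which is the symptom described in the message. The forward-secrecy flag is there to show the trade-off behind the change: the only suite the kRSA-only client could ever agree on is a non-forward-secret one, so restoring interoperability with such clients means accepting that property rather than a pure configuration oversight.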


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
