I believe this is an oversight/bug in the source code and there is no way to correct it with configuration. Are you sure it doesn’t belong here?
> On Jul 29, 2016, at 10:39 AM, Mark Thomas <ma...@apache.org> wrote:
>
> This is a configuration question that belongs on the users list, not the
> dev list.
>
> Mark
>
>
> On 29/07/2016 16:06, Bryan Anderson wrote:
>> I have spent the past few days troubleshooting an SSL handshake issue with
>> JDK 1.6 clients connecting to SOAP Web Services running on Tomcat 7.0.69/JDK
>> 1.7.0_101/RHEL 6.7. These clients worked fine with Tomcat 7.0.68, so I
>> checked the change log for 7.0.69. It mentions:
>>
>> Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to those
>> currently considered secure. (markt)
>>
>> We are configured to use the AprLifecycleListener for our SSL Listener.
>>
>> What is occurring is the Web Service clients who run JDK 1.6 (both Oracle
>> and IBM clients experience this) cannot connect because none of the ciphers
>> Tomcat presents are supported. In Tomcat 7.0.68 (and 8.0.36), the following
>> cipher gets selected through SSL negotiation for JDK 1.6 clients:
>> SSL_RSA_WITH_AES_128_CBC_SHA.
>>
>> I compared the source code from .68 and .69, and found this change in
>> JSSESocketFactory.java - Line 200-208:
>>
>>     // Remove kRSA ciphers when running on Java 7 or above. Can't
>>     // remove them for Java 6 since they are likely to be the only
>>     // ones left
>>     if (JreCompat.isJre7Available() &&
>>             (cipher.toUpperCase(Locale.ENGLISH).startsWith("TLS_RSA_") ||
>>              cipher.toUpperCase(Locale.ENGLISH).startsWith("SSL_RSA_"))) {
>>         log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
>>         continue;
>>     }
>>
>> This code appears to remove the working cipher used for JDK 1.6 clients -
>> SSL_RSA_WITH_AES_128_CBC_SHA. This code only considers the JRE Tomcat is
>> running, but does not/cannot consider what JRE the client is using. I
>> tested this with a JDK 1.7 client and it works fine because they select the
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher.
>>
>> This may not be an issue for UI/Browser Apps or applications connecting
>> through a Web Server, but it has a significant impact on Java-based Web
>> Service clients. I could not find any workarounds other than to revert to
>> Tomcat 7.0.68 and plan to upgrade to Tomcat 8 in the near future.
>>
>> Hoping this is something that can either be removed or configured in future
>> releases.
>>
>> Thanks much for your support!
>>
>> Bryan Anderson
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> ---------------------------------------------------------------------
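A small model of the default-cipher filtering performed by the JSSESocketFactory snippet quoted above, added here as an illustration and not code from Tomcat or from anyone in the thread. The cipher lists are constructed samples, and the server's Java major version is a plain parameter standing in for JreCompat.isJre7Available(); the model shows why a check made only on the server's JRE cannot account for what the client supports.

```python
"""Model of Tomcat 7.0.69's default-cipher filter and its effect on old clients.

All cipher-suite lists here are constructed samples for illustration, not the
output of any real JRE or of Tomcat itself.
"""
from typing import List, Optional

# Suites a JDK 1.6-era client might offer: static-RSA key exchange only, no
# ECDHE (constructed sample).
JDK6_CLIENT_CIPHERS = [
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Suites a JDK 1.7 client might offer, including ECDHE (constructed sample).
JDK7_CLIENT_CIPHERS = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"] + JDK6_CLIENT_CIPHERS

# Candidate default suites on the server before the filter runs, in server
# preference order (constructed sample).
SERVER_CANDIDATES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
]


def filter_default_ciphers(candidates: List[str], server_java_major: int) -> List[str]:
    """Mirror the quoted logic: on Java 7+, drop kRSA suites from the default list.

    kRSA suites use static RSA key exchange and so offer no forward secrecy;
    that is the security reason they were removed from the defaults. The
    check keys off the server's JRE only; the client's JRE is invisible here.
    """
    kept = []
    for cipher in candidates:
        upper = cipher.upper()
        if server_java_major >= 7 and (
            upper.startswith("TLS_RSA_") or upper.startswith("SSL_RSA_")
        ):
            continue  # excluded from the defaults (jsse.excludeDefaultCipher)
        kept.append(cipher)
    return kept


def negotiate(server_ciphers: List[str], client_ciphers: List[str]) -> Optional[str]:
    """Pick the first server-preferred suite the client also offers.

    Returns None when there is no common suite, i.e. the handshake fails.
    """
    offered = set(client_ciphers)
    return next((c for c in server_ciphers if c in offered), None)
```

With the server on Java 7 the filtered defaults share no suite with the JDK 1.6 client list, while the JDK 1.7 client still negotiates an ECDHE suite; with the server on Java 6 the filter is skipped and SSL_RSA_WITH_AES_128_CBC_SHA is selected.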