On 29 July 2016 17:05:43 BST, Bryan Anderson <bryanander...@icloud.com> wrote:
> I believe this is an oversight/bug in the source code and there is no
> way to correct it with configuration. Are you sure it doesn't belong
> here?

This is neither an oversight nor a bug. As such there is nothing to correct. Users remain free to configure the ciphers of their choosing. I am positive this belongs on the users' list.

Mark

>> On Jul 29, 2016, at 10:39 AM, Mark Thomas <ma...@apache.org> wrote:
>>
>> This is a configuration question that belongs on the users list, not the
>> dev list.
>>
>> Mark
>>
>>
>> On 29/07/2016 16:06, Bryan Anderson wrote:
>>> I have spent the past few days troubleshooting an SSL handshake issue
>>> with JDK 1.6 clients connecting to SOAP Web Services running on
>>> Tomcat 7.0.69/JDK 1.7.0_101/RHEL 6.7. These clients worked fine with
>>> Tomcat 7.0.68, so I checked the change log for 7.0.69. It mentions:
>>>
>>> Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR)
>>> to those currently considered secure. (markt)
>>>
>>> We are configured to use the AprLifecycleListener for our SSL
>>> Listener.
>>>
>>> What is occurring is the Web Service clients who run JDK 1.6 (both
>>> Oracle and IBM clients experience this) cannot connect because none of
>>> the ciphers Tomcat presents are supported. In Tomcat 7.0.68 (and
>>> 8.0.36), the following cipher gets selected through SSL negotiation for
>>> JDK 1.6 clients: SSL_RSA_WITH_AES_128_CBC_SHA.
>>>
>>> I compared the source code from .68 and .69, and found this change
>>> in JSSESocketFactory.java - Line 200-208:
>>>
>>>     // Remove kRSA ciphers when running on Java 7 or above. Can't
>>>     // remove them for Java 6 since they are likely to be the only
>>>     // ones left
>>>     if (JreCompat.isJre7Available() &&
>>>             (cipher.toUpperCase(Locale.ENGLISH).startsWith("TLS_RSA_") ||
>>>              cipher.toUpperCase(Locale.ENGLISH).startsWith("SSL_RSA_"))) {
>>>         log.debug(sm.getString("jsse.excludeDefaultCipher", cipher));
>>>         continue;
>>>     }
>>>
>>> This code appears to remove the working cipher used for JDK 1.6
>>> clients - SSL_RSA_WITH_AES_128_CBC_SHA. This code only considers the
>>> JRE Tomcat is running, but does not/cannot consider what JRE the client
>>> is using. I tested this with a JDK 1.7 client and it works fine
>>> because they select the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipher.
>>> This may not be an issue for UI/Browser Apps or applications connecting
>>> through a Web Server, but it has a significant impact on Java-based Web
>>> Service clients. I could not find any workarounds other than to
>>> revert to Tomcat 7.0.68 and plan to upgrade to Tomcat 8 in the near
>>> future.
>>>
>>> Hoping this is something that can either be removed or configured in
>>> future releases.
>>>
>>> Thanks much for your support!
>>>
>>> Bryan Anderson
>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
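The handshake failure Bryan describes, and the configuration remedy Mark points to, as an added example that is not part of the thread and not Tomcat's code: a small Python model of the quoted kRSA rule (drop TLS_RSA_*/SSL_RSA_* from the *default* list when the server JRE is 7 or later) together with server-preference cipher-suite selection. The function names (`default_enabled_ciphers`, `enabled_ciphers`, `negotiate`), the JDK 6 and JDK 7 suite lists, and the modelling assumption that an explicitly configured cipher list replaces the defaults (and so is not subject to the kRSA filter) are this example's own; the suite lists are constructed approximations, not captured output.

```python
"""Model of the Tomcat 7.0.69 default-cipher behaviour discussed in the thread.

Added example, NOT Tomcat's code. It reproduces offline why a JDK 6 client
fails against Tomcat running on JDK 7 with default ciphers, why a JDK 7
client succeeds, and how an explicit cipher list restores the JDK 6 client.
All cipher lists below are constructed approximations.
"""

# Constructed: suites a JDK 7 server JRE might support (illustrative only).
SERVER_JRE7_SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed: a JDK 6 client that only does static RSA key exchange and
# uses the legacy SSL_ prefix (IBM JDKs name every suite with SSL_).
CLIENT_JDK6 = [
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed: a JDK 7 client that also supports ECDHE.
CLIENT_JDK7 = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def canonical(cipher):
    """SSL_ and TLS_ prefixes name the same suite on the wire; strip them so
    both sides can be compared (the reason the Tomcat snippet checks both)."""
    name = cipher.upper()
    return name[4:] if name.startswith(("SSL_", "TLS_")) else name


def is_krsa(cipher):
    """Static RSA key exchange (TLS_RSA_* / SSL_RSA_*): no forward secrecy,
    which is why 7.0.69 excludes these from the defaults on Java 7+."""
    return canonical(cipher).startswith("RSA_")


def default_enabled_ciphers(supported, server_jre_major):
    """Mirror of the quoted rule. Only the *server* JRE is consulted; the
    server has no way of knowing which JRE the client runs."""
    if server_jre_major >= 7:
        return [c for c in supported if not is_krsa(c)]
    return list(supported)


def enabled_ciphers(supported, server_jre_major, configured=None):
    """What the connector enables. Assumption of this model: an explicit
    list (Tomcat's Connector `ciphers` attribute) replaces the defaults, so
    the kRSA filter does not apply to it; names the JRE lacks are ignored."""
    if configured is None:
        return default_enabled_ciphers(supported, server_jre_major)
    wanted = {canonical(c) for c in configured}
    return [c for c in supported if canonical(c) in wanted]


def negotiate(server_enabled, client_offered):
    """Server-preference selection: the first enabled suite the client also
    offers. None means no overlap, i.e. a handshake_failure alert."""
    offered = {canonical(c) for c in client_offered}
    for cipher in server_enabled:
        if canonical(cipher) in offered:
            return cipher
    return None


def main():
    defaults = default_enabled_ciphers(SERVER_JRE7_SUPPORTED, 7)
    print("7.0.69 defaults on JDK 7:", defaults)
    print("JDK 7 client ->", negotiate(defaults, CLIENT_JDK7))
    print("JDK 6 client ->", negotiate(defaults, CLIENT_JDK6))
    # Remedy: list the suites explicitly, ECDHE first so modern clients keep
    # forward secrecy and only the legacy clients fall back to static RSA.
    explicit = enabled_ciphers(SERVER_JRE7_SUPPORTED, 7, configured=[
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    ])
    print("explicit list, JDK 6 client ->", negotiate(explicit, CLIENT_JDK6))


if __name__ == "__main__":
    main()
```

In a real Tomcat 7 deployment the explicit list goes on the Connector: the `ciphers` attribute (JSSE names, comma separated) for the BIO and NIO connectors, or `SSLCipherSuite` in OpenSSL syntax for the APR connector, where TLS_RSA_WITH_AES_128_CBC_SHA is spelled AES128-SHA. Re-adding a static-RSA suite gives those sessions no forward secrecy, so keep the ECDHE suites ahead of it in the list, limit the exception to the connector the JDK 6 clients use, and retire it when those clients are upgraded.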