Problem getting SSL/TLS to work
Posted: Thu Jul 27, 2017 12:52 pm
I'm able to get Tomcat running, but not with TLS. I'm using Tomcat 8.5.6 and 31-bit Java 8.0 (SR4 FP5) on z/OS 2.2.
When I try to connect I get a "handshake failure" from the server. (I've tried a lot of other variations too, but this comes as close to working as any.)
This is what I've done to define TLS:
<Connector port="&sslPort;"
           scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA"
           keystoreProvider="IBMJCE"
           keystoreType="JCERACFKS"
           keystoreFile="safkeyring://TOMCAT/TOMCATRING"
           keystorePass=""
           useSendfile="false"
           connectionTimeout="20000"
           maxThreads="150" />
I don't get any diagnostics on the server side at all. But then I don't get any indications of any other errors that happen (like "404 - Page not found") either. I'm a bit concerned that Tomcat doesn't seem to log anything about any failed requests anyway.
Does anyone have any idea why this might not be working? Or even how I can get some half-way decent diagnostics out of this thing?
Thanks for any help anyone can give.
Tim
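As an added example that is not part of the post, the following Python lint parses a Connector like the one above and reports the kind of configuration slips that produce silent handshake failures: a stray ",," in the ciphers list (which yields an empty cipher name), legacy protocol versions, suites without forward secrecy and an empty keystorePass. The sample XML, the 8443 value given to the &sslPort; entity and the finding wording are all constructed assumptions.

```python
# Lint the TLS attributes of a Tomcat <Connector> in a server.xml fragment.
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the post's connector, stray ",," included.
# The &sslPort; entity is declared inline so the fragment parses stand-alone.
SAMPLE_XML = """<!DOCTYPE Server [<!ENTITY sslPort "8443">]>
<Server><Service>
<Connector port="&sslPort;" scheme="https" secure="true" SSLEnabled="true"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
           TLS_DHE_DSS_WITH_AES_256_CBC_SHA,,
           TLS_RSA_WITH_AES_128_CBC_SHA"
  keystoreProvider="IBMJCE" keystoreType="JCERACFKS"
  keystoreFile="safkeyring://TOMCAT/TOMCATRING" keystorePass="" />
</Service></Server>"""

SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+$")
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def split_list(value):
    # Keep empty entries so a stray ",," shows up instead of vanishing.
    return [item.strip() for item in value.split(",")]

def lint_connector(xml_text):
    # Returns one finding string per problem, for every SSL-enabled Connector.
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port, seen = conn.get("port", "?"), set()
        for pos, suite in enumerate(split_list(conn.get("ciphers", ""))):
            if suite == "":
                findings.append(f"port {port}: empty cipher entry at position {pos} (stray comma)")
            elif not SUITE_NAME.match(suite):
                findings.append(f"port {port}: malformed suite name {suite!r}")
            elif suite in seen:
                findings.append(f"port {port}: duplicate suite {suite}")
            elif not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append(f"port {port}: {suite} offers no forward secrecy")
            seen.add(suite)
        for proto in split_list(conn.get("sslEnabledProtocols", "")):
            if proto in LEGACY_PROTOCOLS:
                findings.append(f"port {port}: legacy protocol {proto} enabled")
        if conn.get("keystorePass") == "":
            findings.append(f"port {port}: keystorePass is empty; check the keystore type accepts that")
    return findings
```

Run lint_connector() over the real server.xml (with its own entity declarations in place) before chasing the handshake on the wire; an empty or misspelt suite name never reaches the client, so it only shows up in the negotiated-cipher mismatch.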