Problem getting SSL/TLS to work

Issues and Questions related to running Apache Tomcat on z/OS
timhenness
Posts: 1
Joined: Thu Jul 27, 2017 12:46 pm

Post by timhenness » Thu Jul 27, 2017 12:52 pm

I'm able to get Tomcat running, but not with TLS. I'm using Tomcat 8.5.6 and 31-bit Java 8.0 (SR4 FP5) on z/OS 2.2.

This is what I've done to define TLS:

<Connector port="&sslPort;"
           scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA"
           keystoreProvider="IBMJCE"
           keystoreType="JCERACFKS"
           keystoreFile="safkeyring://TOMCAT/TOMCATRING"
           keystorePass=""
           useSendfile="false"
           connectionTimeout="20000"
           maxThreads="150" />

When I try to connect I get a "handshake failure" from the server. (I've tried a lot of other variations too, but this comes as close to working as any.)

I don't get any diagnostics on the server side at all. But then I don't get any indications of any other errors that happen (like "404 - Page not found") either. I'm a bit concerned that Tomcat doesn't seem to log anything about any failed requests anyway.

Does anyone have any idea why this might not be working? Or even how I can get some half-way decent diagnostics out of this thing?

Thanks for any help anyone can give.
Tim
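An added example, not part of the post above and not Tomcat's own code: a small Python lint for the value of a Tomcat `ciphers` attribute. It splits the list the way an administrator would read it, reports empty entries (the doubled comma in the list above produces one), names that are not IANA-style suite names, duplicates, suites whose static RSA or DSS key exchange gives no forward secrecy, and suites with an HMAC-SHA1 MAC, and rebuilds a cleaned value. The sample input is constructed from a shortened copy of the post's list, keeping the doubled comma and the line breaks as written in server.xml; the function names and the regular expression are this example's own assumptions, not a Tomcat API.

```python
"""Lint a Tomcat <Connector ciphers="..."> value for common configuration defects."""
import re
from typing import Dict, List

# Constructed sample input, not from a live system: a shortened version of the
# ciphers attribute in the post, keeping its doubled comma and the line breaks
# and indentation exactly as they are written in server.xml.
SAMPLE_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n"
    "                     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n"
    "                     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,,\n"
    "                     TLS_RSA_WITH_AES_256_CBC_SHA,\n"
    "                     TLS_RSA_WITH_AES_128_CBC_SHA"
)

# IANA-style suite names: <TLS|SSL>_<key exchange>_WITH_<cipher>_<mac or prf>
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<body>[A-Z0-9_]+)$")

# Key-exchange families that provide forward secrecy (ephemeral DH / ECDH).
FORWARD_SECRET_KX = ("ECDHE_", "DHE_")


def split_cipher_list(value: str) -> List[str]:
    """Split on commas and trim surrounding whitespace, keeping empty entries
    so that the caller can report where they came from."""
    return [entry.strip() for entry in value.split(",")]


def lint_ciphers(value: str) -> Dict[str, object]:
    """Return the cleaned suite list plus findings about the raw value."""
    findings: List[str] = []
    suites: List[str] = []
    no_fs: List[str] = []
    seen = set()

    for position, entry in enumerate(split_cipher_list(value), start=1):
        if entry == "":
            findings.append(f"entry {position}: empty (doubled or trailing comma)")
            continue
        if re.search(r"\s", entry):
            findings.append(f"entry {position}: whitespace inside suite name {entry!r}")
            continue
        match = SUITE_RE.match(entry)
        if not match:
            findings.append(f"entry {position}: not an IANA-style suite name {entry!r}")
            continue
        if entry in seen:
            findings.append(f"entry {position}: duplicate {entry}")
            continue
        seen.add(entry)
        suites.append(entry)

        kx = match.group("kx")
        if not kx.startswith(FORWARD_SECRET_KX):
            # Static RSA/DSS key exchange: a leaked long-term key decrypts old sessions.
            no_fs.append(entry)
            findings.append(f"entry {position}: {entry} uses static {kx} key exchange (no forward secrecy)")
        if match.group("body").endswith("_SHA"):
            # A bare _SHA suffix denotes an HMAC-SHA1 MAC (CBC suites only).
            findings.append(f"entry {position}: {entry} uses an HMAC-SHA1 MAC")

    return {"suites": suites, "no_forward_secrecy": no_fs, "findings": findings}


def normalize_ciphers(value: str) -> str:
    """Rebuild the attribute value with empties, duplicates and stray whitespace removed."""
    return ",".join(lint_ciphers(value)["suites"])


if __name__ == "__main__":
    report = lint_ciphers(SAMPLE_CIPHERS)
    for finding in report["findings"]:
        print(finding)
    print("cleaned:", normalize_ciphers(SAMPLE_CIPHERS))
```

Run against the sample, the lint reports the empty fourth entry, flags the two `TLS_RSA_*` suites for lacking forward secrecy and the three `*_CBC_SHA` suites for their SHA-1 MAC, and emits a single-line value suitable for pasting back into the attribute. For the handshake failure itself, the standard JSSE debug property `-Djavax.net.debug=ssl:handshake` added to the JVM options used to start Tomcat makes the server log which protocol versions and suites it offered and why a client hello was rejected, which answers the question of getting diagnostics out of a failing connector.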
