On 04/27/2017 10:57 AM, Kreuser, Peter wrote:
Hi (WhoEverYouMayBe - you may want to sign with a name???),
Server version: Apache Tomcat/8.5.11
Server built: Jan 10 2017 21:02:52 UTC
Server number: 8.5.11.0
OS Name: Linux
OS Version: 3.10.0-514.16.1.el7.x86_64
Architecture: amd64
Java Home: /usr/java/jdk1.8.0_121/jre
JVM Version: 1.8.0_121-b13
JVM Vendor: Oracle Corporation
CATALINA_BASE: /opt/apache-tomcat-8.5.11
CATALINA_HOME: /opt/apache-tomcat-8.5.11
Command line argument:
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Command line argument: -Duser.timezone=US/Eastern
Command line argument: -Xms128m
Command line argument: -Xmx1024m
Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Command line argument:
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
Command line argument: -Djavax.net.debug=ssl:handshake
Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp
Have tested this with both 8.5.11 and 8.5.14.
There are NO logged Exceptions or errors.
Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2
Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 and
TLSv1.2
Not being able to turn off TLSv1.0 results in PCI compliance problems.
Each SSLHostConfig needs to be able to support different ciphers, since
some sites are PCI and some sites support legacy data interfaces.
I couldn't exactly figure out the expected syntax for the protocols, so
I tried... (9.0 style)
protocols="+TLSv1.1+TLSv1.2"
protocols="+TLSv1.1,+TLSv1.2"
protocols="+TLSv1.1 +TLSv1.2"
protocols="-TLSv1+TLSv1.1+TLSv1.2"
protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"
ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfig
style). These ciphers are NOT in the ciphers list.
TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH sect571r1
(eq. 15360 bits RSA) FS
server.xml Connector snippet (old style - don't get TLSv1.0)
<Connector executor="tomcatThreadPool"
address="192.168.52.13" port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector executor="tomcatThreadPool"
address="192.168.52.13" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
keystoreFile="./conf/keystore.jks" keystorePass="mypass"
keyAlias="myalias1"
clientAuth="false"
useServerCipherSuitesOrder="true"
sslEnabledProtocols="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
(etc)
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
<Connector executor="tomcatThreadPool"
address="192.168.52.15" port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector executor="tomcatThreadPool"
address="192.168.52.15" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
keystoreFile="./conf/keystore.jks" keystorePass="mypass"
keyAlias="myalias2"
clientAuth="false"
useServerCipherSuitesOrder="true"
sslEnabledProtocols="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
(etc)
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)
<Connector address="192.168.52.11" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" scheme="https" secure="true"
defaultSSLHostConfigName="www.mydomain1.com"
maxThreads="150" compression="false" enableLookups="false" >
<SSLHostConfig hostName="www.mydomain1.com">
<Certificate certificateKeystoreFile="conf/keystore.jks"
certificateKeystorePassword="mypass"
certificateKeyAlias="mydomain1.com"
type="RSA" />
honorCipherOrder="true"
protocols="+TLSv1.1+TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
(etc)
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
</SSLHostConfig>
<SSLHostConfig hostName="www.mydomain2.com">
<Certificate certificateKeystoreFile="conf/keystore.jks"
certificateKeystorePassword="mypass"
certificateKeyAlias="mydomain2.com"
type="RSA" />
honorCipherOrder="true"
protocols="+TLSv1.1+TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
(etc)
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
</SSLHostConfig>
Thanks in advanced for your help !!!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Apparently the following works, and from my understanding openssl- and
java-syntax are supported from 8.5. onwards.
sslEnabledProtocols="TLSv1.1, TLSv1.2" <-- if java is used
protocols="TLSv1.1+TLSv1.2"<-- if openssl is used
I didn't use sslEnabledProtocols as it shows as NIO and NIO2 (deprecated)
tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2
I had read somewhere in the docs that the Connector was being made to
use generic terms that would work for both JSSE and OpenSS, so I stayed
away from the older terminology.
I will try as you have suggested.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
allowTrace="false"
maxThreads="150"
SSLEnabled="true"
compression="on"
scheme="https"
server="Apache Tomcat"
secure="true"
defaultSSLHostConfigName="xxx" >
<SSLHostConfig honorCipherOrder="true"
certificateVerification="false"
protocols="TLSv1.1+TLSv1.2"
ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
>
</SSLHostConfig>
I guess the (etc) is very interesting to know to be able to find the culprit of
this finding.
Didn't think it was important since it was the exact same list of
ciphers used with the same Tomcat version using the non-SNI Connector
syntax.
honorCipherOrder="true"
protocols="TLSv1.1, TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
Also, why does the system require OpenSSL ciphers ? I'm using NIO witht
JSSEImplementation. Wouldn't that mean JSSE cipher suite names ?
When I look here...
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
it shows the names are all as I am using.
When I look at my catalina.out with -Djavax.net.debug=ssl:handshake it
currently shows the negotiated cipher as...
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Wouldn't that mean I'm using JSSE standard ciphers ? I'm using Java
1.8 (Oracle flavor).
Thank you for taking the time to review this,
Dan Morrison
Best regards
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
