Peter Kreuser wrote
>> 
>> Can you provide a clean configuration that exhibits this behavior?
>> 
>> What are you using to test the effective configuration?
> 
> Another question: are you sure that you hit the Connector that you
> configure? Tomcat should be reasonably configured in defaults with a
> current JDK...
> 
> 8443 or the like are not scanned with ssllabs! So it may as well hit an
> apache on the same machine!
> 
> Can you show detail on what ssllabs is complaining about?
> 
> Best regards
> 
> Peter

Thank you Peter and Chris.

I'm utilizing ssllabs to check, as well as just going to the site with Chrome
and looking in developer tools to see the protocol that was selected.

I understand that 8443 is not a normal port, I'm using ipchains to redirect
traffic from 443 to 8443.  I believe that traffic is specifically hitting
this webserver, as changes such as adding SSL or removing TLS 1.0 in the
configuration file take immediate effect after restarting the Tomcat
service.

My current SSLHostConfig looks like this:

        <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
                       honorCipherOrder="true"
                       ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_RSA_WITH_AES_256_CBC_SHA256,
                                TLS_RSA_WITH_AES_256_CBC_SHA,
                                TLS_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_RSA_WITH_AES_128_CBC_SHA,
                                TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
            <Certificate certificateKeystoreFile="...."
                         certificateKeystorePassword="...."
                         type="RSA" />
        </SSLHostConfig>

But ssllabs reports the following ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

None of these ciphers are included in my list, and changes to my cipher list
have no effect at all on what is displayed by ssllabs.

I'm stuck, so any ideas or guidance is appreciated, thank you!
-Todd



--
View this message in context: 
http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064952.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
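Peter's question (are you sure the scan is hitting the Connector you configured?) can be answered without ssllabs by offering the listener one cipher suite at a time and recording what it negotiates, on both 443 and 8443. The script below is an added example for this thread; it is not code from the thread, from Tomcat, or from ssllabs. It translates the JSSE suite names used in the SSLHostConfig above into the OpenSSL spellings that Python's ssl module (and `openssl s_client -cipher`) expect, probes each suite on its own, and diffs the configured list against the scanner's report. The host, the ports and the two suite lists are taken from the post; the translation table only covers the algorithms that appear there.

```python
"""Probe which TLS protocol/cipher a listener actually negotiates.

Added example, not part of the original thread or of Tomcat. It assumes the
two suite lists from the post above and a Tomcat listener on 8443 that is
supposedly reachable via a 443 redirect.
"""
import socket
import ssl
import sys

# Constructed sample input, copied from the post: what the SSLHostConfig
# declares and what ssllabs reported.
CONFIGURED = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]
REPORTED = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# IANA/JSSE -> OpenSSL spellings for the components seen in this thread.
# Plain RSA key exchange is implicit in OpenSSL names, hence the empty string.
_KEX = {"RSA": "", "ECDHE_RSA": "ECDHE-RSA", "DHE_RSA": "DHE-RSA"}
_BULK = {
    "AES_128_GCM": "AES128-GCM",
    "AES_256_GCM": "AES256-GCM",
    "AES_128_CBC": "AES128",
    "AES_256_CBC": "AES256",
    "3DES_EDE_CBC": "DES-CBC3",
}


def jsse_to_openssl(name):
    """TLS_<kex>_WITH_<bulk>_<mac>  ->  the equivalent OpenSSL cipher name."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("unsupported suite name: %s" % name)
    kex, rest = name[4:].split("_WITH_", 1)
    bulk, mac = rest.rsplit("_", 1)
    if kex not in _KEX or bulk not in _BULK:
        raise ValueError("no OpenSSL spelling known for %s" % name)
    return "-".join(p for p in (_KEX[kex], _BULK[bulk], mac) if p)


def probe(host, port, openssl_name, timeout=5.0):
    """Offer exactly one suite (TLS 1.0-1.2); return (protocol, cipher) the
    server picked, or None if it refused the handshake or the connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are checking suites, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # the suites above are pre-1.3
        ctx.set_ciphers(openssl_name)
    except (ssl.SSLError, ValueError):
        return None                 # local OpenSSL cannot even offer it (3DES is often compiled out)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def sweep(host, port, jsse_names, timeout=5.0):
    """Try each configured suite alone against host:port."""
    return {n: probe(host, port, jsse_to_openssl(n), timeout) for n in jsse_names}


def compare(configured, reported):
    """Suites the scanner saw that are not configured, and vice versa."""
    conf, rep = set(configured), set(reported)
    return {
        "reported_but_not_configured": sorted(rep - conf),
        "configured_but_not_reported": sorted(conf - rep),
    }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed default
    print(compare(CONFIGURED, REPORTED))
    # If 443 and 8443 disagree, the redirect is not delivering the scan to Tomcat.
    for port in (443, 8443):
        for suite, result in sweep(host, port, CONFIGURED).items():
            print("%d %-40s %s" % (port, suite, result or "rejected"))
```

A suite that is "rejected" on 443 but accepted on 8443 (or the reverse) means the two ports are not the same listener; a suite accepted on 8443 that is absent from `ciphers` means the attribute is not being applied at all.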