-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jens,
On 1/22/2010 12:51 PM, Jens Neu wrote: > Christopher, > > maybe that was a bit premature, running with > SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2": > > openssl s_client -ssl2 -connect server:8443 > CONNECTED(00000003) > --- > SSL handshake has read 1135 bytes and written 236 bytes > --- > New, SSLv2, Cipher is DES-CBC3-MD5 > Server public key is 1024 bit > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : SSLv2 > Cipher : DES-CBC3-MD5 > Session-ID: 21D7302FAF313F61DF24661249FCF7FD > Session-ID-ctx: > Master-Key: 3CAC5F9B8889222FFF7E1106232BFE34FC7A2CBD078833E0 > Key-Arg : 448CA2E3F880EF06 > Start Time: 1264182312 > Timeout : 300 (sec) > Verify return code: 18 (self signed certificate) > --- :( > --- > Ciphers common between both SSL endpoints: > RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 > EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5 In my environment, openssl reports: $ openssl ciphers 'SSLv2'| sed -e 's/:/\n/g' DES-CBC3-MD5 <- you got this one DES-CBC-MD5 EXP-RC2-CBC-MD5 RC2-CBC-MD5 EXP-RC4-MD5 RC4-MD5 Looks like all those are the same ones, meaning that 100% of the openssl SSLv2 ciphers are available from Tomcat. Stupid question: did you re-start Tomcat after making the SSLCipher change? Again, here's what I get for the cipher string we've been trying: $ openssl ciphers 'ALL:!SSLv2:+HIGH:+MEDIUM'| sed -e 's/:/\n/g' ADH-DES-CBC-SHA EXP-ADH-DES-CBC-SHA EXP-ADH-RC4-MD5 EDH-RSA-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA ADH-AES128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA ADH-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-RC4-MD5 RC4-SHA RC4-MD5 I don't see any of the SSLv2 ciphers in there except for RC4-MD5, which I suppose would still allow you to connect. One thing I noticed is that your cipher string is not valid: $ openssl ciphers '-ALL:+HIGH:+MEDIUM:!SSLv2'| sed -e 's/:/\n/g' Error in cipher list 16374:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1185: You have to have something without - or + prefixing it. Apparently, you have to start with a list before you start modifying it :) Try the string I have above and see if that works. RC4-MD5 might still work, though. You should take a look at this guy's tool, here: http://www.unspecific.com/2009/02/16/ssl-cipher-check Our production server's httpd is configured to use "HIGH:MEDIUM:-SSLv2" and the results of the above script confirm that only decent ciphers are available: $ ./ssl-cipher-check.pl [mysite] Testing [mysite]:443 SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits SSLv3:RC4-SHA - ENABLED - STRONG 128 bits SSLv3:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits SSLv3:AES128-SHA - ENABLED - STRONG 128 bits SSLv3:AES256-SHA - ENABLED - STRONG 256 bits TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits TLSv1:RC4-SHA - ENABLED - STRONG 128 bits TLSv1:DHE-RSA-AES256-SHA - ENABLED - STRONG 256 bits TLSv1:AES128-SHA - ENABLED - STRONG 128 bits TLSv1:AES256-SHA - ENABLED - STRONG 256 bits *WARNING* 6 WEAK Ciphers Enabled. Total Ciphers Enabled: 22 I was unable to verify that any WEAK ciphers were enabled, and I cound 16 enabled ciphers, not 22. So, maybe this script isn't the greatest thing around :) With "HIGH:MEDIUM:-SSLv2", I cannot connect using "openssl s_client - -ssl2", which is a good thing. Try a different/better cipher string. Always check against "openssl cipher" to make sure that it's kosher before enabling it in your server. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktZ8nkACgkQ9CaO5/Lv0PBLDwCfa3ESeJCygI42yQ2jGQ0YUoZO IPsAnju+4lL4lNWuF6TnG6B5cW8EzPNe =9+YO -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
