[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2016-06-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #25 from Ralf Hauser  ---
See also bug 53481 for SSLHonorCipherOrder (alias for the honorCipherOrder) as per
http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig

somehow with the current debian stable (tomcat 8.0.14)

https://www.ssllabs.com/ssltest/analyze.html?d=www.privasphere.com=on
 

still claims "Cipher Suites (sorted by strength as the server has no
preference..."

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-04-16 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Ognjen Blagojevic ognjen.d.blagoje...@gmail.com changed:

   What|Removed |Added

 Status|RESOLVED|CLOSED




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Violeta Georgieva violet...@apache.org changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|REOPENED|RESOLVED

--- Comment #23 from Violeta Georgieva violet...@apache.org ---
Thanks for the patch.
The fix will be available for 7.0.61 onwards.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-03-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #24 from Ognjen Blagojevic ognjen.d.blagoje...@gmail.com ---
7.0.61 works as expected. Thank you.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-03-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Ognjen Blagojevic ognjen.d.blagoje...@gmail.com changed:

   What|Removed |Added

 Resolution|FIXED   |---
 Status|RESOLVED|REOPENED

--- Comment #21 from Ognjen Blagojevic ognjen.d.blagoje...@gmail.com ---
Refactoring in r1662994 broke the support for 7.0.x. It introduced several
issues:

1. Inverted if condition in AbstractEndpoint.testServerCipherSuitesOrderSupport
(fixed in r1669346).


2. Steps in AbstractEndpoint.configureUseServerCipherSuitesOrder:

  (a) SSLParameters sslParameters = engine.getSSLParameters();
  (b) sslParameters.setUseCipherSuitesOrder(boolean)
  (c) engine.setSSLParameters(sslParameters)

were refactored omitting step (c).


3. Steps in JSSESocketFactory.configureUseServerCipherSuitesOrder:

  (a) SSLParameters sslParameters = socket.getSSLParameters();
  (b) sslParameters.setUseCipherSuitesOrder(boolean)
  (c) socket.setSSLParameters(sslParameters)

were refactored omitting step (c).

I'm preparing the patch for issues 2. and 3.

-Ognjen
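
Added example, not part of the original comment and not Tomcat's code: why omitting step (c) silently disables the setting. getSSLParameters() hands back a copy, so a change made in step (b) reaches the engine only through setSSLParameters(). Class and method names here are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Illustration only; names are hypothetical, not taken from Tomcat.
public class CipherOrderWriteBack {

    // Steps (a) and (b) only, the shape of the refactored code described above.
    static void configureWithoutWriteBack(SSLEngine engine, boolean honorOrder) {
        SSLParameters params = engine.getSSLParameters(); // a copy of the engine's settings
        params.setUseCipherSuitesOrder(honorOrder);       // changes the copy only
    }

    // Steps (a), (b) and (c): the modified copy is handed back to the engine.
    static void configureWithWriteBack(SSLEngine engine, boolean honorOrder) {
        SSLParameters params = engine.getSSLParameters();
        params.setUseCipherSuitesOrder(honorOrder);
        engine.setSSLParameters(params);
    }

    // What the engine will actually use during the handshake.
    static boolean effectiveOrderFlag(SSLEngine engine) {
        return engine.getSSLParameters().getUseCipherSuitesOrder();
    }

    static SSLEngine newServerEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine first = newServerEngine();
        // The JDK default differs between releases, so request the opposite of it.
        boolean requested = !effectiveOrderFlag(first);

        configureWithoutWriteBack(first, requested);
        System.out.println("without step (c): requested=" + requested
                + " effective=" + effectiveOrderFlag(first));

        SSLEngine second = newServerEngine();
        configureWithWriteBack(second, requested);
        System.out.println("with step (c):    requested=" + requested
                + " effective=" + effectiveOrderFlag(second));
    }
}
```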




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-03-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #22 from Ognjen Blagojevic ognjen.d.blagoje...@gmail.com ---
Created attachment 32611
  -- https://bz.apache.org/bugzilla/attachment.cgi?id=32611&action=edit
Patch to add setters for SSLParameters




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-02-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #19 from Christopher Schultz ch...@christopherschultz.net ---
Support for BIO connector added in Tomcat 8.0.x in r1662632.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-02-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

Christopher Schultz ch...@christopherschultz.net changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #20 from Christopher Schultz ch...@christopherschultz.net ---
Fixed in Tomcat 7.0.x in r1662633.
Will be in Tomcat 7.0.60.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-02-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #17 from Christopher Schultz ch...@christopherschultz.net ---
Fixed in trunk in r1662614.

I'll start preparing a patch for Tomcat 8.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-02-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #18 from Christopher Schultz ch...@christopherschultz.net ---
Fixed in Tomcat 8.0.x in r1662627.
Will be in Tomcat 8.0.21.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #16 from Ognjen Blagojevic ognjen.d.blagoje...@gmail.com ---
Created attachment 32407
  -- https://issues.apache.org/bugzilla/attachment.cgi?id=32407&action=edit
Patch to add useServerCipherSuitesOrder to NIO and NIO2 connectors




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Ognjen Blagojevic ognjen.d.blagoje...@gmail.com changed:

   What|Removed |Added

  Component|Connectors  |Connectors
Version|trunk   |unspecified
Product|Tomcat 8|Tomcat 9
   Target Milestone||-

--- Comment #15 from Ognjen Blagojevic ognjen.d.blagoje...@gmail.com ---
Chris,

(In reply to Christopher Schultz from comment #14)
> Ognjen, if you are still willing to produce a patch, consider writing it
> against trunk, which will require Java 8 so won't need the reflection. If we
> decide to back-port to Tomcat 8, the reflection can be re-introduced.

Ok. I will attach a patch for Tomcat 9. As you suggested:

1. Parameter name is useServerCipherSuitesOrder instead of useCipherSuitesOrder.
2. Code is deduplicated / moved to superclass.

To test it:

(1) Install JDK 1.8.0
(2) Install Java 8 JCE Unlimited Strength
(3) Apply patch, build Tomcat
(4) Add JSSE Connector configuration to server.xml:

<Connector port="443"
   protocol="org.apache.coyote.http11.Http11NioProtocol"
   SSLEnabled="true"
   maxThreads="150"
   scheme="https"
   secure="true"
   clientAuth="false"
   sslProtocol="TLS"
   useServerCipherSuitesOrder="true"
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
            SSL_RSA_WITH_3DES_EDE_CBC_SHA"
 />

(5) Start Tomcat. Forward Secrecy is enabled (on all clients that support it)

To test with NIO2, just replace Http11NioProtocol with Http11Nio2Protocol.

-Ognjen




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #14 from Christopher Schultz ch...@christopherschultz.net ---
Ognjen, if you are still willing to produce a patch, consider writing it
against trunk, which will require Java 8 so won't need the reflection. If we
decide to back-port to Tomcat 8, the reflection can be re-introduced.

Are you still able to update the patch?

(In reply to Ralf Hauser from comment #13)
> Please implement this feature also for non-APR connectors A.S.A.P. - I think
> it is even worthwhile to backport to Tomcat 7!

This enhancement request is specifically targeted towards the non-APR
connectors. The APR connector already supports this capability via the
SSLHonorCipherOrder setting.




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Ralf Hauser hau...@acm.org changed:

   What|Removed |Added

 CC||hau...@acm.org




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2015-01-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #13 from Ralf Hauser hau...@acm.org ---
Getting as many clients to choose a forward-secret cipher even if their makers
didn't think of putting forward-secret ciphers highest priority is important in
today's world of massive eavesdropping.

Please implement this feature also for non-APR connectors A.S.A.P. - I think it
is even worthwhile to backport to Tomcat 7!




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2014-10-16 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Neale Rudd ne...@metawerx.net changed:

   What|Removed |Added

 CC||ne...@metawerx.net




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2014-10-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Jens Borgland jens.borgl...@gmail.com changed:

   What|Removed |Added

 CC||jens.borgl...@gmail.com




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2014-05-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #11 from Christopher Schultz ch...@christopherschultz.net ---
Ognjen, I have a couple of further comments about your proposed patch. I'm
leaning towards adding this to Tomcat 8 but not back-porting unless there is
significant demand.

1. Most of the 2 configureUseCipherSuitesOrder methods is the same. Consider
re-factoring the bulk of that method into a superclass utility method and then
extract the SSLParameters object from either SSLEngine or Socket in the
subclasses.

2. Since this is a security-related configuration, consider failing totally
when server-side ordering is requested but can't be enforced -- e.g. the
reflection fails for any reason. You have it logging a warning but continuing
which I think isn't appropriate in this case.
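
Added example, not part of the original comment and not the patch under review: one way to fail closed when the reflective call cannot be made, instead of logging a warning and continuing. The class name, the method requireServerOrder and its methodName parameter are hypothetical; the parameter exists only so that main() can simulate a runtime where the setter is missing.

```java
import java.lang.reflect.Method;
import javax.net.ssl.SSLParameters;

// Illustration only; names are hypothetical, not taken from Tomcat.
public class FailClosedCipherOrder {

    /**
     * Enables server cipher suite preference through reflection, as a build
     * that must also load on a pre-Java-8 runtime would. Any reflective
     * failure aborts configuration rather than leaving the connector running
     * with client-preferred ordering.
     */
    static void requireServerOrder(SSLParameters params, String methodName) {
        try {
            Method setter = SSLParameters.class.getMethod(methodName, boolean.class);
            setter.invoke(params, Boolean.TRUE);
        } catch (ReflectiveOperationException e) {
            // Ordering was requested but cannot be enforced: refuse to continue.
            throw new IllegalStateException(
                    "Server cipher suite order requested but not supported by this runtime", e);
        }
    }

    public static void main(String[] args) {
        // Normal case: the setter exists (Java 8 and later).
        SSLParameters params = new SSLParameters();
        requireServerOrder(params, "setUseCipherSuitesOrder");
        System.out.println("order enforced: " + params.getUseCipherSuitesOrder());

        // Simulated older runtime: the lookup fails, so configuration must fail too.
        try {
            requireServerOrder(new SSLParameters(), "setUseCipherSuitesOrderAbsent");
            System.out.println("unexpected: continued without enforcement");
        } catch (IllegalStateException e) {
            System.out.println("configuration rejected: " + e.getMessage());
        }
    }
}
```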




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2014-05-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

--- Comment #12 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to Ognjen Blagojevic from comment #4)
> No objections. Do I need to provide a new patch with the name you proposed?

If you like my suggestions above, you could make all 3 changes at once and
propose a new patch. That would be nice ;)




[Bug 55988] Add parameter useCipherSuitesOrder to JSSE (BIO and NIO) connectors [PATCH]

2014-04-11 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Christopher Schultz ch...@christopherschultz.net changed:

   What|Removed |Added

Summary|Add parameter   |Add parameter
   |useCipherSuitesOrder to |useCipherSuitesOrder to
   |JSSE (BIO and NIO)  |JSSE (BIO and NIO)
   |connectors  |connectors [PATCH]
