Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Christopher Schultz

Todd,

On 6/30/17 1:30 PM, Todd wrote:
> Christopher Schultz-2 wrote
>> Yup: if you use iptables (ipchains hasn't been used in ...
>> decades?) to do port-redirection, then you are in fact hitting
>> Tomcat / JVM (essentially) directly.
> 
> Yes - iptables, sorry brain fart.
> 
> 
> Christopher Schultz-2 wrote
>> Can you confirm whether or not you are using the OpenSSL
>> provider?
> 
> How can I verify my provider?
> 
> 
> Christopher Schultz-2 wrote
>> What version of OpenSSL are you using? These cipher suites should
>> have well-known names and numeric identifiers (which is how the
>> TLS handshake works), but it looks like the cipher suite names
>> are somehow being confused.
> 
> OpenSSL 1.0.2g
> 
> 
> Christopher Schultz-2 wrote
>> What happens if you narrow your cipher suite list down to a
>> single cipher? Does ssllabs report just a single available cipher
>> (even if it's not the one you configured)?
>> 
>> -chris
> 
> Whether I put in a single cipher, literal garbage text, or the list
> that I want - ssllabs reports the same list of ciphers detected as
> I posted above. I also get the same cipher on Chrome that is not in
> the list I'm putting in my configuration as well.

This really sounds like something else is going on.

Are you *sure* that your hostname/IP from the outside world is really
routing to the place you think it is?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread logo
Todd

>> Peter Kreuser wrote
>>> 
>>> Can you provide a clean configuration that exhibits this behavior?
>>> 
>>> What are you using to test the effective configuration?
>> 
>> Another question: are you sure that you hit the Connector that you
>> configure? Tomcat should be reasonably configured in defaults with a
>> current JDK...
>> 
>> 8443 or the like are not scanned with ssllabs! So it may as well hit an
>> apache on the same machine!
>> 
>> Can you show detail on what ssllabs is complaining about?
>> 
>> Best regards
>> 
>> Peter
> 
> Thank you Peter and Chris.
> 
> I'm utilizing ssllabs to check as well as just going to the site with Chrome
> and looking in developer tools to see the protocol that was selected.
> 
> I understand that 8443 is not a normal port, I'm using ipchains to redirect
> traffic from 443 to 8443.  I believe that traffic is specifically hitting
> this webserver, as changes such as adding SSL or removing TLS 1.0 in the
> configuration file take immediate effect after restarting the Tomcat
> service.
> 
> My current SSLHostConfig looks like this:
> 
> <SSLHostConfig honorCipherOrder="true"
>    ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
>    TLS_RSA_WITH_AES_256_CBC_SHA256,
>    TLS_RSA_WITH_AES_256_CBC_SHA,
>    TLS_RSA_WITH_AES_128_GCM_SHA256,
>    TLS_RSA_WITH_AES_128_CBC_SHA256,
>    TLS_RSA_WITH_AES_128_CBC_SHA,
>    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
>   <Certificate certificateKeystoreFile="" certificateKeystorePassword=""
>    type="RSA" />
> </SSLHostConfig>
> 
> But ssllabs reports the following ciphers:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> None of these ciphers are included in my list, and changes to my cipher list
> have no effect at all on what is displayed by ssllabs.
> 
> I'm stuck, so any ideas or guidance is appreciated, thank you!
> -Todd
> 

Tomcat 8.5.14   
OpenJDK on debian stretch 1.8.0_131 


Using your conf I get the following - which is exactly what you ask for:

A- with:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)                                                256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)                                                256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)                                                   256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)                                                128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)                                                128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)                                                   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  ECDH sect571r1 (eq. 15360 bits RSA)  FS  128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)  ECDH sect571r1 (eq. 15360 bits RSA)  FS  256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)             WEAK                                     112
These include the numbers Chris is referring to.

- YIKES, do you need 3DES for IE8? Put that last with honorCipherOrder=true,
then SSLlabs will not punish you in the ranking.
- the cipher list is not optimal - as you are ranked A- with "The server does
not support Forward Secrecy with the reference browsers. Grade reduced to A-."
but we'll work on that later

It would be interesting to get more details on the connector and the underlying 
java version. We can see your SSL provider in the Connector... 

BTW I do a NAT port forwarding from 443 to 8443.

Best regards

Peter


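Peter's scan above shows the configured list coming back exactly, while Todd's scan returns suites that are not in his attribute at all, and Chris's test (one cipher, or garbage, and see whether the result changes) is the quickest way to tell whether the attribute you edit is the one the listening port uses. The following is an added Python example, not code from the thread or from Tomcat, that does that comparison offline: it normalises IANA/JSSE suite names to their OpenSSL spelling (Tomcat accepts either and keeps the OpenSSL form, as Mark notes later in the thread), diffs the configured list against what the scanner saw, flags the 3DES suite SSL Labs marks WEAK and the static-RSA suites that lack forward secrecy, and hands a cipher string to the local OpenSSL through Python's `ssl` module to show that OpenSSL rejects garbage outright. The name tables cover only the suite families that appear in this thread; the lists are the ones quoted above.

```python
"""Check a Tomcat SSLHostConfig cipher list against what a scanner observed.

Added example for this thread; it is not Tomcat code. The name tables below
are limited to the suite families that appear in the thread (assumption:
anything else raises ValueError rather than being guessed).
"""
import re
import ssl

# Key exchange / authentication part of an IANA (JSSE) name -> OpenSSL spelling.
# Plain RSA key exchange carries no prefix in OpenSSL names (AES128-SHA, ...).
_KX = {
    "RSA": "",
    "DHE_RSA": "DHE-RSA",
    "ECDHE_RSA": "ECDHE-RSA",
    "ECDH_RSA": "ECDH-RSA",
    "ECDHE_ECDSA": "ECDHE-ECDSA",
}

# Bulk cipher part -> OpenSSL spelling. 3DES is the irregular one.
_BULK = {
    "AES_128_CBC": "AES128",
    "AES_256_CBC": "AES256",
    "AES_128_GCM": "AES128-GCM",
    "AES_256_GCM": "AES256-GCM",
    "3DES_EDE_CBC": "DES-CBC3",
}

_IANA = re.compile(r"(?:TLS|SSL)_([A-Z_]+?)_WITH_(.+)_(SHA\d*|MD5)")


def to_openssl(name):
    """TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE-RSA-AES128-GCM-SHA256.
    Tomcat accepts either spelling in the ciphers attribute and keeps the
    OpenSSL form internally, so normalising to it lets both lists be compared.
    A name without _WITH_ is taken to be an OpenSSL name already."""
    name = name.strip()
    if "_WITH_" not in name:
        return name
    m = _IANA.fullmatch(name)
    if not m or m.group(1) not in _KX or m.group(2) not in _BULK:
        raise ValueError("suite name not in this example's table: " + name)
    kx, bulk, mac = m.groups()
    return "-".join(p for p in (_KX[kx], _BULK[bulk], mac) if p)


def has_forward_secrecy(openssl_name):
    # Only ephemeral (EC)DH key exchange gives forward secrecy; static RSA does
    # not, which is what cost the scan quoted above its A- grade.
    return openssl_name.startswith(("ECDHE-", "DHE-"))


def is_weak(openssl_name):
    # 3DES is the suite SSL Labs flagged WEAK in the scan above (112-bit strength).
    return "DES-CBC3" in openssl_name


def compare(configured, observed):
    """configured: the ciphers attribute value (comma separated, either spelling).
    observed: suite names a scanner such as SSL Labs reported for the host.
    Suites the scanner saw that are not in the configuration mean the
    configuration you edited is not the one answering on that port."""
    want = [to_openssl(c) for c in configured.split(",") if c.strip()]
    seen = [to_openssl(c) for c in observed]
    unexpected = [c for c in seen if c not in want]
    return {
        "config_applied": bool(seen) and not unexpected,
        "unexpected": unexpected,
        "missing": [c for c in want if c not in seen],
        "weak": [c for c in seen if is_weak(c)],
        "no_forward_secrecy": [c for c in seen if not has_forward_secrecy(c)],
    }


def openssl_accepts(cipher_string):
    """Feed a cipher string to the local OpenSSL through Python's ssl module.
    OpenSSL refuses a string that selects no suite, so "literal garbage"
    fails here; a server that keeps running unchanged on garbage input is
    not applying the attribute at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


# Todd's configured list and the two scan results quoted in the thread.
TODD_CIPHERS = (
    "TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
)
TODD_SCAN = [  # what SSL Labs reported for Todd's host
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
PETER_SCAN = [  # what SSL Labs reported for Peter's host running the same config
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for label, scan in (("Todd", TODD_SCAN), ("Peter", PETER_SCAN)):
        print(label, compare(TODD_CIPHERS, scan))
    print("garbage accepted by OpenSSL:", openssl_accepts("literal garbage text"))
```

Run against Todd's scan the report lists five unexpected suites and `config_applied` false; against Peter's scan it lists none, but still flags `DES-CBC3-SHA` as weak and the seven static-RSA suites as lacking forward secrecy, which is the A- reason Peter quotes.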



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Todd
Christopher Schultz-2 wrote
> Yup: if you use iptables (ipchains hasn't been used in ... decades?) 
> to do port-redirection, then you are in fact hitting Tomcat / JVM 
> (essentially) directly. 

Yes - iptables, sorry brain fart.


Christopher Schultz-2 wrote
> Can you confirm whether or not you are using the OpenSSL provider?

How can I verify my provider?


Christopher Schultz-2 wrote
> What version of OpenSSL are you using? These cipher suites should have
> well-known names and numeric identifiers (which is how the TLS
> handshake works), but it looks like the cipher suite names are somehow
> being confused.

OpenSSL 1.0.2g


Christopher Schultz-2 wrote
> What happens if you narrow your cipher suite list down to a single
> cipher? Does ssllabs report just a single available cipher (even if
> it's not the one you configured)?
> 
> -chris

Whether I put in a single cipher, literal garbage text, or the list that I
want - ssllabs reports the same list of ciphers detected as I posted above. 
I also get the same cipher on Chrome that is not in the list I'm putting in
my configuration as well.



--
View this message in context: 
http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064960.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Christopher Schultz

Todd,

On 6/30/17 10:21 AM, Todd wrote:
> Peter Kreuser wrote
>>> 
>>> Can you provide a clean configuration that exhibits this
>>> behavior?
>>> 
>>> What are you using to test the effective configuration?
>> 
>> Another question: are you sure that you hit the Connector that
>> you configure? Tomcat should be reasonably configured in defaults
>> with a current JDK...
>> 
>> 8443 or the like are not scanned with ssllabs! So it may as well
>> hit an apache on the same machine!
>> 
>> Can you show detail on what ssllabs is complaining about?
>> 
>> Best regards
>> 
>> Peter
> 
> Thank you Peter and Chris.
> 
> I'm utilizing ssllabs to check as well as just going to the site
> with Chrome and looking in developer tools to see the protocol that
> was selected.
> 
> I understand that 8443 is not a normal port, I'm using ipchains to
> redirect traffic from 443 to 8443.  I believe that traffic is
> specifically hitting this webserver, as changes such as adding SSL
> or removing TLS 1.0 in the configuration file take immediate effect
> after restarting the Tomcat service.

Yup: if you use iptables (ipchains hasn't been used in ... decades?)
to do port-redirection, then you are in fact hitting Tomcat / JVM
(essentially) directly.

> My current SSLHostConfig looks like this:
> 
> <SSLHostConfig honorCipherOrder="true" ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
>   <Certificate certificateKeystoreFile="" certificateKeystorePassword=""
>    type="RSA" />
> </SSLHostConfig>

So, with that configuration you should get an NIO connector and, if
libtcnative is nearby, you should get the OpenSSL crypto provider.

> But ssllabs reports the following ciphers: 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> None of these ciphers are included in my list, and changes to my
> cipher list have no effect at all on what is displayed by ssllabs.
> 
> I'm stuck, so any ideas or guidance is appreciated, thank you!

Can you confirm whether or not you are using the OpenSSL provider?

What version of OpenSSL are you using? These cipher suites should have
well-known names and numeric identifiers (which is how the TLS
handshake works), but it looks like the cipher suite names are somehow
being confused.

What happens if you narrow your cipher suite list down to a single
cipher? Does ssllabs report just a single available cipher (even if
it's not the one you configured)?

-chris




Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-30 Thread Todd
Peter Kreuser wrote
>> 
>> Can you provide a clean configuration that exhibits this behavior?
>> 
>> What are you using to test the effective configuration?
> 
> Another question: are you sure that you hit the Connector that you
> configure? Tomcat should be reasonably configured in defaults with a
> current JDK...
> 
> 8443 or the like are not scanned with ssllabs! So it may as well hit an
> apache on the same machine!
> 
> Can you show detail on what ssllabs is complaining about?
> 
> Best regards
> 
> Peter

Thank you Peter and Chris.

I'm utilizing ssllabs to check as well as just going to the site with Chrome
and looking in developer tools to see the protocol that was selected.

I understand that 8443 is not a normal port, I'm using ipchains to redirect
traffic from 443 to 8443.  I believe that traffic is specifically hitting
this webserver, as changes such as adding SSL or removing TLS 1.0 in the
configuration file take immediate effect after restarting the Tomcat
service.

My current SSLHostConfig looks like this:

 
 


But ssllabs reports the following ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

None of these ciphers are included in my list, and changes to my cipher list
have no effect at all on what is displayed by ssllabs.

I'm stuck, so any ideas or guidance is appreciated, thank you!
-Todd







Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-26 Thread Peter Kreuser
Todd,

> On 26.06.2017 at 18:56, Christopher Schultz wrote:
> 
> 
> Todd,
> 
>> On 6/23/17 2:56 PM, Todd wrote:
>> Thank you Peter - I tried that previously, and just to double check
>> tried it again.  No difference at all.  A set of ciphers is being
>> presented that do not match to the cipher list that I've included
>> at all.
>> 
>> Any other ideas as to what could be overriding this list?  As
>> mentioned, some things when edited do take effect, like the
>> protocol selection (I can remove TLS, add SSL, etc.), if I have a
>> syntax error, the server won't start and will give an error, but
>> nothing I put in ciphers seems  to work.
> 
> Can you provide a clean configuration that exhibits this behavior?
> 
> What are you using to test the effective configuration?

Another question: are you sure that you hit the Connector that you configure? 
Tomcat should be reasonably configured in defaults with a current JDK...

8443 or the like are not scanned with ssllabs! So it may as well hit an apache 
on the same machine!

Can you show detail on what ssllabs is complaining about?

Best regards

Peter

> -chris





Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-26 Thread Christopher Schultz

Todd,

On 6/23/17 2:56 PM, Todd wrote:
> Thank you Peter - I tried that previously, and just to double check
> tried it again.  No difference at all.  A set of ciphers is being
> presented that do not match to the cipher list that I've included
> at all.
> 
> Any other ideas as to what could be overriding this list?  As
> mentioned, some things when edited do take effect, like the
> protocol selection (I can remove TLS, add SSL, etc.), if I have a
> syntax error, the server won't start and will give an error, but
> nothing I put in ciphers seems  to work.

Can you provide a clean configuration that exhibits this behavior?

What are you using to test the effective configuration?

-chris




Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-23 Thread Todd
Todd wrote
>> I'm experiencing the exact same issue with 8.5.14 - cipher list seems to
>> be ignored, regardless of what I put in SSLAbs and validating via browser
>> on my website a set of ciphers is used that I have not listed.
>> 
>> I am able to change protocols (for instance, I can remove TLSv1 and the
>> system correctly makes that change), but any changes to ciphers are
>> completely ignored.  I've tried adding just one cipher, I've tried
>> OpenSSL and Standard cipher names, I've put in gibberish.  All end in the
>> exact same result, no errors in the log and a list of cipher suites that
>> I did not get to pick.



Peter Kreuser wrote
> From looking at your answer on nabble I see that your ciphers are not in
> an xml attribute in the SSLHostConfig-Element, but in the body.
> 
> Try
> 
> <SSLHostConfig honorCipherOrder="true"
> ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_GCM_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
> 
>   <Certificate certificateKeystorePassword=""
>    type="RSA" />
> </SSLHostConfig>
> 
> 
> Best regards
> 
> Peter

Thank you Peter - I tried that previously, and just to double check tried it
again.  No difference at all.  A set of ciphers is being presented that do
not match to the cipher list that I've included at all.

Any other ideas as to what could be overriding this list?  As mentioned,
some things when edited do take effect, like the protocol selection (I can
remove TLS, add SSL, etc.), if I have a syntax error, the server won't start
and will give an error, but nothing I put in ciphers seems  to work.

Thank you
Todd







Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-23 Thread logo
Todd,


> On 23.06.2017 at 18:53, Todd wrote:
> 
> I'm experiencing the exact same issue with 8.5.14 - cipher list seems to be
> ignored, regardless of what I put in SSLAbs and validating via browser on my
> website a set of ciphers is used that I have not listed.
> 
> I am able to change protocols (for instance, I can remove TLSv1 and the
> system correctly makes that change), but any changes to ciphers are
> completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
> and Standard cipher names, I've put in gibberish.  All end in the exact same
> result, no errors in the log and a list of cipher suites that I did not get
> to pick.
> 
> I've also validated that the ciphers that I want to use are available to
> Java - using 1.8 (http://markmail.org/message/zn4namfhypyxum23#query:+page:1+mid:zn4namfhypyxum23+state:results)
> 
> Really appreciate help or direction that anyone can give!
> 
> Todd
> 
> My relevant config:
> 
> 
> 
> 


From looking at your answer on nabble I see that your ciphers are not in an xml 
attribute in the SSLHostConfig-Element, but in the body.

Try



Best regards

Peter



Re: AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-06-23 Thread Todd
I'm experiencing the exact same issue with 8.5.14 - cipher list seems to be
ignored, regardless of what I put in SSLAbs and validating via browser on my
website a set of ciphers is used that I have not listed.

I am able to change protocols (for instance, I can remove TLSv1 and the
system correctly makes that change), but any changes to ciphers are
completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
and Standard cipher names, I've put in gibberish.  All end in the exact same
result, no errors in the log and a list of cipher suites that I did not get
to pick.

I've also validated that the ciphers that I want to use are available to
Java - using 1.8 (http://markmail.org/message/zn4namfhypyxum23#query:+page:1+mid:zn4namfhypyxum23+state:results)

Really appreciate help or direction that anyone can give!

Todd

My relevant config:








Re: AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-04-27 Thread Mark Thomas
On 27/04/17 19:49, Dan Morrison wrote:



> I'm still confused by JSSE vs OpenSSL.  From all that I can figure I
> think I'm setup for JSSE Ciphers ? (not counting the above test)

There are two parts: config style and implementation.

As much as we can, we have tried to make all combinations work so it is
easy to switch from one to the other.

To find out what is being used, look at the start logs. For example:
...Starting ProtocolHandler ["https-jsse-nio-8443"]

https = TLS is enabled
jsse  = The JSSE TLS implementation is being used
(it would be openssl if the OpenSSL implementation was used)
nio   = The pure Java NIO connector is being used
8443  = The connector is listening on port 8443

And the associated configuration is:


  

  


so I am using JSSE style config because certificateKeystoreFile is JSSE
only.

Ciphers can be specified as:
- comma separated JSSE names
- comma separated OpenSSL names
- standard OpenSSL syntax

Internally it is always stored in OpenSSL format.

If I add your cipher list to the SSLHostConfig element above and test
with SSLLabs I see the following ciphers for TLS 1.2

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA *
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The cipher marked with * is also available for TLS 1.1 and 1.0

Which is what I'd expect to see given I'm using an RSA cert.

If I then add
protocols="TLSv1.1+TLSv1.2"

the TLS 1.0 section for supported protocols disappears. Again as expected.

As far as I can tell, everything is working as expected.

HTH,

Mark


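The startup log line Mark points at is the authoritative answer to "which implementation and port am I actually configuring", and it is worth reading mechanically when several connectors are defined. The following is an added Python example, not Tomcat code, that scans a startup log for `Starting ProtocolHandler` lines and decodes each handler name the way Mark spells it out (scheme, then `jsse` or `openssl` for TLS handlers, then the connector type, then the port). The sample log lines are constructed; the handling of an optional bind address between the connector and the port is an assumption about how Tomcat builds the name, not something stated in the thread.

```python
"""Decode Tomcat "Starting ProtocolHandler" log lines.

Added example for this thread, not Tomcat code. The sample log is constructed.
Handler names are read as scheme-[impl-]connector-[address-]port; the optional
address segment is an assumption about how Tomcat builds the name."""
import re

_HANDLER = re.compile(r'Starting ProtocolHandler \["([^"]+)"\]')

# Constructed startup log in the 8.5 format: plain HTTP on 8080, a TLS
# connector on 8443 using JSSE, AJP on 8009, plus an unrelated line.
SAMPLE_LOG = """\
30-Jun-2017 13:30:00.101 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
30-Jun-2017 13:30:00.112 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-8443"]
30-Jun-2017 13:30:00.120 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
30-Jun-2017 13:30:00.125 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
"""


def parse_handler_name(name):
    """'https-jsse-nio-8443' -> scheme https, TLS on, implementation jsse,
    connector nio, port 8443. Non-TLS handlers ('http-nio-8080',
    'ajp-nio-8009') carry no implementation segment."""
    parts = name.split("-")
    if len(parts) < 3:
        raise ValueError("unexpected handler name: " + name)
    scheme, port = parts[0], int(parts[-1])
    tls = scheme == "https"
    if tls:
        implementation, connector, rest = parts[1], parts[2], parts[3:-1]
    else:
        implementation, connector, rest = None, parts[1], parts[2:-1]
    return {
        "scheme": scheme,
        "tls": tls,
        "implementation": implementation,   # 'jsse' or 'openssl' when tls
        "connector": connector,             # 'nio', 'nio2' or 'apr'
        "address": "-".join(rest) or None,  # assumption: bind address, if any
        "port": port,
    }


def scan_startup_log(text):
    """Return one record per ProtocolHandler the log says was started."""
    handlers = []
    for line in text.splitlines():
        m = _HANDLER.search(line)
        if m:
            handlers.append(parse_handler_name(m.group(1)))
    return handlers


def explain_port(handlers, port):
    """Plain-language answer to 'what is Tomcat doing on this port?', which is
    the first thing to settle before touching the ciphers attribute."""
    matches = [h for h in handlers if h["port"] == port]
    if not matches:
        return ("no ProtocolHandler started on port %d; whatever answers "
                "there is not this Tomcat" % port)
    h = matches[0]
    if not h["tls"]:
        return ("port %d is a plain %s connector (%s); TLS is not enabled"
                % (port, h["scheme"], h["connector"]))
    return ("port %d: TLS via %s on the %s connector"
            % (port, h["implementation"], h["connector"]))


if __name__ == "__main__":
    found = scan_startup_log(SAMPLE_LOG)
    for p in (8080, 8443, 443):
        print(explain_port(found, p))
```

On the constructed log this reports JSSE on the nio connector for 8443 and nothing at all for 443, which is the situation in the thread: traffic only reaches 8443 through the iptables redirect, so an answer on 443 that does not match the 8443 configuration is coming from somewhere other than this handler.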



Re: AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-04-27 Thread Dan Morrison

On 04/27/2017 01:32 PM, Dan Morrison wrote:

On 04/27/2017 10:57 AM, Kreuser, Peter wrote:

Hi (WhoEverYouMayBe - you may want to sign with a name???),



Server version:Apache Tomcat/8.5.11
Server built:  Jan 10 2017 21:02:52 UTC
Server number: 8.5.11.0
OS Name:   Linux
OS Version:3.10.0-514.16.1.el7.x86_64
Architecture:  amd64
Java Home: /usr/java/jdk1.8.0_121/jre
JVM Version:   1.8.0_121-b13
JVM Vendor:Oracle Corporation
CATALINA_BASE: /opt/apache-tomcat-8.5.11
CATALINA_HOME: /opt/apache-tomcat-8.5.11
Command line argument:
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties 


Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Command line argument: -Duser.timezone=US/Eastern
Command line argument: -Xms128m
Command line argument: -Xmx1024m
Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Command line argument:
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
Command line argument: -Djavax.net.debug=ssl:handshake
Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp

Have tested this with both 8.5.11 and 8.5.14.
There are NO logged Exceptions or errors.
Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2
Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 and
TLSv1.2
Not being able to turn off TLSv1.0 results in PCI compliance problems.

Each SSLHostConfig needs to be able to support different ciphers, since
some sites are PCI and some sites support legacy data interfaces.

I couldn't exactly figure out the expected syntax for the protocols, so
I tried... (9.0 style)
protocols="+TLSv1.1+TLSv1.2"
protocols="+TLSv1.1,+TLSv1.2"
protocols="+TLSv1.1 +TLSv1.2"
protocols="-TLSv1+TLSv1.1+TLSv1.2"
protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"

ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfig
style). These ciphers are NOT in the ciphers list.
TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH sect571r1
(eq. 15360 bits RSA)   FS

server.xml Connector snippet (old style - don't get TLSv1.0)
  

  keystoreFile="./conf/keystore.jks" 
keystorePass="mypass"

 keyAlias="myalias1"
 clientAuth="false"
 useServerCipherSuitesOrder="true"
 sslEnabledProtocols="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 (etc)
 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />

 

   keystoreFile="./conf/keystore.jks" 
keystorePass="mypass"

 keyAlias="myalias2"
 clientAuth="false"
 useServerCipherSuitesOrder="true"
 sslEnabledProtocols="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 (etc)
 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />



server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" 


 SSLEnabled="true" scheme="https" secure="true"
 defaultSSLHostConfigName="www.mydomain1.com"
 maxThreads="150" compression="false" 
enableLookups="false" >


  
  
 honorCipherOrder="true"
 protocols="+TLSv1.1+TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 (etc)
 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
  

  
  
 honorCipherOrder="true"
 protocols="+TLSv1.1+TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 (etc)
 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
  

Thanks in advance for your help !!!




Apparently the following works, and from my understanding openssl- 
and java-syntax are supported from 8.5. onwards.


   sslEnabledProtocols="TLSv1.1, TLSv1.2" <-- if java is used
   protocols="TLSv1.1+TLSv1.2"<-- if openssl is used

I didn't use sslEnabledProtocols as it shows as NIO and NIO2 (deprecated)
tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 



I had read somewhere in the docs that the Connector was being made to 
use generic terms that would work for both JSSE and OpenSSL, so I 
stayed away from the older terminology.


I will try as you have suggested.


 

Re: AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-04-27 Thread Dan Morrison

On 04/27/2017 10:57 AM, Kreuser, Peter wrote:

Hi (WhoEverYouMayBe - you may want to sign with a name???),



Server version:Apache Tomcat/8.5.11
Server built:  Jan 10 2017 21:02:52 UTC
Server number: 8.5.11.0
OS Name:   Linux
OS Version:3.10.0-514.16.1.el7.x86_64
Architecture:  amd64
Java Home: /usr/java/jdk1.8.0_121/jre
JVM Version:   1.8.0_121-b13
JVM Vendor:Oracle Corporation
CATALINA_BASE: /opt/apache-tomcat-8.5.11
CATALINA_HOME: /opt/apache-tomcat-8.5.11
Command line argument:
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
Command line argument:
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
Command line argument: -Duser.timezone=US/Eastern
Command line argument: -Xms128m
Command line argument: -Xmx1024m
Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Command line argument:
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
Command line argument: -Djavax.net.debug=ssl:handshake
Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp

Have tested this with both 8.5.11 and 8.5.14.
There are NO logged Exceptions or errors.
Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2
Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 and
TLSv1.2
Not being able to turn off TLSv1.0 results in PCI compliance problems.

Each SSLHostConfig needs to be able to support different ciphers, since
some sites are PCI and some sites support legacy data interfaces.

I couldn't exactly figure out the expected syntax for the protocols, so
I tried... (9.0 style)
protocols="+TLSv1.1+TLSv1.2"
protocols="+TLSv1.1,+TLSv1.2"
protocols="+TLSv1.1 +TLSv1.2"
protocols="-TLSv1+TLSv1.1+TLSv1.2"
protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"

ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfig
style). These ciphers are NOT in the ciphers list.
TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH sect571r1
(eq. 15360 bits RSA)   FS

server.xml Connector snippet (old style - don't get TLSv1.0)
  

 

 

  



server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)
  

  
  
 honorCipherOrder="true"
 protocols="+TLSv1.1+TLSv1.2"
 ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 (etc)
 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
  

  
  
 honorCipherOrder="true"
 protocols="+TLSv1.1+TLSv1.2"
 ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 (etc)
 TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
  

Thanks in advance for your help !!!





Apparently the following works, and from my understanding openssl- and 
java-syntax are supported from 8.5. onwards.

   sslEnabledProtocols="TLSv1.1, TLSv1.2" <-- if java is used
   protocols="TLSv1.1+TLSv1.2"            <-- if openssl is used

I didn't use sslEnabledProtocols as it shows as NIO and NIO2 (deprecated)
tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2

I had read somewhere in the docs that the Connector was being made to 
use generic terms that would work for both JSSE and OpenSSL, so I stayed 
away from the older terminology.


I will try as you have suggested.



 
 


I guess the (etc) is very interesting to know to be able to find the culprit of 
this finding.
Didn't think it was important since it was the exact same list of 
ciphers used with the same Tomcat version using the non-SNI Connector 
syntax.


<SSLHostConfig
   honorCipherOrder="true"
   protocols="TLSv1.1, TLSv1.2"
   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
   TLS_RSA_WITH_AES_256_GCM_SHA384,
   TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
   TLS_RSA_WITH_AES_128_GCM_SHA256,
   TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
   TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />


Also, why does the 

AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-04-27 Thread Kreuser, Peter
Hi (WhoEverYouMayBe - you may want to sign with a name???),


> Server version:Apache Tomcat/8.5.11
> Server built:  Jan 10 2017 21:02:52 UTC
> Server number: 8.5.11.0
> OS Name:   Linux
> OS Version:3.10.0-514.16.1.el7.x86_64
> Architecture:  amd64
> Java Home: /usr/java/jdk1.8.0_121/jre
> JVM Version:   1.8.0_121-b13
> JVM Vendor:Oracle Corporation
> CATALINA_BASE: /opt/apache-tomcat-8.5.11
> CATALINA_HOME: /opt/apache-tomcat-8.5.11
> Command line argument: 
> -Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
> Command line argument: 
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> Command line argument: -Duser.timezone=US/Eastern
> Command line argument: -Xms128m
> Command line argument: -Xmx1024m
> Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
> Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> Command line argument: 
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> Command line argument: -Djavax.net.debug=ssl:handshake
> Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
> Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
> Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp
> 
> Have tested this with both 8.5.11 and 8.5.14.
> There are NO logged Exceptions or errors.
> Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2
> Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 and 
> TLSv1.2
> Not being able to turn off TLSv1.0 results in PCI compliance problems.
> 
> Each SSLHostConfig needs to be able to support different ciphers, since 
> some sites are PCI and some sites support legacy data interfaces.
> 
> I couldn't exactly figure out the expected syntax for the protocols, so 
> I tried... (9.0 style)
> protocols="+TLSv1.1+TLSv1.2"
> protocols="+TLSv1.1,+TLSv1.2"
> protocols="+TLSv1.1 +TLSv1.2"
> protocols="-TLSv1+TLSv1.1+TLSv1.2"
> protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"
> 
> ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfig 
> style). These ciphers are NOT in the ciphers list.
> TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS
> TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH sect571r1 
> (eq. 15360 bits RSA)   FS
> 
> server.xml Connector snippet (old style - don't get TLSv1.0)
> <Connector
>   address="192.168.52.13" port="80" protocol="HTTP/1.1"
>   connectionTimeout="2"
>   redirectPort="443" />
> 
> <Connector
>   address="192.168.52.13" port="443"
>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>   SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="./conf/keystore.jks" keystorePass="mypass"
>   keyAlias="myalias1"
>   clientAuth="false"
>   useServerCipherSuitesOrder="true"
>   sslEnabledProtocols="TLSv1.1,TLSv1.2"
>   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>   (etc)
>   TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
> 
> <Connector
>   address="192.168.52.15" port="80" protocol="HTTP/1.1"
>   connectionTimeout="2"
>   redirectPort="443" />
> 
> <Connector
>   address="192.168.52.15" port="443"
>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>   SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="./conf/keystore.jks" keystorePass="mypass"
>   keyAlias="myalias2"
>   clientAuth="false"
>   useServerCipherSuitesOrder="true"
>   sslEnabledProtocols="TLSv1.1,TLSv1.2"
>   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>   (etc)
>   TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
> 
> 
> server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)
> <Connector port="443"
>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>   sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>   SSLEnabled="true" scheme="https" secure="true"
>   defaultSSLHostConfigName="www.mydomain1.com"
>   maxThreads="150" compression="false" enableLookups="false" >
> 
>   <SSLHostConfig hostName="www.mydomain1.com"
>     honorCipherOrder="true"
>     protocols="+TLSv1.1+TLSv1.2"
>     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>     (etc)
>     TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" >
>     <Certificate certificateKeystoreFile="./conf/keystore.jks"
>       certificateKeystorePassword="mypass"
>       certificateKeyAlias="mydomain1.com"
>       type="RSA" />
>   </SSLHostConfig>
> 
>   <SSLHostConfig hostName="www.mydomain2.com"
>     honorCipherOrder="true"
>     protocols="+TLSv1.1+TLSv1.2"
>     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>     (etc)
>     TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" >
>     <Certificate certificateKeystoreFile="./conf/keystore.jks"
>       certificateKeystorePassword="mypass"

8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

2017-04-27 Thread htsguru

Server version:Apache Tomcat/8.5.11
Server built:  Jan 10 2017 21:02:52 UTC
Server number: 8.5.11.0
OS Name:   Linux
OS Version:3.10.0-514.16.1.el7.x86_64
Architecture:  amd64
Java Home: /usr/java/jdk1.8.0_121/jre
JVM Version:   1.8.0_121-b13
JVM Vendor:Oracle Corporation
CATALINA_BASE: /opt/apache-tomcat-8.5.11
CATALINA_HOME: /opt/apache-tomcat-8.5.11
Command line argument: 
-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
Command line argument: 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

Command line argument: -Duser.timezone=US/Eastern
Command line argument: -Xms128m
Command line argument: -Xmx1024m
Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
Command line argument: 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources

Command line argument: -Djavax.net.debug=ssl:handshake
Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp

Have tested this with both 8.5.11 and 8.5.14.
There are NO logged Exceptions or errors.
Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2
Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 and 
TLSv1.2

Not being able to turn off TLSv1.0 results in PCI compliance problems.

Each SSLHostConfig needs to be able to support different ciphers, since 
some sites are PCI and some sites support legacy data interfaces.


I couldn't exactly figure out the expected syntax for the protocols, so 
I tried... (9.0 style)

protocols="+TLSv1.1+TLSv1.2"
protocols="+TLSv1.1,+TLSv1.2"
protocols="+TLSv1.1 +TLSv1.2"
protocols="-TLSv1+TLSv1.1+TLSv1.2"
protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"

ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfig 
style). These ciphers are NOT in the ciphers list.

TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH sect571r1 
(eq. 15360 bits RSA)   FS


server.xml Connector snippet (old style - don't get TLSv1.0)

<Connector
    address="192.168.52.13" port="80" protocol="HTTP/1.1"
    connectionTimeout="2"
    redirectPort="443" />

<Connector
    address="192.168.52.13" port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="./conf/keystore.jks" keystorePass="mypass"
    keyAlias="myalias1"
    clientAuth="false"
    useServerCipherSuitesOrder="true"
    sslEnabledProtocols="TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    (etc)
    TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />

<Connector
    address="192.168.52.15" port="80" protocol="HTTP/1.1"
    connectionTimeout="2"
    redirectPort="443" />

<Connector
    address="192.168.52.15" port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="./conf/keystore.jks" keystorePass="mypass"
    keyAlias="myalias2"
    clientAuth="false"
    useServerCipherSuitesOrder="true"
    sslEnabledProtocols="TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    (etc)
    TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />


server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)

<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    SSLEnabled="true" scheme="https" secure="true"
    defaultSSLHostConfigName="www.mydomain1.com"
    maxThreads="150" compression="false" enableLookups="false" >

  <SSLHostConfig hostName="www.mydomain1.com"
      honorCipherOrder="true"
      protocols="+TLSv1.1+TLSv1.2"
      ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      (etc)
      TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" >
    <Certificate certificateKeystoreFile="./conf/keystore.jks"
        certificateKeystorePassword="mypass"
        certificateKeyAlias="mydomain1.com"
        type="RSA" />
  </SSLHostConfig>

  <SSLHostConfig hostName="www.mydomain2.com"
      honorCipherOrder="true"
      protocols="+TLSv1.1+TLSv1.2"
      ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
      (etc)
      TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" >
    <Certificate certificateKeystoreFile="./conf/keystore.jks"
        certificateKeystorePassword="mypass"
        certificateKeyAlias="mydomain2.com"
        type="RSA" />
  </SSLHostConfig>
</Connector>

Thanks in advance for your help!!!


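The protocol-token syntax the original post experiments with, and the sslEnabledProtocols versus protocols exchange in the reply above, can be checked without a running Tomcat. The script below is an added example for this page, not Tomcat's own code. It models the SSLHostConfig `protocols` semantics as the Tomcat 8.5 configuration reference documents them (the list starts empty, `+` adds a protocol, `-` removes it, a bare or comma-prefixed token is treated as `+` with a logged warning, `all` expands to the full set, and TLSv1 is synonymous with TLSv1.0), splits a `ciphers` attribute on the `:` or `,` separators Tomcat accepts, and cross-checks ssllabs-style scan rows against both. Assumptions of the example: the `all` set is the Tomcat 8.5 / Java 8 one (TLSv1, TLSv1.1, TLSv1.2); the whitespace stripping and the TLSv1.0 alias mapping are this example's own; the sample attribute values and the two scan rows are copied from the thread. One observation the check makes visible: the last entry of the posted list, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF, is not a standard suite name (the JSSE/IANA name is TLS_EMPTY_RENEGOTIATION_INFO_SCSV); the parser carries it through unchanged.

```python
"""Tomcat SSLHostConfig protocols/ciphers parser and scan cross-check.

Added example for this thread, not Tomcat's code. parse_protocols() follows
the token semantics documented for SSLHostConfig.protocols in the Tomcat 8.5
configuration reference; the scan-row format is the one ssllabs printed in
the thread; whitespace handling and the TLSv1.0 alias are this example's own.
"""
import re

# What "all" expands to on Tomcat 8.5 with Java 8 (assumption; later releases add TLSv1.3).
ALL_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")
# JSSE spells TLS 1.0 "TLSv1"; the Tomcat docs call "TLSv1.0" a synonym, so map it.
_ALIASES = {"TLSv1.0": "TLSv1"}


def parse_protocols(value: str) -> set:
    """Return the protocol set a protocols="..." value enables.

    The set starts empty; tokens are read left to right; "+" adds, "-" removes,
    and a bare or ","-prefixed token adds (Tomcat accepts it and warns about the
    missing sign). Whitespace around tokens is ignored.
    """
    enabled = set()
    # Split in front of every sign or comma so each separator stays with its token.
    for piece in re.split(r"(?=[-+,])", value):
        token = piece.strip()
        if len(token) <= 1:                  # empty piece or a lone separator
            continue
        sign = "+"
        if token[0] in "+-,":
            sign, token = token[0], token[1:].strip()
        if not token:
            continue
        names = ALL_PROTOCOLS if token.lower() == "all" else (_ALIASES.get(token, token),)
        if sign == "-":
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def parse_ciphers(value: str) -> list:
    """Split an explicit suite list (JSSE or OpenSSL names) on ":" or ",", the
    two separators Tomcat accepts, dropping the newlines and indentation a
    multi-line attribute value carries (this example's simplification)."""
    return [c.strip() for c in re.split(r"[:,]", value) if c.strip()]


# One ssllabs row as quoted in the thread: "<protocol> <suite> (0x<id>) ..."
_SCAN_ROW = re.compile(r"^(SSLv\d|TLSv1(?:\.\d)?)\s+(TLS_\w+)\s+\((0x[0-9A-Fa-f]+)\)")


def parse_scan(text: str) -> list:
    """Return (protocol, suite, numeric id) for every recognised scan row."""
    rows = []
    for line in text.splitlines():
        m = _SCAN_ROW.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return rows


def audit(protocols_attr: str, ciphers_attr: str, scan_text: str) -> list:
    """Cross-check what a scanner saw against the configured policy.

    Any finding means the endpoint scanned is not enforcing this SSLHostConfig:
    wrong host block, wrong connector, or another host answering for that
    name/IP (the routing question Chris raises in the thread).
    """
    enabled = parse_protocols(protocols_attr)
    configured = set(parse_ciphers(ciphers_attr))
    findings = []
    for proto, suite, code in parse_scan(scan_text):
        if _ALIASES.get(proto, proto) not in enabled:
            findings.append(f"{proto} offered, but protocols={protocols_attr!r} excludes it")
        if suite not in configured:
            findings.append(f"{suite} (0x{code:04x}) offered, but not in the ciphers list")
    return findings


# Constructed sample input: the attribute values and scan rows quoted in the thread.
PROTOCOL_ATTEMPTS = [
    "+TLSv1.1+TLSv1.2", "+TLSv1.1,+TLSv1.2", "+TLSv1.1 +TLSv1.2",
    "-TLSv1+TLSv1.1+TLSv1.2", "-TLSv1.0,+TLSv1.1,+TLSv1.2", "TLSv1.1, TLSv1.2",
]
CIPHERS_ATTR = """TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
    TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"""
SCAN_TEXT = """\
TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS
TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH sect571r1 (eq. 15360 bits RSA)   FS
"""

if __name__ == "__main__":
    for attempt in PROTOCOL_ATTEMPTS:
        print(f'protocols="{attempt}" -> {sorted(parse_protocols(attempt))}')
    for finding in audit("+TLSv1.1+TLSv1.2", CIPHERS_ATTR, SCAN_TEXT):
        print("FINDING:", finding)
```

Run as-is, every one of the six spellings resolves to the same set, {TLSv1.1, TLSv1.2}, so the syntax was never the problem; the audit then prints four findings for the thread's data (TLSv1.0 offered twice, and two suites outside the list). Paste the rows from a scan of your own host: an empty result is the confirmation that the endpoint you scanned is the one running this SSLHostConfig, and anything else points at the connector or the routing rather than at the attribute syntax.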