Re: configuring ciphers for SSL Labs server test

[logo]

Hi Baron,


Am 12.05.2018 05:36, schrieb Baron Fujimoto:

Hmm, I'm now getting an A grade using:



If I'm sufficiently motivated next week, I'll see if I can sort out 
exactly what

the deal was. But for now, it's Friday and pau hana time...

(yes, tomcat 8.5.x and Java 1.8_x)

On Fri, May 11, 2018 at 07:39:25AM +0100, Mark Thomas wrote:

On 11/05/18 03:35, Baron Fujimoto wrote:
Yes, the host is behind an F5 load balacer, but AFAIK it should be 
passing

all the TLS/SSL directly to the real host to handle.


You don't say which Tomcat version is being used. I assume one of the
8.5.x versions since the 8.5.x docs are referenced.

8.5.x should get an A from SSLLabs with the default configuration:
https://wiki.apache.org/tomcat/Security/Ciphers

I recently updated that page but 8.5.x was getting a A two years ago 
as

well.

Are you sure Java 8 is being used?

Mark




On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:

Are you using a load balancer?



Sent from my T-Mobile 4G LTE Device


 Original message 
From: David Wall <d.w...@computer.org>
Date: 5/10/18 6:15 PM (GMT-06:00)
To: users@tomcat.apache.org
Subject: Re: configuring ciphers for SSL Labs server test

We're doing good with this:




On 5/10/18 2:45 PM, Baron Fujimoto wrote:
I'm trying to improve our grade on SSL Labs SSL server test[1] for 
our
Tomcat configuraton. Currently, their report caps our grade at B 
because,
"This server does not support Authenticated encryption (AEAD) 
cipher

suites". They report that we support the following cipher suites:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I'm not sure why SSL Labs is seeing such a limited set of ciphers. 
We are

using Java 1.8.0_162, and I believe we have the Java Cryptography
Extension (JCE) properly installed. I have the following connector
defined (this version explicitly lists ciphers I think should 
satisfy the

AEAD cipher requirement[2]):

 protocol="org.apache.coyote.http11.Http11NioProtocol"

address="0.0.0.0"
port="8443"
maxThreads="500"
maxPostSize="10"
scheme="https" secure="true"
defaultSSLHostConfigName="foo.example.edu"
SSLEnabled="true" >
 
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

:!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
:!TLS_DHE_RSA_WITH_AES_256_CBC_SHA

:!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

:!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

:!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

:!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

:!TLS_RSA_WITH_AES_128_CBC_SHA
:!TLS_RSA_WITH_AES_256_CBC_SHA
:!TLS_RSA_WITH_AES_128_CBC_SHA256
:!TLS_RSA_WITH_AES_256_CBC_SHA256
:!TLS_RSA_WITH_AES_128_GCM_SHA256
:!TLS_RSA_WITH_AES_256_GCM_SHA384

:!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

:!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

:TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

:TLS_DHE_RSA_WITH_AES_128_CBC_SHA
:TLS_DHE_RSA_WITH_AES_256_CBC_SHA

:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

:TLS_DHE_RSA_WITH_AES_256_CBC_

Re: configuring ciphers for SSL Labs server test

[Baron Fujimoto]

Hmm, I'm now getting an A grade using:



If I'm sufficiently motivated next week, I'll see if I can sort out exactly what
the deal was. But for now, it's Friday and pau hana time...

(yes, tomcat 8.5.x and Java 1.8_x)

On Fri, May 11, 2018 at 07:39:25AM +0100, Mark Thomas wrote:
>On 11/05/18 03:35, Baron Fujimoto wrote:
>> Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
>> all the TLS/SSL directly to the real host to handle.
>
>You don't say which Tomcat version is being used. I assume one of the
>8.5.x versions since the 8.5.x docs are referenced.
>
>8.5.x should get an A from SSLLabs with the default configuration:
>https://wiki.apache.org/tomcat/Security/Ciphers
>
>I recently updated that page but 8.5.x was getting a A two years ago as
>well.
>
>Are you sure Java 8 is being used?
>
>Mark
>
>
>> 
>> On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:
>>> Are you using a load balancer?
>>>
>>>
>>>
>>> Sent from my T-Mobile 4G LTE Device
>>>
>>>
>>>  Original message ----
>>> From: David Wall <d.w...@computer.org>
>>> Date: 5/10/18 6:15 PM (GMT-06:00)
>>> To: users@tomcat.apache.org
>>> Subject: Re: configuring ciphers for SSL Labs server test
>>>
>>> We're doing good with this:
>>>
>>> >> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>>> >
>>>
>>>
>>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>>>> Tomcat configuraton. Currently, their report caps our grade at B because,
>>>> "This server does not support Authenticated encryption (AEAD) cipher
>>>> suites". They report that we support the following cipher suites:
>>>>
>>>> # TLS 1.2
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>
>>>> # TLS 1.1
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>
>>>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>>>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>>>> Extension (JCE) properly installed. I have the following connector
>>>> defined (this version explicitly lists ciphers I think should satisfy the
>>>> AEAD cipher requirement[2]):
>>>>
>>>>  >>> address="0.0.0.0"
>>>> port="8443"
>>>> maxThreads="500"
>>>> maxPostSize="10"
>>>> scheme="https" secure="true"
>>>> defaultSSLHostConfigName="foo.example.edu"
>>>> SSLEnabled="true" >
>>>>  >>> protocols="TLSv1.1+TLSv1.2+TLS1.3"
>>>> certificateVerification="none"
>>>> honorCipherOrder="true"
>>>> 
>>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>

RE: configuring ciphers for SSL Labs server test

[charlie arehart]

Also, Baron, about the URL you're testing on your site via by SSLLabs: is that 
really one being served by Tomcat's web server? That's whose connector you're 
showing here. 

If instead you are fronting/proxying Tomcat with Apache or IIS, then my 
understanding is that the SSL support is handled by that web server, not Tomcat 
(and the connector handling that would be one with a protocol="AJP/1.3" or the 
like), and you'd then be wanting to really resolve the poor grades via 
configuration of those instead.

I am open to being corrected by you or others here, of course.

/charlie

>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for 
>>> our Tomcat configuraton. Currently, their report caps our grade at B 
>>> because, "This server does not support Authenticated encryption 
>>> (AEAD) cipher suites". They report that we support the following cipher 
>>> suites:
>>>

>>>
>>>  >> address="0.0.0.0"
>>> port="8443"
>>> maxThreads="500"
>>> maxPostSize="10"
>>> scheme="https" secure="true"
>>> defaultSSLHostConfigName="foo.example.edu"
>>> SSLEnabled="true" >
>>>  



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: configuring ciphers for SSL Labs server test

[Mark Thomas]

On 11/05/18 03:35, Baron Fujimoto wrote:
> Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
> all the TLS/SSL directly to the real host to handle.

You don't say which Tomcat version is being used. I assume one of the
8.5.x versions since the 8.5.x docs are referenced.

8.5.x should get an A from SSLLabs with the default configuration:
https://wiki.apache.org/tomcat/Security/Ciphers

I recently updated that page but 8.5.x was getting a A two years ago as
well.

Are you sure Java 8 is being used?

Mark


> 
> On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:
>> Are you using a load balancer?
>>
>>
>>
>> Sent from my T-Mobile 4G LTE Device
>>
>>
>>  Original message 
>> From: David Wall <d.w...@computer.org>
>> Date: 5/10/18 6:15 PM (GMT-06:00)
>> To: users@tomcat.apache.org
>> Subject: Re: configuring ciphers for SSL Labs server test
>>
>> We're doing good with this:
>>
>> > protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>> >
>>
>>
>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>>> Tomcat configuraton. Currently, their report caps our grade at B because,
>>> "This server does not support Authenticated encryption (AEAD) cipher
>>> suites". They report that we support the following cipher suites:
>>>
>>> # TLS 1.2
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>
>>> # TLS 1.1
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>
>>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>>> Extension (JCE) properly installed. I have the following connector
>>> defined (this version explicitly lists ciphers I think should satisfy the
>>> AEAD cipher requirement[2]):
>>>
>>>  >> address="0.0.0.0"
>>> port="8443"
>>> maxThreads="500"
>>> maxPostSize="10"
>>> scheme="https" secure="true"
>>> defaultSSLHostConfigName="foo.example.edu"
>>> SSLEnabled="true" >
>>>  >> protocols="TLSv1.1+TLSv1.2+TLS1.3"
>>> certificateVerification="none"
>>> honorCipherOrder="true"
>>> 
>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>> :!TLS_RSA_WITH_AES_128_CBC_SHA
>>> :!TLS_RSA_WITH_AES_256_CBC_SHA
>>> :!TLS_RSA_WITH_AES_128_CBC_SHA256
>>> :!TLS_RSA_WITH_AES_256_CBC_SHA256
>>> :!TLS_RSA_WITH_AES_128_GCM_SHA256
>>> :!TLS_RSA_WITH_AES_256_GCM_SHA384
>>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>&

Re: configuring ciphers for SSL Labs server test

[Baron Fujimoto]

Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
all the TLS/SSL directly to the real host to handle.

On Thu, May 10, 2018 at 11:23:44PM +, Scott Hoenigman wrote:
> Are you using a load balancer?
>
>
>
>Sent from my T-Mobile 4G LTE Device
>
>
> Original message 
>From: David Wall <d.w...@computer.org>
>Date: 5/10/18 6:15 PM (GMT-06:00)
>To: users@tomcat.apache.org
>Subject: Re: configuring ciphers for SSL Labs server test
>
>We're doing good with this:
>
> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
> >
>
>
>On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>> Tomcat configuraton. Currently, their report caps our grade at B because,
>> "This server does not support Authenticated encryption (AEAD) cipher
>> suites". They report that we support the following cipher suites:
>>
>> # TLS 1.2
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>
>> # TLS 1.1
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>
>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>> Extension (JCE) properly installed. I have the following connector
>> defined (this version explicitly lists ciphers I think should satisfy the
>> AEAD cipher requirement[2]):
>>
>>  > address="0.0.0.0"
>> port="8443"
>> maxThreads="500"
>> maxPostSize="10"
>> scheme="https" secure="true"
>> defaultSSLHostConfigName="foo.example.edu"
>> SSLEnabled="true" >
>>  > protocols="TLSv1.1+TLSv1.2+TLS1.3"
>> certificateVerification="none"
>> honorCipherOrder="true"
>> 
>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>> :!TLS_RSA_WITH_AES_128_CBC_SHA
>> :!TLS_RSA_WITH_AES_256_CBC_SHA
>> :!TLS_RSA_WITH_AES_128_CBC_SHA256
>> :!TLS_RSA_WITH_AES_256_CBC_SHA256
>> :!TLS_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_RSA_WITH_AES_256_GCM_SHA384
>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> 

Re: configuring ciphers for SSL Labs server test

[Scott Hoenigman]

 Are you using a load balancer?



Sent from my T-Mobile 4G LTE Device


 Original message 
From: David Wall <d.w...@computer.org>
Date: 5/10/18 6:15 PM (GMT-06:00)
To: users@tomcat.apache.org
Subject: Re: configuring ciphers for SSL Labs server test

We're doing good with this:

 


On 5/10/18 2:45 PM, Baron Fujimoto wrote:
> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
> Tomcat configuraton. Currently, their report caps our grade at B because,
> "This server does not support Authenticated encryption (AEAD) cipher
> suites". They report that we support the following cipher suites:
>
> # TLS 1.2
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> # TLS 1.1
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
> using Java 1.8.0_162, and I believe we have the Java Cryptography
> Extension (JCE) properly installed. I have the following connector
> defined (this version explicitly lists ciphers I think should satisfy the
> AEAD cipher requirement[2]):
>
>   address="0.0.0.0"
> port="8443"
> maxThreads="500"
> maxPostSize="10"
> scheme="https" secure="true"
> defaultSSLHostConfigName="foo.example.edu"
> SSLEnabled="true" >
>   protocols="TLSv1.1+TLSv1.2+TLS1.3"
> certificateVerification="none"
> honorCipherOrder="true"
> 
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> :!TLS_RSA_WITH_AES_128_CBC_SHA
> :!TLS_RSA_WITH_AES_256_CBC_SHA
> :!TLS_RSA_WITH_AES_128_CBC_SHA256
> :!TLS_RSA_WITH_AES_256_CBC_SHA256
> :!TLS_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_RSA_WITH_AES_256_GCM_SHA384
> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >
> 
> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" >
>  
>  
>  
>
> I've mapped the cipher suite names using the OpenSSL cipher suite name
> list[3]. I originally started with
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
> result, so subsequently tried adding the specific ciphers shown above. The
> tomcat SSLHostConfig docs state that either the OpenSSL or

Re: configuring ciphers for SSL Labs server test

[David Wall]

We're doing good with this:

    protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"

ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
    >


On 5/10/18 2:45 PM, Baron Fujimoto wrote:

I'm trying to improve our grade on SSL Labs SSL server test[1] for our
Tomcat configuraton. Currently, their report caps our grade at B because,
"This server does not support Authenticated encryption (AEAD) cipher
suites". They report that we support the following cipher suites:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
using Java 1.8.0_162, and I believe we have the Java Cryptography
Extension (JCE) properly installed. I have the following connector
defined (this version explicitly lists ciphers I think should satisfy the
AEAD cipher requirement[2]):

 
 
 
 
 
 

I've mapped the cipher suite names using the OpenSSL cipher suite name
list[3]. I originally started with
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
result, so subsequently tried adding the specific ciphers shown above. The
tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
names may be used[4].

Any suggestions on what I may be doing wrong or for further troubleshooting?

References:
[1] 
[2] 

[3] 

[4] 





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

configuring ciphers for SSL Labs server test

[Baron Fujimoto]

I'm trying to improve our grade on SSL Labs SSL server test[1] for our
Tomcat configuraton. Currently, their report caps our grade at B because,
"This server does not support Authenticated encryption (AEAD) cipher
suites". They report that we support the following cipher suites:

# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

# TLS 1.1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
using Java 1.8.0_162, and I believe we have the Java Cryptography
Extension (JCE) properly installed. I have the following connector
defined (this version explicitly lists ciphers I think should satisfy the
AEAD cipher requirement[2]):








I've mapped the cipher suite names using the OpenSSL cipher suite name
list[3]. I originally started with
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
result, so subsequently tried adding the specific ciphers shown above. The
tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
names may be used[4].

Any suggestions on what I may be doing wrong or for further troubleshooting?

References:
[1] 
[2] 

[3] 

[4] 


-- 
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org