Re: tomcat does not choose the higher curve when EC ciphers are configured
On 20/12/2016 15:22, manjesh wrote: > thanks. I believe as a part of cipher negotiation the server (tomcat) > should do this rather than the provider (JDK/SunJC) What is your basis for that believe? You need to point to the Java documentation that a) states this is the case and b) describes the API Tomcat should be using to do this. Mark > > On Tue, Dec 20, 2016 at 8:49 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > manjesh, > > On 12/20/16 6:19 AM, manjesh wrote: Below shown snippet is the ciphersuite configuration. Tomcat version 8.026 and JDK 1.8 >>> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2" ke ystoreFile="work/keystore/keystore.jks" keystorePass="*" keyAlias="selfsigned.tomcat" keystoreType="JKS" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA _WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_ SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_ AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256" useServerCipherSuitesOrder="true" server="APPSERVER" SSLDisableCompression="true" /> Tested with Nmap Check the server for the supported cipher suites. nmap -p 443 --script ssl-enum-ciphers.nse hostname The result shows server supports few ciphers with curves secp160k1,secp192k1, secp224k 1,secp256k1..etc configure Nmap to probe the server with only two curve sizes secp160k1,secp256k1 But this time server selects cipher supporting secp160k1 but not secp256k1 even though secp256k1 is mutually stronger one than secp160k1 How to enforce server to select the mutually existing higher curve size? > > I'm not sure Java allows you to select the specific curve you'd like > to use -- only the cipher suite, which doesn't specify a curve to use. > > -chris >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat does not choose the higher curve when EC ciphers are configured
thanks. I believe as a part of cipher negotiation the server (tomcat) should do this rather than the provider (JDK/SunJC) On Tue, Dec 20, 2016 at 8:49 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > manjesh, > > On 12/20/16 6:19 AM, manjesh wrote: > > Below shown snippet is the ciphersuite configuration. Tomcat > > version 8.026 and JDK 1.8 > > > > > > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > maxThreads="150" scheme="https" secure="true" SSLEnabled="true" > > clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2" > > ke ystoreFile="work/keystore/keystore.jks" keystorePass="*" > > keyAlias="selfsigned.tomcat" keystoreType="JKS" > > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA > > _WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_ > > SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_ > > AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ > > RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256" > > useServerCipherSuitesOrder="true" server="APPSERVER" > > SSLDisableCompression="true" /> > > > > > > Tested with Nmap > > > > Check the server for the supported cipher suites. > > > > nmap -p 443 --script ssl-enum-ciphers.nse hostname > > > > The result shows server supports few ciphers with curves > > secp160k1,secp192k1, secp224k 1,secp256k1..etc > > > > configure Nmap to probe the server with only two curve sizes > > secp160k1,secp256k1 > > > > But this time server selects cipher supporting secp160k1 but > > not secp256k1 even though secp256k1 is mutually stronger one than > > secp160k1 > > > > How to enforce server to select the mutually existing higher curve > > size? > > I'm not sure Java allows you to select the specific curve you'd like > to use -- only the cipher suite, which doesn't specify a curve to use. > > - -chris > -BEGIN PGP SIGNATURE- > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQIcBAEBCAAGBQJYWUvxAAoJEBzwKT+lPKRYyQEP/R3crsrDwQ5PRXEG2lRHXagV > u06qEQnPmI4lYFVj6Fcb+tbzyN255xGN2Sw8QyNJkW7u7kYK2cRbsEWYcufu0ucY > U4Xmrk5tmyIaEbXUbB4rtFOCK9axXyXSCOHcPak3McuYpVx8gpXDG3H51t/5MxCg > xyVw6AGOZB5fWKWOL9uH5RHFya72FiK9hVp+XTbN/SEKgGR2qYPGGDRzS7z5kyAV > CBrXj/WuscZlouUAJ6YIaFDY1PSlWcf2f6E0WWKpgYxP8bqE0Bwo01c1PPr1Slko > uudSbryNARccrPkGPQ7rFwyFyCLe1ENSPjzoofwUYMFZFdBVd6QphGnNXrl2ywIb > qYNBsaTBu0/fwGa1H/5M4w8OapTfVBMpyu/a9XNV4NOXBa5Q1ggIfom2JGYU3zpU > ubazsTF69Wqr1WuwYwfu2e5Z58DdUTPWhBdHgWUlFFy652Kw7gJNPUnEAFntJikh > WWgkLW2P8SWvilEfb5htyzYhuSJnPGFRInNwx9gSuJ+7gEmY3Ka3Zg4nXQO2P/xq > cjkHntQSb3eB5xiEeiDfJk9Vxb3nIUIxHskeUYyuiHK/rKlVNiabYEy1anxeTx0K > x5YHNN2dq86Gy2g4r9BQiXgg598punUybVmAc5fR75vw+5f7vYXLltEOI/AO3Wop > zHWLPJnMZyYfEyjWdcBh > =PRwc > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: tomcat does not choose the higher curve when EC ciphers are configured
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 manjesh, On 12/20/16 6:19 AM, manjesh wrote: > Below shown snippet is the ciphersuite configuration. Tomcat > version 8.026 and JDK 1.8 > > > protocol="org.apache.coyote.http11.Http11NioProtocol" > maxThreads="150" scheme="https" secure="true" SSLEnabled="true" > clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2" > ke ystoreFile="work/keystore/keystore.jks" keystorePass="*" > keyAlias="selfsigned.tomcat" keystoreType="JKS" > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA > _WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_ > SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_ > AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ > RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256" > useServerCipherSuitesOrder="true" server="APPSERVER" > SSLDisableCompression="true" /> > > > Tested with Nmap > > Check the server for the supported cipher suites. > > nmap -p 443 --script ssl-enum-ciphers.nse hostname > > The result shows server supports few ciphers with curves > secp160k1,secp192k1, secp224k 1,secp256k1..etc > > configure Nmap to probe the server with only two curve sizes > secp160k1,secp256k1 > > But this time server selects cipher supporting secp160k1 but > not secp256k1 even though secp256k1 is mutually stronger one than > secp160k1 > > How to enforce server to select the mutually existing higher curve > size? I'm not sure Java allows you to select the specific curve you'd like to use -- only the cipher suite, which doesn't specify a curve to use. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJYWUvxAAoJEBzwKT+lPKRYyQEP/R3crsrDwQ5PRXEG2lRHXagV u06qEQnPmI4lYFVj6Fcb+tbzyN255xGN2Sw8QyNJkW7u7kYK2cRbsEWYcufu0ucY U4Xmrk5tmyIaEbXUbB4rtFOCK9axXyXSCOHcPak3McuYpVx8gpXDG3H51t/5MxCg xyVw6AGOZB5fWKWOL9uH5RHFya72FiK9hVp+XTbN/SEKgGR2qYPGGDRzS7z5kyAV CBrXj/WuscZlouUAJ6YIaFDY1PSlWcf2f6E0WWKpgYxP8bqE0Bwo01c1PPr1Slko uudSbryNARccrPkGPQ7rFwyFyCLe1ENSPjzoofwUYMFZFdBVd6QphGnNXrl2ywIb qYNBsaTBu0/fwGa1H/5M4w8OapTfVBMpyu/a9XNV4NOXBa5Q1ggIfom2JGYU3zpU ubazsTF69Wqr1WuwYwfu2e5Z58DdUTPWhBdHgWUlFFy652Kw7gJNPUnEAFntJikh WWgkLW2P8SWvilEfb5htyzYhuSJnPGFRInNwx9gSuJ+7gEmY3Ka3Zg4nXQO2P/xq cjkHntQSb3eB5xiEeiDfJk9Vxb3nIUIxHskeUYyuiHK/rKlVNiabYEy1anxeTx0K x5YHNN2dq86Gy2g4r9BQiXgg598punUybVmAc5fR75vw+5f7vYXLltEOI/AO3Wop zHWLPJnMZyYfEyjWdcBh =PRwc -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
tomcat does not choose the higher curve when EC ciphers are configured
Below shown snippet is the ciphersuite configuration. Tomcat version 8.026 and JDK 1.8 Tested with Nmap Check the server for the supported cipher suites. nmap -p 443 --script ssl-enum-ciphers.nse hostname The result shows server supports few ciphers with curves secp160k1,secp192k1, secp224k 1,secp256k1..etc configure Nmap to probe the server with only two curve sizes secp160k1,secp256k1 But this time server selects cipher supporting secp160k1 but not secp256k1 even though secp256k1 is mutually stronger one than secp160k1 How to enforce server to select the mutually existing higher curve size?