Re: Changing Tomcat's SSL ciphers

2015-03-03 Thread Ognjen Blagojevic

Eric,

On 2.3.2015 23:45, Eric wrote:

 I am trying to change the ciphers that my Tomcat 7 server supports. I am
 using the APR connector. Here's the connector information in server.xml
 with the line saying which ciphers to support:

 <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
    enableLookups="false" disableUploadTimeout="true"
    connectionTimeout="3000"
    socketBuffer="122880"
    maxKeepAliveRequests="1"
    scheme="https" secure="true"
    SSLProtocol="TLSv1"
    SSLEnabled="true"
    SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
    SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
    SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

 ...

 apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
 Tomcat, could it be that an option was turned off that prevents changing
 the SSL cipher? How would I check?)



ECDHE-RSA-AES128-GCM-SHA256 is TLSv1.2 protocol [1].

In order to utilize TLSv1.2, you need to:

1. Use tcnative 1.1.32 or later.
2. Use Tomcat that supports it (8.0.15+, 7.0.57+).
3. Set SSLProtocol=TLSv1+TLSv1.1+TLSv1.2
4. Put SSLCipherSuite inside Connector tag (you put it outside).

-Ognjen

[1] https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Changing Tomcat's SSL ciphers

2015-03-02 Thread Eric
I am trying to change the ciphers that my Tomcat 7 server supports. I am
using the APR connector. Here's the connector information in server.xml
with the line saying which ciphers to support:

<Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
   enableLookups="false" disableUploadTimeout="true"
   connectionTimeout="3000"
   socketBuffer="122880"
   maxKeepAliveRequests="1"
   scheme="https" secure="true"
   SSLProtocol="TLSv1"
   SSLEnabled="true"
   SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
   SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
   SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
   SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

I shut down and started Tomcat back up.

When I scan this server using NMAP and a script that enumerates all of the
SSL ciphers, I get this result:

$ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com

Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
Host is up (0.019s latency).
rDNS record for X.XX.XX.XX: d.mydomain.com
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
|       TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
|       TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
|       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
|       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
|       TLS_DH_anon_WITH_DES_CBC_SHA - broken
|       TLS_DH_anon_WITH_RC4_128_MD5 - broken
|       TLS_DH_anon_WITH_SEED_CBC_SHA - broken
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
|       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_DES_CBC_SHA - weak
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_SEED_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: broken

Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds

Why is it still supporting all of those other ciphers? I only told it to
support one. Am I doing something wrong?

OS/version information:

CentOS release 6.5 (Final)
apr-1.3.9-5.el6_2.x86_64
apr-devel-1.3.9-5.el6_2.x86_64
apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
Tomcat, could it be that an option was turned off that prevents changing
the SSL cipher? How would I check?)

Thank you.


Re: Changing Tomcat's SSL ciphers

2015-03-02 Thread Eric
Thank you for catching my typo and for the information.

On Mon, Mar 2, 2015 at 2:55 PM, Konstantin Kolinko knst.koli...@gmail.com
wrote:

 2015-03-03 1:45 GMT+03:00 Eric cam...@gmail.com:
  I am trying to change the ciphers that my Tomcat 7 server supports. I am
  using the APR connector. Here's the connector information in server.xml
  with the line saying which ciphers to support:
 
  <Connector port="8443" executor="edgeExecutor"
     maxHttpHeaderSize="32768"
     enableLookups="false" disableUploadTimeout="true"
     connectionTimeout="3000"
     socketBuffer="122880"
     maxKeepAliveRequests="1"
     scheme="https" secure="true"
     SSLProtocol="TLSv1"
     SSLEnabled="true"
     SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
     SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
     SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
     SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

 /> closes the tag.

 Your  SSLCipherSuite is not an attribute, but a plain text that
 follows the tag.

 The above also misses the protocol attribute. If you are using APR
 connector you would better select it explicitly instead of relying on
 autodetection.   If autodetection fails you may end up with plain HTTP
 on that port.

  I shut down and started Tomcat back up.
 
  When I scan this server using NMAP and a script that enumerates all of
 the
  SSL ciphers, I get this result:
 
  $ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com
 
  Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
  Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
  Host is up (0.019s latency).
  rDNS record for X.XX.XX.XX: d.mydomain.com
  PORT    STATE SERVICE
  443/tcp open  https
  | ssl-enum-ciphers:
  |   SSLv3: No supported ciphers found
  |   TLSv1.0:
  | ciphers:
  |   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
  |   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
  |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
  |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
  |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
  |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
  |   TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
  |   TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
  |   TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
  |   TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
  |   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
  |   TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
  |   TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
  |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
  |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
  |   TLS_DH_anon_WITH_DES_CBC_SHA - broken
  |   TLS_DH_anon_WITH_RC4_128_MD5 - broken
  |   TLS_DH_anon_WITH_SEED_CBC_SHA - broken
  |   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
  |   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
  |   TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
  |   TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
  |   TLS_RSA_WITH_AES_128_CBC_SHA - strong
  |   TLS_RSA_WITH_AES_256_CBC_SHA - strong
  |   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
  |   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
  |   TLS_RSA_WITH_DES_CBC_SHA - weak
  |   TLS_RSA_WITH_IDEA_CBC_SHA - weak
  |   TLS_RSA_WITH_RC4_128_MD5 - strong
  |   TLS_RSA_WITH_RC4_128_SHA - strong
  |   TLS_RSA_WITH_SEED_CBC_SHA - strong
  | compressors:
  |   NULL
  |_  least strength: broken
 
  Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
 
  Why is it still supporting all of those other ciphers? I only told it to
  support one. Am I doing something wrong?
 
  OS/version information:
 
  CentOS release 6.5 (Final)
  apr-1.3.9-5.el6_2.x86_64
  apr-devel-1.3.9-5.el6_2.x86_64
  apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
  Tomcat, could it be that an option was turned off that prevents changing
  the SSL cipher? How would I check?)


 7.0.32?

 http://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5
 http://tomcat.apache.org/security-7.html





Re: Changing Tomcat's SSL ciphers

2015-03-02 Thread Konstantin Kolinko
2015-03-03 1:45 GMT+03:00 Eric cam...@gmail.com:
 I am trying to change the ciphers that my Tomcat 7 server supports. I am
 using the APR connector. Here's the connector information in server.xml
 with the line saying which ciphers to support:

 <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
    enableLookups="false" disableUploadTimeout="true"
    connectionTimeout="3000"
    socketBuffer="122880"
    maxKeepAliveRequests="1"
    scheme="https" secure="true"
    SSLProtocol="TLSv1"
    SSLEnabled="true"
    SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
    SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
    SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

/> closes the tag.

Your  SSLCipherSuite is not an attribute, but a plain text that
follows the tag.

The above also misses the protocol attribute. If you are using APR
connector you would better select it explicitly instead of relying on
autodetection.   If autodetection fails you may end up with plain HTTP
on that port.

 I shut down and started Tomcat back up.

 When I scan this server using NMAP and a script that enumerates all of the
 SSL ciphers, I get this result:

 $ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com

 Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
 Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
 Host is up (0.019s latency).
 rDNS record for X.XX.XX.XX: d.mydomain.com
 PORT    STATE SERVICE
 443/tcp open  https
 | ssl-enum-ciphers:
 |   SSLv3: No supported ciphers found
 |   TLSv1.0:
 | ciphers:
 |   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
 |   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
 |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
 |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
 |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
 |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
 |   TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
 |   TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
 |   TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
 |   TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
 |   TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
 |   TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
 |   TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
 |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
 |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
 |   TLS_DH_anon_WITH_DES_CBC_SHA - broken
 |   TLS_DH_anon_WITH_RC4_128_MD5 - broken
 |   TLS_DH_anon_WITH_SEED_CBC_SHA - broken
 |   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
 |   TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
 |   TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
 |   TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
 |   TLS_RSA_WITH_AES_128_CBC_SHA - strong
 |   TLS_RSA_WITH_AES_256_CBC_SHA - strong
 |   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
 |   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
 |   TLS_RSA_WITH_DES_CBC_SHA - weak
 |   TLS_RSA_WITH_IDEA_CBC_SHA - weak
 |   TLS_RSA_WITH_RC4_128_MD5 - strong
 |   TLS_RSA_WITH_RC4_128_SHA - strong
 |   TLS_RSA_WITH_SEED_CBC_SHA - strong
 | compressors:
 |   NULL
 |_  least strength: broken

 Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds

 Why is it still supporting all of those other ciphers? I only told it to
 support one. Am I doing something wrong?

 OS/version information:

 CentOS release 6.5 (Final)
 apr-1.3.9-5.el6_2.x86_64
 apr-devel-1.3.9-5.el6_2.x86_64
 apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
 Tomcat, could it be that an option was turned off that prevents changing
 the SSL cipher? How would I check?)


7.0.32?

http://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5
http://tomcat.apache.org/security-7.html
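
The configuration mistakes pointed out in this thread (attribute text left after the closing "/>", no explicit protocol attribute, and a TLSv1.2-only cipher combined with SSLProtocol="TLSv1") can be checked mechanically before restarting Tomcat. The following is an added example, not part of the original thread and not Tomcat code; the function name lint_connectors, the two trimmed sample fragments and the cipher-name heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector as posted in the thread (trimmed), wrapped in
# <Service> so it parses. The "/>" closes the tag before SSLCipherSuite.
POSTED = '''<Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"
             SSLProtocol="TLSv1" SSLEnabled="true"
             SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
             SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
</Service>'''

# Constructed sample: the same connector with the thread's advice applied.
FIXED = '''<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             scheme="https" secure="true"
             SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
             SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt"
             SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256" />
</Service>'''

STRAY_ATTR = re.compile(r'\b([A-Za-z_][\w.-]*)\s*=\s*"[^"]*"')
# Heuristic (assumption): OpenSSL suite names with GCM or a SHA256/SHA384 MAC need TLSv1.2.
TLS12_ONLY = re.compile(r'GCM|SHA(256|384)$')

def lint_connectors(server_xml):
    """Return (port, problem, name) tuples for each Connector in the XML text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter('Connector'):
        port = conn.get('port', '?')
        # Text after "/>" is not an attribute; ElementTree exposes it as .tail
        for name in STRAY_ATTR.findall(conn.tail or ''):
            findings.append((port, 'stray-text', name))
        # No protocol attribute means Tomcat autodetects the connector type
        if conn.get('SSLEnabled') == 'true' and conn.get('protocol') is None:
            findings.append((port, 'no-protocol', 'protocol'))
        # A TLSv1.2-only suite cannot be negotiated if TLSv1.2 is not enabled
        suites = [s for s in (conn.get('SSLCipherSuite') or '').split(':') if s]
        protos = conn.get('SSLProtocol', 'all').split('+')
        if (any(TLS12_ONLY.search(s) for s in suites)
                and 'TLSv1.2' not in protos and 'all' not in protos):
            findings.append((port, 'needs-tls1.2', 'SSLProtocol'))
    return findings
```

On the posted fragment the cipher check stays silent because SSLCipherSuite never became an attribute; it fires once the attribute is moved inside the tag while SSLProtocol is still TLSv1.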
