Re: Enforcing server preference for cipher suites
Hi Chris, thanks for sharing your opinion.

Just my last comment here to close this thread. BSAFE is anyways EOL now (or will be soon). We are already working on a replacement. Currently we are using the latest and greatest version of BSAFE with extended support.

Once again, thank you all for the great support. I have another query (different topic) coming shortly... :-)

Sent from my iPhone

> On Oct 12, 2017, at 7:59 PM, Christopher Schultz wrote:
>
> Harish,
>
>> On 10/12/17 10:55 AM, Harish Krishnan wrote:
>> Thank you all for the help and responses. We figured out what the
>> problem was. What I did was correct in terms of the attribute
>> setting, the tomcat version used and the JRE version used. However,
>> I did not realize our JRE is running in FIPS mode using RSA BSAFE
>> as the crypto provider.
> FIPS strikes again!
>
> In this case, it's not really FIPS's fault, it's RSA's BSAFE. Anyone
> using RSA's BSAFE these days ought to lose their job. Plow that thing
> under with salt and use a trusted crypto provider (lol, Oracle, I guess).
>
>> When I tested and ran under standard JRE, then the server cipher
>> suite order was preferred.
> You are probably using an ancient version of BSAFE. Your random
> numbers are probably all ones. Seriously, you need to dump BSAFE.
>
>> Now I will have to look into what RSA library is doing here.
>
> Leaking like a sieve, probably.
>
>> Probably they are setting that Java API too which could be
>> overwriting our setting in tomcat.
>
> If that crypto provider is in use, then it'll likely affect the whole
> JVM. It just occurred to me that Tomcat doesn't have a setting for the
> crypto provider to use for TLS itself... only for the various
> "stores", etc. We probably ought to add that, and then you could
> choose "JSSE" as your provider and avoid BSAFE.
>
> -chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Enforcing server preference for cipher suites
Harish,

On 10/12/17 10:55 AM, Harish Krishnan wrote:
> Thank you all for the help and responses. We figured out what the
> problem was. What I did was correct in terms of the attribute
> setting, the tomcat version used and the JRE version used. However,
> I did not realize our JRE is running in FIPS mode using RSA BSAFE
> as the crypto provider.

FIPS strikes again!

In this case, it's not really FIPS's fault, it's RSA's BSAFE. Anyone using RSA's BSAFE these days ought to lose their job. Plow that thing under with salt and use a trusted crypto provider (lol, Oracle, I guess).

> When I tested and ran under standard JRE, then the server cipher
> suite order was preferred.

You are probably using an ancient version of BSAFE. Your random numbers are probably all ones. Seriously, you need to dump BSAFE.

> Now I will have to look into what RSA library is doing here.

Leaking like a sieve, probably.

> Probably they are setting that Java API too which could be
> overwriting our setting in tomcat.

If that crypto provider is in use, then it'll likely affect the whole JVM. It just occurred to me that Tomcat doesn't have a setting for the crypto provider to use for TLS itself... only for the various "stores", etc. We probably ought to add that, and then you could choose "JSSE" as your provider and avoid BSAFE.

-chris
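
An added example, not part of the thread and not Tomcat code: a small Java 8+ diagnostic for the situation described above, where a JVM-wide crypto provider decides how TLS behaves. It lists the registered providers, shows which one backs the `TLS` `SSLContext`, and checks whether a server-side `SSLEngine` keeps the `SSLParameters.setUseCipherSuitesOrder(true)` flag; the class and method names are made up for the example.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added diagnostic, not code from the thread or from Tomcat.
public class TlsProviderCheck {

    // Prints the provider behind ctx and returns whether a server-side engine
    // created from it keeps the useCipherSuitesOrder flag after it is set.
    static boolean retainsServerOrderFlag(String label, SSLContext ctx) throws Exception {
        ctx.init(null, null, null); // default key/trust managers are enough to inspect settings
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // behave as the server side of a handshake

        SSLParameters params = engine.getSSLParameters();
        params.setUseCipherSuitesOrder(true); // JSSE switch for "honor local order" (Java 8+)
        engine.setSSLParameters(params);
        boolean retained = engine.getSSLParameters().getUseCipherSuitesOrder();

        String[] suites = engine.getEnabledCipherSuites();
        System.out.println("[" + label + "] provider: " + ctx.getProvider().getName()
                + " (" + ctx.getProvider().getClass().getName() + ")");
        System.out.println("[" + label + "] useCipherSuitesOrder retained: " + retained);
        System.out.println("[" + label + "] first enabled suites: "
                + Arrays.toString(Arrays.copyOf(suites, Math.min(5, suites.length))));
        return retained;
    }

    public static void main(String[] args) throws Exception {
        // Registration order decides which provider answers an unqualified getInstance().
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d. %-14s %s%n", i + 1,
                    providers[i].getName(), providers[i].getInfo());
        }

        boolean defaultOk = retainsServerOrderFlag("JVM default", SSLContext.getInstance("TLS"));

        // Compare against the JDK's own JSSE implementation when it is registered.
        if (Security.getProvider("SunJSSE") != null) {
            retainsServerOrderFlag("SunJSSE", SSLContext.getInstance("TLS", "SunJSSE"));
        } else {
            System.out.println("SunJSSE is not registered in this JVM");
        }

        if (!defaultOk) {
            // The flag never reached the engine, so a connector setting built on it cannot take effect.
            System.out.println("Default TLS provider dropped useCipherSuitesOrder");
        }
        // retained == true only shows the flag is stored; confirm the negotiated
        // suite with a scanner such as sslyze or testssl.sh, as suggested in the thread.
    }
}
```

Run it with the same JRE and `java.security` configuration that Tomcat starts with; an unexpected provider behind the default context, or a flag that reads back `false`, points at the provider rather than at the connector attributes.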
Re: Enforcing server preference for cipher suites
Thank you all for the help and responses.

We figured out what the problem was. What I did was correct in terms of the attribute setting, the tomcat version used and the JRE version used. However, I did not realize our JRE is running in FIPS mode using RSA BSAFE as the crypto provider. When I tested and ran under standard JRE, then the server cipher suite order was preferred.

Now I will have to look into what RSA library is doing here. Probably they are setting that Java API too which could be overwriting our setting in tomcat. Anyways, that's our problem to look into.

Thanks again for the timely response and help!

Sent from my iPhone

> On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko wrote:
>
> 2017-10-09 19:31 GMT+03:00 Harish Krishnan:
>> Hi All,
>>
>> Need your expert input here.
>> Not sure what I am doing wrong, but I cannot get this server preference
>> cipher suites feature working.
>>
>> My setup:
>> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
>> Latest Java 1.8 build.
>>
>> No matter what value I set to this attribute (true OR false OR undefined
>> which is by default), I always see the Clients preference picked.
>> As an example, if clients order is ABCDEF, and servers order is DEFABC, no
>> matter what value I set to this useServerCipherSuitesOrder attribute, always
>> the order selected is ABC...
>
> It should work when running on Java 8.
>
> Maybe try debugging
> e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
> setUseServerCipherSuitesOrder()
>
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> Best regards,
> Konstantin Kolinko
Re: Enforcing server preference for cipher suites
Thanks for the response, Konstantin.

If debugging the tomcat code is the only option, then I will plan to do it sometime soon as it is a bit of additional work for me. We just use the tomcat binaries in our application.

Meanwhile, if anybody has any other suggestions, that is greatly appreciated.

Sent from my iPhone

> On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko wrote:
>
> 2017-10-09 19:31 GMT+03:00 Harish Krishnan:
>> Hi All,
>>
>> Need your expert input here.
>> Not sure what I am doing wrong, but I cannot get this server preference
>> cipher suites feature working.
>>
>> My setup:
>> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
>> Latest Java 1.8 build.
>>
>> No matter what value I set to this attribute (true OR false OR undefined
>> which is by default), I always see the Clients preference picked.
>> As an example, if clients order is ABCDEF, and servers order is DEFABC, no
>> matter what value I set to this useServerCipherSuitesOrder attribute, always
>> the order selected is ABC...
>
> It should work when running on Java 8.
>
> Maybe try debugging
> e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
> setUseServerCipherSuitesOrder()
>
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> Best regards,
> Konstantin Kolinko
Re: Enforcing server preference for cipher suites
2017-10-09 19:31 GMT+03:00 Harish Krishnan:
> Hi All,
>
> Need your expert input here.
> Not sure what I am doing wrong, but I cannot get this server preference
> cipher suites feature working.
>
> My setup:
> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
> Latest Java 1.8 build.
>
> No matter what value I set to this attribute (true OR false OR undefined
> which is by default), I always see the Clients preference picked.
> As an example, if clients order is ABCDEF, and servers order is DEFABC, no
> matter what value I set to this useServerCipherSuitesOrder attribute, always
> the order selected is ABC...

It should work when running on Java 8.

Maybe try debugging
e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
setUseServerCipherSuitesOrder()

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging

Best regards,
Konstantin Kolinko
Re: Enforcing server preference for cipher suites
Thanks for the response, Peter.

The client is not doing anything other than a simple https connection to tomcat. The cipher suites used by the client are the default JRE 1.8 cipher suites. I have not configured or requested any particular cipher suite when connecting to Tomcat. During the handshake, a particular cipher is automatically selected after the client server negotiation.

The question I have is, the cipher that is automatically selected, is in the client preference order and not tomcat order as per the attribute useServerCipherSuitesOrder setting.

Are we on the same page?

Sent from my iPhone

> On Oct 9, 2017, at 11:51 PM, Peter Kreuser wrote:
>
> Harish,
>
>> On 10.10.2017 at 00:00, Harish Krishnan wrote:
>>
>> Thanks for the response, Chris.
>>
>> Below are my answers in order.
>> To keep the response as short as possible, i have not included the ciphers
>> list in the connector -
>>
>> a) Tomcat 7.0.79 (will be updating to 7.0.82)
>> b) JRE 1.80_144
>> c) Our connector configuration is below.
>> d) We are using NIO.
>> e) I am using a simple java client that makes TLS connection to our tomcat
>> on below port. I am capturing the SSL handshake.
>> The way i tested the client preference is: Lets take the same example i
>> gave in my first email i.e. clients preference is ABCDEF and the tomcat
>> servers preference is DEFABC with *useServerCipherSuitesOrder* set to true.
>> During the 1st handshake connection, "A" cipher suite was chosen. I removed
>> "A" from my tomcat connector, restarted the service, and did the connection
>> test again.
>> "B" was chosen during this 2nd handshake. Same test was continued and
>> observed that CDEF were chosen next in order.
>> I am expecting DEFABC as the order of preference as per the
>> *useServerCipherSuitesOrder* setting.
> I believe that there is a misunderstanding. Your simple client does not seem
> to handle the situation correctly (even not at all).
> I think if you request cipher B you will get B.
>
> Please check with a ssl-tool like sslyze or testssl.sh. If your site is
> available on the internet, you could try ssllabs.com.
>
> The settings seem to be OK, unless I do not see an incorrect formatting on my
> phone.
>
> HTH,
>
> Peter
>
>> Let me know if i am missing anything or is my understanding is incorrect.
>>
>> <Connector
>>     id="orion.server.https"
>>     acceptCount="100"
>>     useServerCipherSuitesOrder="true"
>>     ciphers="we have around 20 cipher suites listed..."
>>     clientAuth="want"
>>     compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>>     compression="on"
>>     compressionMinSize="2048"
>>     disableUploadTimeout="true"
>>     enableLookups="false"
>>     keystoreFile="keystore/xyz"
>>     keystorePass=""
>>     maxConnections="500"
>>     maxHttpHeaderSize="8192"
>>     maxKeepAliveRequests="500"
>>     maxThreads="250"
>>     minSpareThreads="25"
>>     noCompressionUserAgents="gozilla, traviata"
>>     port="8443"
>>     processorCache="500"
>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>     scheme="https"
>>     secure="true"
>>     server="Undefined"
>>     sessionCacheSize="400"
>>     SSLEnabled="true"
>>     sslProtocol="TLS"
>>     sslEnabledProtocols="TLSv1.1, TLSv1.2"
>>     truststoreFile="keystore/xyz"
>>     truststorePass=""
>>     truststoreType="jks"
>>     URIEncoding="UTF-8" />
>>
>> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>>
>>> Harish,
>>>
>>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>>> Need your expert input here. Not sure what I am doing wrong, but I
>>>> cannot get this server preference cipher suites feature working.
>>>>
>>>> My setup: Latest tomcat 7.x build (which supports
>>>> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>>>>
>>>> No matter what value I set to this attribute (true OR false OR
>>>> undefined which is by default), I always see the Clients preference
>>>> picked. As an example, if clients order is ABCDEF, and servers
>>>> order is DEFABC, no matter what value I set to this
>>>> useServerCipherSuitesOrder attribute, always the order selected is
>>>> ABC...
>>>
>>> What exact version of Tomcat are you using?
>>> What exact version of Java are you using?
>>>
>>> Please post your configuration, minus any secrets.
>>>
>>> Do you know if you are using the BIO, NIO, or APR connector?
>>>
>>> How are you determining client-preference?
>>>
>>> -chris
Re: Enforcing server preference for cipher suites
Harish,

> On 10.10.2017 at 00:00, Harish Krishnan wrote:
>
> Thanks for the response, Chris.
>
> Below are my answers in order.
> To keep the response as short as possible, i have not included the ciphers
> list in the connector -
>
> a) Tomcat 7.0.79 (will be updating to 7.0.82)
> b) JRE 1.80_144
> c) Our connector configuration is below.
> d) We are using NIO.
> e) I am using a simple java client that makes TLS connection to our tomcat
> on below port. I am capturing the SSL handshake.
> The way i tested the client preference is: Lets take the same example i
> gave in my first email i.e. clients preference is ABCDEF and the tomcat
> servers preference is DEFABC with *useServerCipherSuitesOrder* set to true.
> During the 1st handshake connection, "A" cipher suite was chosen. I removed
> "A" from my tomcat connector, restarted the service, and did the connection
> test again.
> "B" was chosen during this 2nd handshake. Same test was continued and
> observed that CDEF were chosen next in order.
> I am expecting DEFABC as the order of preference as per the
> *useServerCipherSuitesOrder* setting.

I believe that there is a misunderstanding. Your simple client does not seem to handle the situation correctly (even not at all).
I think if you request cipher B you will get B.

Please check with a ssl-tool like sslyze or testssl.sh. If your site is available on the internet, you could try ssllabs.com.

The settings seem to be OK, unless I do not see an incorrect formatting on my phone.

HTH,

Peter

> Let me know if i am missing anything or is my understanding is incorrect.
>
> <Connector
>     id="orion.server.https"
>     acceptCount="100"
>     useServerCipherSuitesOrder="true"
>     ciphers="we have around 20 cipher suites listed..."
>     clientAuth="want"
>     compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>     compression="on"
>     compressionMinSize="2048"
>     disableUploadTimeout="true"
>     enableLookups="false"
>     keystoreFile="keystore/xyz"
>     keystorePass=""
>     maxConnections="500"
>     maxHttpHeaderSize="8192"
>     maxKeepAliveRequests="500"
>     maxThreads="250"
>     minSpareThreads="25"
>     noCompressionUserAgents="gozilla, traviata"
>     port="8443"
>     processorCache="500"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     scheme="https"
>     secure="true"
>     server="Undefined"
>     sessionCacheSize="400"
>     SSLEnabled="true"
>     sslProtocol="TLS"
>     sslEnabledProtocols="TLSv1.1, TLSv1.2"
>     truststoreFile="keystore/xyz"
>     truststorePass=""
>     truststoreType="jks"
>     URIEncoding="UTF-8" />
>
> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> Harish,
>>
>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>> Need your expert input here. Not sure what I am doing wrong, but I
>>> cannot get this server preference cipher suites feature working.
>>>
>>> My setup: Latest tomcat 7.x build (which supports
>>> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>>>
>>> No matter what value I set to this attribute (true OR false OR
>>> undefined which is by default), I always see the Clients preference
>>> picked. As an example, if clients order is ABCDEF, and servers
>>> order is DEFABC, no matter what value I set to this
>>> useServerCipherSuitesOrder attribute, always the order selected is
>>> ABC...
>>
>> What exact version of Tomcat are you using?
>> What exact version of Java are you using?
>>
>> Please post your configuration, minus any secrets.
>>
>> Do you know if you are using the BIO, NIO, or APR connector?
>>
>> How are you determining client-preference?
>>
>> -chris
Re: Enforcing server preference for cipher suites
Thanks for the response, Chris.

Below are my answers in order.
To keep the response as short as possible, I have not included the ciphers list in the connector -

a) Tomcat 7.0.79 (will be updating to 7.0.82)
b) JRE 1.80_144
c) Our connector configuration is below.
d) We are using NIO.
e) I am using a simple java client that makes TLS connection to our tomcat on below port. I am capturing the SSL handshake.

The way I tested the client preference is: Let's take the same example I gave in my first email, i.e. clients preference is ABCDEF and the tomcat servers preference is DEFABC with *useServerCipherSuitesOrder* set to true.
During the 1st handshake connection, "A" cipher suite was chosen. I removed "A" from my tomcat connector, restarted the service, and did the connection test again.
"B" was chosen during this 2nd handshake. Same test was continued and observed that CDEF were chosen next in order.
I am expecting DEFABC as the order of preference as per the *useServerCipherSuitesOrder* setting.

Let me know if I am missing anything or if my understanding is incorrect.

On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Harish,
>
> On 10/9/17 12:31 PM, Harish Krishnan wrote:
> > Need your expert input here. Not sure what I am doing wrong, but I
> > cannot get this server preference cipher suites feature working.
> >
> > My setup: Latest tomcat 7.x build (which supports
> > useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
> >
> > No matter what value I set to this attribute (true OR false OR
> > undefined which is by default), I always see the Clients preference
> > picked. As an example, if clients order is ABCDEF, and servers
> > order is DEFABC, no matter what value I set to this
> > useServerCipherSuitesOrder attribute, always the order selected is
> > ABC...
>
> What exact version of Tomcat are you using?
> What exact version of Java are you using?
>
> Please post your configuration, minus any secrets.
>
> Do you know if you are using the BIO, NIO, or APR connector?
>
> How are you determining client-preference?
>
> -chris
Re: Enforcing server preference for cipher suites
Harish,

On 10/9/17 12:31 PM, Harish Krishnan wrote:
> Need your expert input here. Not sure what I am doing wrong, but I
> cannot get this server preference cipher suites feature working.
>
> My setup: Latest tomcat 7.x build (which supports
> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>
> No matter what value I set to this attribute (true OR false OR
> undefined which is by default), I always see the Clients preference
> picked. As an example, if clients order is ABCDEF, and servers
> order is DEFABC, no matter what value I set to this
> useServerCipherSuitesOrder attribute, always the order selected is
> ABC...

What exact version of Tomcat are you using?
What exact version of Java are you using?

Please post your configuration, minus any secrets.

Do you know if you are using the BIO, NIO, or APR connector?

How are you determining client-preference?

-chris
Enforcing server preference for cipher suites
Hi All,

Need your expert input here.
Not sure what I am doing wrong, but I cannot get this server preference cipher suites feature working.

My setup:
Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
Latest Java 1.8 build.

No matter what value I set to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked.
As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC...

Regards,
Harish Krishnan

Sent from my iPhone