Re: How to set Ciphers in Server.xml Tomcat 10.1.zz
Yes, I had to install Java 11

On Thu, 24 Nov 2022, 00:42 Shawn Heisey, wrote:

> On 11/23/22 14:12, Edwin Mwangi wrote:
> > I need help with the correct parameter for setting Ciphers in Apache Tomcat
> > 10.1.2, in the previous version 9 I would use the parameter below
> >
> > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
> >
> > However when I set the same in Apache Tomcat 10.1.2 I get the following
> > error in the logfiles
>
> Did you also use a newer Java version with the new Tomcat version?
>
> I have just double-checked results on a Qualys Labs SSL test against a
> webserver that allows those ciphers.  Both of them are considered weak.
> A newer Java version might choose to not allow those ciphers at all and
> throw an error when they are attempted.  The information below does not
> involve Java or Tomcat, but hopefully will still be useful:
>
> Here is part of a report using testssl.sh against one of my webservers,
> which gets an A+ security grade:
>
>  Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption  Bits   Cipher Suite Name (IANA/RFC)
> ---------------------------------------------------------------------------------------------------
> SSLv2
>  -
> SSLv3
>  -
> TLSv1
>  -
> TLSv1.1
>  -
> TLSv1.2 (server order)
>  xcca8   ECDHE-RSA-CHACHA20-POLY1305    ECDH 521   ChaCha20    256    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>  xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 521   AESGCM      256    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLSv1.3 (server order)
>  x1303   TLS_CHACHA20_POLY1305_SHA256   ECDH 521   ChaCha20    256    TLS_CHACHA20_POLY1305_SHA256
>  x1302   TLS_AES_256_GCM_SHA384         ECDH 521   AESGCM      256    TLS_AES_256_GCM_SHA384
>
> No ciphers using RSA at all, and each active TLS version only accepts
> two ciphers.
>
> I am betting that Java is just refusing to use those ciphers because
> they are known to be weak.  Hopefully an expert can tell me if I am
> giving incorrect information here.
>
> Thanks,
> Shawn
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to set Ciphers in Server.xml Tomcat 10.1.zz
On 11/23/22 14:46, Chuck Caldarale wrote:
> On Nov 23, 2022, at 22:41, Shawn Heisey wrote:
> > I am betting that Java is just refusing to use those ciphers because
> > they are known to be weak.  Hopefully an expert can tell me if I am
> > giving incorrect information here.
>
> The reported error was the failure to set the non-existent property due
> to the misplaced configuration line.  Whether or not the JVM would honor
> the requested ciphers would happen later - but it could well be rejected
> by newer JVMs, as you noted.

Thanks for the clarification!  I admit that I have almost no experience
with actually writing Java SSL code, so I wouldn't know whether a given
class name is right or wrong. :)

Thanks,
Shawn
Re: How to set Ciphers in Server.xml Tomcat 10.1.zz
> On Nov 23, 2022, at 22:41, Shawn Heisey wrote:
>
> I am betting that Java is just refusing to use those ciphers because they are
> known to be weak.  Hopefully an expert can tell me if I am giving incorrect
> information here.

The reported error was the failure to set the non-existent property due to the
misplaced configuration line.  Whether or not the JVM would honor the requested
ciphers would happen later - but it could well be rejected by newer JVMs, as
you noted.

  - Chuck
Re: How to set Ciphers in Server.xml Tomcat 10.1.zz
On 11/23/22 14:12, Edwin Mwangi wrote:
> I need help with the correct parameter for setting Ciphers in Apache Tomcat
> 10.1.2, in the previous version 9 I would use the parameter below
>
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>
> However when I set the same in Apache Tomcat 10.1.2 I get the following
> error in the logfiles

Did you also use a newer Java version with the new Tomcat version?

I have just double-checked results on a Qualys Labs SSL test against a
webserver that allows those ciphers.  Both of them are considered weak.
A newer Java version might choose to not allow those ciphers at all and
throw an error when they are attempted.  The information below does not
involve Java or Tomcat, but hopefully will still be useful:

Here is part of a report using testssl.sh against one of my webservers,
which gets an A+ security grade:

 Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption  Bits   Cipher Suite Name (IANA/RFC)
---------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1
 -
TLSv1.1
 -
TLSv1.2 (server order)
 xcca8   ECDHE-RSA-CHACHA20-POLY1305    ECDH 521   ChaCha20    256    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 521   AESGCM      256    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.3 (server order)
 x1303   TLS_CHACHA20_POLY1305_SHA256   ECDH 521   ChaCha20    256    TLS_CHACHA20_POLY1305_SHA256
 x1302   TLS_AES_256_GCM_SHA384         ECDH 521   AESGCM      256    TLS_AES_256_GCM_SHA384

No ciphers using RSA at all, and each active TLS version only accepts
two ciphers.

I am betting that Java is just refusing to use those ciphers because
they are known to be weak.  Hopefully an expert can tell me if I am
giving incorrect information here.

Thanks,
Shawn
Re: How to set Ciphers in Server.xml Tomcat 10.1.zz
> On Nov 23, 2022, at 22:12, Edwin Mwangi wrote:
>
> I need help with the correct parameter for setting Ciphers in Apache Tomcat
> 10.1.2, in the previous version 9 I would use the parameter below
>
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>
> However when I set the same in Apache Tomcat 10.1.2 I get the following
> error in the logfiles
>
> 23-Nov-2022 23:06:47.760 WARNING [main]
> org.apache.tomcat.util.digester.SetPropertiesRule.begin Match
> [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property
> [ciphers] to [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
>
> Please see the config I'm currently using
>
>     <Connector
>         protocol="org.apache.coyote.http11.Http11NioProtocol"
>         port="8443"
>         maxThreads="150"
>         SSLEnabled="true">
>       <SSLHostConfig>
>         <Certificate
>             certificateKeystoreFile="${user.home}/.keystore"
>             certificateKeystorePassword="changeit"
>             type="RSA"
>             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>             />
>       </SSLHostConfig>
>     </Connector>

If I'm reading the documentation correctly, the ciphers property belongs to
SSLHostConfig, not Certificate.  Perhaps 9.0 simply ignored the misplaced
attribute and used the default.

  - Chuck
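The two points raised in this thread, Chuck's (the ciphers attribute belongs on SSLHostConfig, not on Certificate, which is exactly what the SetPropertiesRule warning reports) and Shawn's (the TLS_RSA_*_CBC_* suites are graded weak), can both be checked on the server.xml file before Tomcat is started. The script below is an added example written for this thread; it is not code from the thread or from the Tomcat project. The two server.xml snippets embedded in it are constructed from the config quoted above: the first reproduces the misplaced layout, the second moves ciphers to SSLHostConfig and uses the forward-secret ECDHE suites from Shawn's testssl.sh report. The protocols="TLSv1.2+TLSv1.3" attribute in the corrected snippet is my choice, and the weak-suite test is a deliberately simplified heuristic (static RSA key exchange and CBC mode), not the Qualys or testssl.sh grading rules.

```python
"""Static pre-start check of a Tomcat server.xml TLS connector (added example).

Two findings are produced:
  1. a `ciphers` attribute placed on <Certificate> instead of <SSLHostConfig>
     (Tomcat would log "failed to set property [ciphers]" at startup);
  2. suites that a simplified heuristic grades weak: static RSA key
     exchange (TLS_RSA_*, no forward secrecy) and CBC mode.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the misplaced layout quoted in the thread.
MISPLACED_XML = """
<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="${user.home}/.keystore"
                     certificateKeystorePassword="changeit"
                     type="RSA"
                     ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample: ciphers moved to SSLHostConfig. The protocols value and
# the ECDHE suite list are this example's choices, not the thread's.
CORRECTED_XML = """
<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="150" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256">
        <Certificate certificateKeystoreFile="${user.home}/.keystore"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def weak_suite_reasons(suite):
    """Simplified heuristic on a JSSE-style suite name; not a full grader."""
    reasons = []
    if suite.startswith("TLS_RSA_WITH_"):
        reasons.append("static RSA key exchange (no forward secrecy)")
    if "_CBC_" in suite:
        reasons.append("CBC mode")
    return reasons


def check_server_xml(xml_text):
    """Return a list of finding strings; an empty list means both checks passed.

    Only comma-separated JSSE/OpenSSL suite names are screened; an OpenSSL
    cipher-string expression such as HIGH:!aNULL is not expanded here.
    """
    findings = []
    root = ET.fromstring(xml_text.strip())
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        for host_cfg in connector.findall("SSLHostConfig"):
            cipher_values = []
            if "ciphers" in host_cfg.attrib:
                cipher_values.append(host_cfg.attrib["ciphers"])
            for cert in host_cfg.findall("Certificate"):
                if "ciphers" in cert.attrib:
                    findings.append(
                        "misplaced: ciphers set on <Certificate>; Tomcat expects "
                        "it on <SSLHostConfig> and will log "
                        "'failed to set property [ciphers]'"
                    )
                    # Still screen the list so the operator sees both problems.
                    cipher_values.append(cert.attrib["ciphers"])
            for value in cipher_values:
                for suite in (s.strip() for s in value.split(",") if s.strip()):
                    for reason in weak_suite_reasons(suite):
                        findings.append(f"weak suite {suite}: {reason}")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("misplaced", MISPLACED_XML), ("corrected", CORRECTED_XML)):
        result = check_server_xml(xml_text)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run as-is, the misplaced sample yields the placement finding plus two reasons for each of the two suites, and the corrected sample yields nothing. Note the ordering Chuck describes: this kind of check can only catch the attribute placement and the suite names; whether the JVM actually enables a given suite is decided later, when Tomcat initialises the connector against the installed Java version.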
How to set Ciphers in Server.xml Tomcat 10.1.zz
Hi Guys,

I need help with the correct parameter for setting Ciphers in Apache Tomcat
10.1.2, in the previous version 9 I would use the parameter below

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

However when I set the same in Apache Tomcat 10.1.2 I get the following
error in the logfiles

23-Nov-2022 23:06:47.760 WARNING [main]
org.apache.tomcat.util.digester.SetPropertiesRule.begin Match
[Server/Service/Connector/SSLHostConfig/Certificate] failed to set property
[ciphers] to [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]

Please see the config I'm currently using

Thanks
Edwin