Re: Windows tcnative openssl ciphers question
On 04/09/2014 04:36 PM, Jeffrey Janner wrote: Per someone (Mladen?) the capability wasn't enabled at build. Last notice I received is he's addressing that in the next release. Yes, feel free to test candidate at http://people.apache.org/~mturk/native/1.1.30 which I hope will be voted as official release. It should have all the EC bits enabled, but this still needs some real-world testing. You're welcome :) Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Windows tcnative openssl ciphers question
> -Original Message- > From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Sent: Tuesday, April 08, 2014 6:27 PM > To: Tomcat Users List > Subject: Re: Windows tcnative openssl ciphers question > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Jeffrey, > > On 4/7/14, 4:07 PM, Jeffrey Janner wrote: > > Ok, this is a question for the native libs builders (or whoever knows > > the answer). Environment: Windows Server 2008 R2, Tomcat > > 7.0.50 w/APR 1.1.29, Java 1.7.0_51 (all 64-bit) I'm trying to set up > > a ciphers list that will get me an "A" rating on Qualys' SSL testing > > tool. > > Did you read their guide? Certain factors limit your rating to B no > matter what else happens. Lots of those factors are quite common in > real-world deployments. > I actually managed to earn an A- rating, since I was only missing the ECDHE support to get Forward Secrecy to work on the IE browser family. At least I had one until the Heartbleed bug raised its ugly head. Now I'm back to "F". > > I'm using the latest list suggested by MozillaWiki: > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA- > AE > > S256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- > SHA25 > > 6:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128- > SHA256:ECDHE- > > ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128- > SHA:ECDHE- > > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256- > SHA:ECDHE > > -ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS- > AES > > 128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256- > SHA > > :AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA- > RC4 > > -SHA:AES128:AES256:RC4- > SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5: > > !PSK > > > > However, when I run the test tool, it reports that the server is > only > > supporting the following list: > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA > > TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 > > TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA > > TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA > > TLS_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA > > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA > > TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA > > TLS_RSA_WITH_CAMELLIA_128_CBC_SHA > > > > Notice, none of the ECDHE-based ciphers are showing up in the list. > > This is apparently what is keeping me from getting that perfect > > score, as IE wants those ciphers for Forward Security. It ends up > > taking one of the lower ciphers on the list. Does anyone know, is > > there a setting that needs to be made to enable those ciphers? > > Were they turned off in the dev stage? Is it related to my > > certificate? Running the openssl.exe that comes with the APR binary > > download shows the ECDHE ciphers in the list. Any help appreciated. > > Did you set-up the Elliptic-curve parameters? If not, you can't use > those ciphers. > Per someone (Mladen?) the capability wasn't enabled at build. Last notice I received is he's addressing that in the next release. Jeff
Re: Windows tcnative openssl ciphers question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jeffrey, On 4/7/14, 4:07 PM, Jeffrey Janner wrote: > Ok, this is a question for the native libs builders (or whoever > knows the answer). Environment: Windows Server 2008 R2, Tomcat > 7.0.50 w/APR 1.1.29, Java 1.7.0_51 (all 64-bit) I'm trying to set > up a ciphers list that will get me an "A" rating on Qualys' SSL > testing tool. Did you read their guide? Certain factors limit your rating to B no matter what else happens. Lots of those factors are quite common in real-world deployments. > I'm using the latest list suggested by MozillaWiki: > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK > > However, when I run the test tool, it reports that the server is > only supporting the following list: > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA > TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 > TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA > TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA > TLS_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA > TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA > TLS_RSA_WITH_CAMELLIA_128_CBC_SHA > > Notice, none of the ECDHE-based ciphers are showing up in the list. > This is apparently what is keeping me from getting that perfect > score, as IE wants those ciphers for Forward Security. It ends up > taking one of the lower ciphers on the list. Does anyone know, is > there a setting that needs to be made to enable those ciphers? > Were they turned off in the dev stage? Is it related to my > certificate? Running the openssl.exe that comes with the APR binary > download shows the ECDHE ciphers in the list. Any help > appreciated. Did you set-up the Elliptic-curve parameters? If not, you can't use those ciphers. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTRIWzAAoJEBzwKT+lPKRYsWkQAIscikdYUe69O+hsv1DF6XWA ics6yqljr7FVcL/6rmG5EXc1KG9e8SWgm+q8R5ol2TNLp1TTQ9CUHhteqNXsQua6 km+r9EimP/stC1SKwUC/idA85FJv+UOC1hxb8G9z3Rvy58ZEJ6JlVVO5qMs4iXVs 4vABiBKK89wKXG4Okx7Hv/DfTJnw/g4lTwvxycX3qx+F3ftSYyjsS/kRXY+M5jYM y2UunmzqQo8EO7zhUqesh/wgTMaCCC1IdmB7giCip9DrYIPgAL4Aa6TXH4sZpkQ3 6v6HfRMQHi0XiY0KMV2GL6P4VD4e3dtsiOrd9zWKSHdEQF6swKIiE6oZUyUGj4gI iDu1JheqDNbEBiOxI1NopFWJ4TCnuVlc/mjefzyjhVxUhjrUEqcnneQUo0vOzqKb cIv/S+YRbwHSFTXQZ/I9xMkrBsAy5jkIM0g1CIL8vm5Eq8WLM9EdR59kD047jNDu pu9FYVTasodp/0lgmDZ493NEEdpSmhsrj924BhsjmsIO0/+/6kSvgC63pBmosIkQ tsgOvoh6D4jDBD0BbwIH94XiI8X0rwDW9UsDKEy/sIY+yw1c1Rt/9cBeDT6dvTHU LHmaLX09j8C0dR25c7wFc7DnN3SJjbxuAea2RojVBCOJxNV8qYhVvyfkzja8okPo p2EyaFpoD9bgkt1BLTCh =+oS7 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Windows tcnative openssl ciphers question
> -Original Message- > From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com] > Sent: Monday, April 07, 2014 5:27 PM > To: Tomcat Users List > Subject: Re: Windows tcnative openssl ciphers question > > Jeffrey, > > EECDH/ECDHE is disabled in tcnative-1.dll. There is already a request > to enable it. Take a look at: > >https://issues.apache.org/bugzilla/show_bug.cgi?id=55915 > > -Ognjen > > Thanks, thought that might have been the case, but was unsure, since the openssl lib that comes with it has it explicitly available. Outside of downloading source and building myself, even if I knew what to do, appears to be the only way to enable it at the moment. I'd like to urge all posters on here to please go vote for the bug. It only has 1 vote at the moment. Jeff
Re: Windows tcnative openssl ciphers question
Jeffrey, EECDH/ECDHE is disabled in tcnative-1.dll. There is already a request to enable it. Take a look at: https://issues.apache.org/bugzilla/show_bug.cgi?id=55915 -Ognjen On 8.4.2014 0:07, Jeffrey Janner wrote: Ok, this is a question for the native libs builders (or whoever knows the answer). Environment: Windows Server 2008 R2, Tomcat 7.0.50 w/APR 1.1.29, Java 1.7.0_51 (all 64-bit) I'm trying to set up a ciphers list that will get me an "A" rating on Qualys' SSL testing tool. I'm using the latest list suggested by MozillaWiki: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK However, when I run the test tool, it reports that the server is only supporting the following list: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA Notice, none of the ECDHE-based ciphers are showing up in the list. This is apparently what is keeping me from getting that perfect score, as IE wants those ciphers for Forward Security. It ends up taking one of the lower ciphers on the list. Does anyone know, is there a setting that needs to be made to enable those ciphers? Were they turned off in the dev stage? Is it related to my certificate? Running the openssl.exe that comes with the APR binary download shows the ECDHE ciphers in the list. Any help appreciated. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org