Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-11 Thread Terence M. Bandoian 

On 10/10/2017 1:20 AM, Peter Kreuser wrote:

Christopher,

A good read on the appropriate (openssl) cipher string that I use can be found 
here:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Hynek explains the whys and don'ts and updates the string on a regular basis!

HTH

Peter



Nice article.  Thanks!

-Terence Bandoian
 http://www.tmbsw.com/


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-10 Thread James H. H. Lampert 
On 10/9/17, 2:19 PM, Christopher Schultz (Tomcat List guru) wrote (with 
regard to a "ciphers" clause in a connector tag):

. . .

You need to list everything.

. . .

Ok. I really didn't need a command-line tool (thanks, though, on behalf 
of whoever actually does end up needing one); just an example, and I 
found one at https://tinyurl.com/y9aqpkvm


Based on that example, I then pulled up the "Configured ciphers per 
connector" page on the TC 8.5 server, and copied and pasted all of them 
into a new ciphers clause on my connector tag, and then copied and 
pasted TLS_RSA_WITH_AES_256_CBC_SHA in at the end, from a copy of the 
SSLInfo output. After restarting Tomcat, "TLS_RSA_WITH_AES_256_CBC_SHA" 
appeared in the "Configured ciphers" page, and the AS/400 was able to 
access the server.


Thanks, Messrs. Schultz, Kreuser, Thomas of the Tomcat List, and Messrs 
Stone and Klement of the HTTPAPI List.


--
JHHL


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-10 Thread Peter Kreuser 
Christopher,




Peter Kreuser
> Am 10.10.2017 um 00:14 schrieb Christopher Schultz 
> :
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> James,
> 
>> On 10/9/17 5:19 PM, Christopher Schultz wrote:
>>> On 10/6/17 6:34 PM, James H. H. Lampert wrote:
>>> Noting that my connector tag is written using Tomcat 7 connector 
>>> syntax, is there a good example of how to code a ciphers clause
>>> for that tag?
>> 
>> Tomcat 8.5+ and 9.0+ can do it... but nobody has written a 
>> command-line tool around that capability. (I could have sworn such
>> a tool existed already. I guess I'll write one.)
> 
> Okay, it's in Tomcat 9, now. Grab Tomcat 9 trunk, build it ("ant
> deploy"), then run:
> 
> $ output/build/bin/ciphers.sh [cipherspec]
> 
> where "cipherspec" is an OpenSSL-style cipher suite spec, like:
> 
> $ output/build/bin/ciphers.sh 'DEFAULT'
> 
> This gives you the JVM's current default, and dumps-out all of the
> IANA-style cipher suite names. So if you want to add one cipher suite
> to the default Java suites, just do this:
> 
> $ output/build/bin/ciphers.sh 'DEFAULT'
> 
> and then add this to the end:
> 
> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> (Unless TLS_RSA_WITH_AES_256_CBC_SHA is already present in the list.)
> 
> Note that the "DEFAULT" list has a bunch of junk you don't need.
> Specifically, you can probably get rid of all of these things with no
> ill effects, and your configuration will "look" simpler:
> 
> $ ./bin/ciphers.sh '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH'

A good read on the appropriate (openssl) cipher string that I use can be found 
here:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Hynek explains the whys and don'ts and updates the string on a regular basis!

HTH

Peter

> Hope that helps,
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb9NkdHGNocmlzQGNo
> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFisoA//bj9GFzlMaZdPYXHt
> y2iQIToESUg6Wa8vU5lQscLDfqtXeAIawiXusILz/th1fCu1usy8HeC/5nBINXAQ
> McbEUSRiq6YitPXDIwXqbOGZS76vxmheFPTst6gHCN6hNOYbFEbejK3cxX8s0Bbg
> kXtqcrnnN+a+J5UZmFeB3tctQfwsVLyGcvcwzDRTjFCIjrD1CwdEd+Ckk740jCFU
> HXgEewO6rVnxAx80hP2c9ztsHblNt0KFm4zMtWjxmHTigac1EEA1ZAi5P3nIJu5n
> 7HIw0jVX3qZHamVHXWSPb7skEZY/wj7Kko8XmJFWS0bbwuaTQJ+Pr8ZJPT145/Tb
> F0w6PqPqiR9sre7Yvy4v9y/QOqFjujEqMzkTNedRaBEItmzELPkYBBms2b2bkIVj
> bMptV5FidCthzvJAnQ5efuiG9qYCuHajNEjQM4Mhu0t95yolmh4+yD2yxA4sS35W
> YPxy24tgY9A2nNpJS+QSWtCzkQBJz+0Uxnw8y3AbW2oRkA649i+9+KppSAqCx7kH
> QYUSwTD+7aETlVthfANEr5D/MbzJbflhTjXl/bZjuEc2p1tWPxZrqC+E8FwniMLL
> NYwK4rMDrSZfrgY7mn6uPcTxzEIMTj/KvtaZCFY1GRAlAf16vNVlnCHQzMvlYKGW
> gtqS2tF9DBurCs65qocxtWLAQwU=
> =bEIh
> -END PGP SIGNATURE-
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

James,

On 10/9/17 5:19 PM, Christopher Schultz wrote:
> On 10/6/17 6:34 PM, James H. H. Lampert wrote:
>> Noting that my connector tag is written using Tomcat 7 connector 
>> syntax, is there a good example of how to code a ciphers clause
>> for that tag?
> 
> Tomcat 8.5+ and 9.0+ can do it... but nobody has written a 
> command-line tool around that capability. (I could have sworn such
> a tool existed already. I guess I'll write one.)

Okay, it's in Tomcat 9, now. Grab Tomcat 9 trunk, build it ("ant
deploy"), then run:

$ output/build/bin/ciphers.sh [cipherspec]

where "cipherspec" is an OpenSSL-style cipher suite spec, like:

$ output/build/bin/ciphers.sh 'DEFAULT'

This gives you the JVM's current default, and dumps-out all of the
IANA-style cipher suite names. So if you want to add one cipher suite
to the default Java suites, just do this:

$ output/build/bin/ciphers.sh 'DEFAULT'

and then add this to the end:

 TLS_RSA_WITH_AES_256_CBC_SHA

(Unless TLS_RSA_WITH_AES_256_CBC_SHA is already present in the list.)

Note that the "DEFAULT" list has a bunch of junk you don't need.
Specifically, you can probably get rid of all of these things with no
ill effects, and your configuration will "look" simpler:

$ ./bin/ciphers.sh '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH'

Hope that helps,
- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb9NkdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFisoA//bj9GFzlMaZdPYXHt
y2iQIToESUg6Wa8vU5lQscLDfqtXeAIawiXusILz/th1fCu1usy8HeC/5nBINXAQ
McbEUSRiq6YitPXDIwXqbOGZS76vxmheFPTst6gHCN6hNOYbFEbejK3cxX8s0Bbg
kXtqcrnnN+a+J5UZmFeB3tctQfwsVLyGcvcwzDRTjFCIjrD1CwdEd+Ckk740jCFU
HXgEewO6rVnxAx80hP2c9ztsHblNt0KFm4zMtWjxmHTigac1EEA1ZAi5P3nIJu5n
7HIw0jVX3qZHamVHXWSPb7skEZY/wj7Kko8XmJFWS0bbwuaTQJ+Pr8ZJPT145/Tb
F0w6PqPqiR9sre7Yvy4v9y/QOqFjujEqMzkTNedRaBEItmzELPkYBBms2b2bkIVj
bMptV5FidCthzvJAnQ5efuiG9qYCuHajNEjQM4Mhu0t95yolmh4+yD2yxA4sS35W
YPxy24tgY9A2nNpJS+QSWtCzkQBJz+0Uxnw8y3AbW2oRkA649i+9+KppSAqCx7kH
QYUSwTD+7aETlVthfANEr5D/MbzJbflhTjXl/bZjuEc2p1tWPxZrqC+E8FwniMLL
NYwK4rMDrSZfrgY7mn6uPcTxzEIMTj/KvtaZCFY1GRAlAf16vNVlnCHQzMvlYKGW
gtqS2tF9DBurCs65qocxtWLAQwU=
=bEIh
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-09 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

James,

On 10/6/17 6:34 PM, James H. H. Lampert wrote:
> On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:
> 
>> It might help to think of it like this:
>> 
>> There are the ciphers that a JVM supports. The JVM only enables
>> sub-set of the supported ciphers are enabled by default. Tomcat
>> with a default configuration only uses a sub-set of the ciphers 
>> that the JVM enables by default. . . . It looks like you have an
>> incompatible set of ciphers configured.
>> 
>> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA
>> is the least worse option. The Java name for this is: 
>> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> I should have tried this DAYS ago. There is also a Tomcat 7 server 
> installed on the Google Cloud server. With no apparent differences
> in the Java list of available and "enabled-by-default" ciphers
> between the two boxes, it's clear that the biggest single
> difference that I'm actually able to do anything about is which
> Tomcat server is running on 443.
> 
> So with both Tomcat servers shut down, I switched Tomcat 7 over to
> port 443, brought it up, and tried connecting to it from the same
> program as before.
> 
> This time, I got a 404. Not the least bit surprising, since the
> webapp context isn't actually installed on the Tomcat 7 server.
> 
> Incidentally, I also tried running the ssllabs.com test on the
> Tomcat 7 server. The results weren't very meaningful: it only
> listed the ECDHE suites, but then again, it only listed the ECDHE
> suites when I tried it on one of our other Tomcat 7 servers.
> 
>> Tomcat with a default configuration only uses a sub-set of the
>> ciphers that the JVM enables by default.
> 
> So is there a way, short of downloading and recompiling Tomcat
> myself, to control what's in that default subset of a default
> subset?

Nope. You can't change the JVM (well, you CAN but it's not worth it)
and you can't change Tomcat's further-restricted list of cipher
suites. But it's got nearly everything you'd actually want in there,
and it's even got some stuff you might actually NOT want in there,
depending upon your level of paranoia.

> Or failing that, is there a way, in my connector tag, to specify
> "Use TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites
> Tomcat 8.5 uses by default"?

No.

> Or do I need to list all the Tomcat 8.5 defaults in a "ciphers"
> clause, along with the TLS_RSA_WITH_AES_256_CBC_SHA?

You need to list everything.

> Noting that my connector tag is written using Tomcat 7 connector
> syntax, is there a good example of how to code a ciphers clause for
> that tag?

Tomcat 8.5+ and 9.0+ can do it... but nobody has written a
command-line tool around that capability. (I could have sworn such a
tool existed already. I guess I'll write one.)


- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb5/AdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh7nA/+Nq5pXhaL9++l2y8b
LSVfaoy5PamsIFvn5paEchot2XfvoE4TXMWb3e5EmVPPk89QLZKn/jMzOukKs/9S
7g4QVtngxEfi9W48poj45abfwMk+Rh2Na4fNIwMLjNFFVYLH1AeuO/hvDk1/Zf0z
mIgqa85OlMuwnpWF3AqWI/KEOi9d9PNOIm2TT8c+lI6WyR99M+FTWtt10Zlv/IFG
7JeSEbKURxkacOlwe6aR7Paa7Wt2LcUldYcAhmYwKJPvHJaYcs1ZdbvPsx2h8j2E
eGBftxjl9+2cx0+5+tkQtl0nAotZmqoX3SsIgeDJWwUdUI/7iLkJMt/d8A1gdGgR
AaCZgW09fn8MpzAaqqOz+FdqpNcldBsiut4o4gv+bUhDQClijvpz/LDKW02eJhEi
6/1U+Eqe5MyXj+zn02Am+z7uoyyU8H1F3QUEN1+OsKH3/AsOCZBwkqeBvig3a8Mb
XXPCOUroDqW4zhvAd8/mk0tuoo2OZ+O3rd/VuZecDU7uuhclvgp7+orhsIwrDL0o
jynVbIm0k2VPHPwDQRAL9scdXc0BGFih8D6tP9JBmIgVHQhHVoqbJkwfo+Zrer/L
cLP7R2iBcg2d2EqYxlMXYmgVf4jnVcGTfn1n2V9Hc6YYhcLIxTF3s37xln2StERB
69veYEnl/qoqo/7IcKp5YrE+kP8=
=w1+P
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-06 Thread logo 
James,


> On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:
> 
>> It might help to think of it like this:
>> 
>> There are the ciphers that a JVM supports.
>> The JVM only enables sub-set of the supported ciphers are enabled by
>> default.
>> Tomcat with a default configuration only uses a sub-set of the ciphers
>> that the JVM enables by default.
>> . . .
>> It looks like you have an incompatible set of ciphers configured.
>> 
>> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA is the
>> least worse option. The Java name for this is:
>> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> I should have tried this DAYS ago. There is also a Tomcat 7 server installed 
> on the Google Cloud server. With no apparent differences in the Java list of 
> available and "enabled-by-default" ciphers between the two boxes, it's clear 
> that the biggest single difference that I'm actually able to do anything 
> about is which Tomcat server is running on 443.
> 
> So with both Tomcat servers shut down, I switched Tomcat 7 over to port 443, 
> brought it up, and tried connecting to it from the same program as before.
> 
> This time, I got a 404. Not the least bit surprising, since the webapp 
> context isn't actually installed on the Tomcat 7 server.
> 
> Incidentally, I also tried running the ssllabs.com  test 
> on the Tomcat 7 server. The results weren't very meaningful: it only listed 
> the ECDHE suites, but then again, it only listed the ECDHE suites when I 
> tried it on one of our other Tomcat 7 servers.
> 
> > Tomcat with a default configuration only uses a sub-set of the ciphers
> > that the JVM enables by default.
> 
> So is there a way, short of downloading and recompiling Tomcat myself, to 
> control what's in that default subset of a default subset?
> 
> Or failing that, is there a way, in my connector tag, to specify "Use 
> TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites Tomcat 8.5 uses by 
> default"?
> 
> Or do I need to list all the Tomcat 8.5 defaults in a "ciphers" clause, along 
> with the TLS_RSA_WITH_AES_256_CBC_SHA?
> 
> Noting that my connector tag is written using Tomcat 7 connector syntax, is 
> there a good example of how to code a ciphers clause for that tag?
> 
> --
> JHHL
> 

Apparently Tomcat 7 syntax will not support openssl syntax like 
HIGH:+AES256:!MD5:... That will perfectly work with Tomcat 8.5 with the new ssl 
syntax, and that is a major achievement.

A quick dig into tomcat7 conf and tested with docker will lead you to the 
following working ssl conf. Be aware that Java7 is not really able to handle 
modern ssl requirements like bit length > 1024bit or server cipher order.



You may want to test a local ssl setup with the great testssl.sh tool by dirk 
wetter (https://testssl.sh ), also available on docker.
I’ve picked the ciphers from the list that testssl.sh showed me for the 
standard conf of Tomcat 8.0.47 and JRE7 (RFC notation). Then I’ve added your 
requested cipher.

HTH,

Peter