Il giorno gio, 14/02/2013 alle 11.38 -0500, Christopher Schultz ha scritto: [...] > > Tomcat version is the one shipped with Debian, and uses jdk > > 1.6.0_u39 with jce unrestricted policy. I also added bouncy castle > > jar in $JAVA_HOME/jre/lib/ext and added its provider in > > $JAVA_HOME/jre/lib/security/java.security as last in the provider > > list. After restarting tomcat nothing changed. > > Did you add Bouncy Castle just to see if it would improve things? Or > are you attempting to use Bouncy Castle as your provider?
I added it in oder to add moe ciphes. I don't even know if this new povider is used at all. The only step I did are the one listed above. [...] > > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" > > maxThreads="150" scheme="https" secure="true" clientAuth="false" > > sslProtocol="TLS" proxyName="www.my-visible-name.tld" > > proxyPort="8443" address="192.168.1.55" /> > > It's traditional to specify a server key and certificate when > configuring SSL. Where are yours configured? I used default values: the keystore in named ".keystore" and is in the home directory of the user running tomcat. It contains only one key pair and one certificate, and its password is the standard one. > > So, my question: how to configure tomcat for accepting a broader > > range of ciphers, or at least to accept even one of those used by > > this browser? > > The default cipher suite depends upon your JVM, and is usually fairly > inclusive. Here's a little program I wrote to find out what your JVM > will support and what its default cipher suite will be: > http://markmail.org/message/zn4namfhypyxum23 Right. This is why I added bouncycastle. Anyway, I just tried the program in the link you supplied. This is its output: /tmp# java -showversion SSLInfo java version "1.6.0_39" Java(TM) SE Runtime Environment (build 1.6.0_39-b04) Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode) Default Cipher * SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA * SSL_DHE_DSS_WITH_DES_CBC_SHA * SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA * SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 * SSL_RSA_EXPORT_WITH_DES40_CBC_SHA * SSL_RSA_EXPORT_WITH_RC4_40_MD5 * SSL_RSA_WITH_3DES_EDE_CBC_SHA * SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA * SSL_RSA_WITH_RC4_128_MD5 * SSL_RSA_WITH_RC4_128_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * TLS_DHE_DSS_WITH_AES_256_CBC_SHA * TLS_DHE_RSA_WITH_AES_128_CBC_SHA * TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA * TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA * TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_NULL_SHA * TLS_ECDHE_RSA_WITH_RC4_128_SHA * TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_NULL_SHA * TLS_ECDH_ECDSA_WITH_RC4_128_SHA * TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_NULL_SHA * TLS_ECDH_RSA_WITH_RC4_128_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA TLS_ECDH_anon_WITH_RC4_128_SHA * TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * TLS_RSA_WITH_AES_128_CBC_SHA * TLS_RSA_WITH_AES_256_CBC_SHA If I run it after removing the bouncy castle provider, this list become short. The diff is about ciphers that iPad does not use, so I think I may remove bouncy castle at all: < * TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA < * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA < * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA < TLS_ECDHE_ECDSA_WITH_NULL_SHA < * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA < * TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA < * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA < * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA < TLS_ECDHE_RSA_WITH_NULL_SHA < * TLS_ECDHE_RSA_WITH_RC4_128_SHA < * TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA < * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA < * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA < TLS_ECDH_ECDSA_WITH_NULL_SHA < * TLS_ECDH_ECDSA_WITH_RC4_128_SHA < * TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA < * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA < * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA < TLS_ECDH_RSA_WITH_NULL_SHA < * TLS_ECDH_RSA_WITH_RC4_128_SHA < TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA < TLS_ECDH_anon_WITH_AES_128_CBC_SHA < TLS_ECDH_anon_WITH_AES_256_CBC_SHA < TLS_ECDH_anon_WITH_NULL_SHA < TLS_ECDH_anon_WITH_RC4_128_SHA Thanks, Giuseppe
signature.asc
Description: This is a digitally signed message part
