-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Gary,
On 4/27/14, 11:05 PM, Gary Briggs wrote: > In short: What's the best way to configure ciphers, matching in > tomcat and openssl, to get widest browser compatability without > sacrificing security? > > In long: I'm running tomcat with client-certificate authentication > behind a proxy made by F5 [LTM, "Local Traffic Manager", is the > specific product]. > > The LTM is basically a reverse proxy. You hand it your server's > certificate and private keys, then tell it to "do that SSL proxy > thing". It conducts a MITM attack; listening, modifying, and > watching your traffic for sketchy behaviour ["Wait... why is that > IRC instead of HTTP?"]. > > Skeevy as it sounds as I've described it, I've actually so far > been very happy with it. For example, rather than routing with > SNAT, the proxy injects an X-Forwarded-For header into the HTTP > stream; my server cannot even address/route to anything outside, > but I can still configure tomcat to log the originating address, > and it's still TLS end-to-end. > > The proxy comes with a default set of ciphers configured which > resembles openssl cipher string: > !SSLv2:!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:@SPEED > > I believe this string corresponds to a tomcat cipher > configuration: TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, > TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_AES_256_GCM_SHA384, > TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_DES_CBC_SHA, > TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA Something doesn't seem right about the above: you have an EXPORT cipher in your Tomcat list, but the OpenSSL configuration shouldn't be using that (due to !EXPORT). > This works fine with IE9,10 and Chrome. But recent firefox > versions don't like it, I get the error correspondong to "no cypher > overlap" [which I presume is missing overlap between firefox and > tomcat, because when the overlap is missing between tomcat and the > F5, the F5 just drops the connection] > > I'm using the most recent Tomcat7 release right now, with the > latest JDK7 release. > > Does anyone have any suggestions as to what set of options will go > best for me, both in the openssl-based proxy, and in tomcat? Remember that the client is only contacting the F5 to negotiate the cipher. The cipher used between LTM and Tomcat is not relevant. You ought to be able to set the cipher on the Tomcat end to be one specific thing that you particularly like (and of course that is supported by LTM) and it will always use that, regardless of what the client is using. I'm surprised that LTM has a configuration that does not allow it to accept connections from recent versions of Firefox. That would seem to be a serious problem. I know that Firefox 28 can do SSL_RSA_WITH_RC4_128_SHA (as reported by ff; should be TLS_RSA_WITH_RC4_128_SHA in Java-speak and RC4-SHA in OpenSSL-speak) because I can see it connected to such a side using that cipher right now in a window I've got up. I agree with Mark: you should use Qualys's tools and perhaps something like sslscan (freely-downloadable; also available from some some Linux package-managers) to help figure out what ciphers are actually available given a particular configuration. Do you have the ability to modify the LTM's cipher configuration? - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTXlp8AAoJEBzwKT+lPKRYQE8QAKjL/Bj7c/7W+kfOzrDUOb6U +clKS9hq7uJAjABTjKRW3dNh0W41W4XAkvZ4iYZaSxFcxPp8djQ7kaNaeF3qbzI6 m9kedJGJMTlA0Mq2bv82Mbq95+kJyqgmWBzecJMIoVMRMgkb1a1exAeBW4fSKGa9 Qq/ZG4dudS0CAC/cvsj0ObaoX8aWO1VC7QVGUXZlEbel2ebV7n+p9sdOZHijTlUl dfc0E4TIGNpBxi1EXrpJs8rcTpHw47y3tyPPzEQmPcO5/jqPCfp+6tkHVpTBQm1u a/T9w7ERRw5Pp5V4WNHheb6rob8CYUOrhMCuwMbdoYD7cil/HwX+WWN9OmulubGz H02NaJf/0w3OCa6c8TJA23Qkedz32AL0+BUYmDCDymzYgsAT9BhVPY+q2T7lc60T z0/VTjJTPJeC4835R5HniaQnXoXnT2bnuJxCfxgl/VFXbSV+sNq5npTOKW0HvakU n9EFiVic0RChJj2Y7L88hsa2BS2olQO6C5+Feriqg3t1yqDgFW+I7aZFU9LKf2U4 JEr4NHB9Yftns8ECZqeoGCDxjbU06TWx4vMMTLxpKtSrXiAB3HQ5WYaKWTz4FGDb FpTS4ek1MTxLa+VJU9NSM1Wt8qzIXEiv0rYU23c8ygAtc44nVGmwI6GwZxJADAFG s6tYp6S2zNh1sQXpaD52 =3je8 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
