On 4/15/2015 1:43 PM, Jason Jesso wrote:
Actually, my mistake: if I use Java 7 it seems I can't connect using openssl.
It seems the secure connection does not even work when I point to Java 7.

TLS works when I use Java 6, but I'm still stuck with the EXPORT
ciphers.

Ok, you have exhausted my knowledge of the subject. Somebody else is going to need to chime in here.




________________________________________
From: David kerber [dcker...@verizon.net]
Sent: Wednesday, April 15, 2015 1:34 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

On 4/15/2015 1:17 PM, Jason Jesso wrote:
I am using Java 1.6 on AIX platform.

/usr/java6/bin/java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 
jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
J9VM - 20131231_180656
JIT  - r9_20130920_46510ifx3
GC   - GA24_Java6_SR15_20131231_1152_B180656)
JCL  - 20140107_01

You think this is the issue?

There's a chance of it, but I don't know how IBM's java versions compare
to Oracle's.  There were quite a few things that changed in late
versions of Java 6 and 7 w.r.t. encryption.

What exact version of java 7 do you have?  IMS, you need a late number
(45, maybe?).



________________________________________
From: David kerber [dcker...@verizon.net]
Sent: Wednesday, April 15, 2015 12:26 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

On 4/15/2015 12:05 PM, Jason Jesso wrote:
I have Tomcat 6.0.41 connector set up with:


SSLProtocol="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            TLS_RSA_WITH_AES_128_CBC_SHA256,
            TLS_RSA_WITH_AES_128_CBC_SHA,
            TLS_RSA_WITH_AES_256_CBC_SHA256,
            TLS_RSA_WITH_AES_256_CBC_SHA"


We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".


I also test my server using openssl like:


openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null

SSL-Session:
       Protocol  : TLSv1
       Cipher    : EXP-EDH-RSA-DES-CBC-SHA
       Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
       Session-ID-ctx:
       Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
       Key-Arg   : None
       PSK identity: None
       PSK identity hint: None
       SRP username: None
       Start Time: 1429113767
       Timeout   : 300 (sec)
       Verify return code: 19 (self signed certificate in certificate chain)


It still connects with the EXPORT cipher.  I do not know why, since I thought the ciphers
I specify in the "ciphers" variable are good.



This is my Tomcat start-up:

bin/startup.sh

Using CATALINA_BASE:   /usr/apache-tomcat-6.0.41
Using CATALINA_HOME:   /usr/apache-tomcat-6.0.41
Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
Using JRE_HOME:        /usr/java6
Using CLASSPATH:       /usr/apache-tomcat-6.0.41/bin/bootstrap.jar

What exact version of java?  I think that's your issue.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
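One way to write the HTTPS connector so that the protocol and cipher restrictions actually reach the Java socket, as an added example rather than the poster's server.xml. It assumes the connector is the JSSE (BIO/NIO) one and not APR: `SSLProtocol` with a capital S is an APR/OpenSSL-connector attribute, while the JSSE connector in Tomcat 6.0.x (documented for 6.0.38 and later, so present in 6.0.41) takes `sslProtocol` plus `sslEnabledProtocols` for the protocol list and `ciphers` for the suites. The s_client session quoted above already shows that the protocol restriction is not being applied: it reports `Protocol : TLSv1`, and a server limited to TLSv1.1 and TLSv1.2 could not have produced that session at all. The port, protocol class name, keystore path and password below are placeholders.

```xml
<!-- Added example, not the poster's configuration: JSSE HTTPS connector for
     Tomcat 6.0.x. keystoreFile/keystorePass are placeholders. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA" />
```

Two checks are worth making after the restart. First, that every name in `ciphers` is one the running JVM actually reports from `SSLServerSocketFactory.getDefault().getSupportedCipherSuites()`: IBM's JSSE provider has historically listed many suites with an `SSL_` prefix instead of `TLS_`, and as far as I recall the 6.0.x `JSSESocketFactory` silently leaves the JVM's default suite list in place when none of the configured names match, which on an old Java 6 includes export suites. Treat both points as something to verify against your JDK and Tomcat sources rather than as established fact. Second, repeat the `openssl s_client -cipher EXPORT` test and confirm that the handshake now fails instead of reporting an `EXP-` cipher, and that a normal handshake reports TLSv1.1 or TLSv1.2 on the `Protocol` line. If the connector turns out to be APR, the equivalent attributes are `SSLProtocol` and `SSLCipherSuite`, the latter in OpenSSL cipher-string syntax where `!EXPORT` excludes the export suites.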

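The thread's `openssl s_client -cipher EXPORT` test, turned into a scan that tries each export suite on its own and reports which ones the server accepts. This is an added example, not code from the thread or from Tomcat. It assumes `openssl` is on PATH and is a 1.0.x build that still contains export suites (1.1.0 and later removed them, in which case `openssl ciphers EXPORT` fails and the scan returns an empty list without proving anything); the script name `export_scan.py` and the two embedded sample outputs are constructed for illustration, the samples modelled on s_client's SSL-Session block so the parser can be checked offline.

```python
#!/usr/bin/env python3
"""Probe a TLS server for export-grade (FREAK) cipher suites.

Added example, not from the mailing-list thread. It automates the thread's
`openssl s_client -cipher EXPORT` test: instead of one handshake offering the
whole EXPORT group, it asks the local openssl for every export suite it knows
and tries each one, so the report names exactly which suites the server still
accepts. Requires an OpenSSL 1.0.x build that still ships export suites.
"""
import re
import subprocess

# s_client's SSL-Session block contains "    Cipher    : EXP-EDH-RSA-DES-CBC-SHA";
# a failed handshake prints "    Cipher    : 0000" there instead.
_CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)\s*$", re.MULTILINE)

# OpenSSL names export suites EXP-...; JSSE names carry _EXPORT_ or _EXPORT1024_
# (e.g. SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA).
_EXPORT_NAME = re.compile(r"^EXP-|_EXPORT\d*_")


def negotiated_cipher(s_client_output):
    """Return the suite s_client negotiated, or None if the handshake failed."""
    m = _CIPHER_LINE.search(s_client_output)
    if m is None or m.group(1) in ("0000", "(NONE)"):
        return None
    return m.group(1)


def is_export_suite(name):
    """True for export-grade suites in either OpenSSL or JSSE naming."""
    return _EXPORT_NAME.search(name) is not None


def parse_cipher_list(text):
    """Split `openssl ciphers` output (colon-separated) into suite names."""
    return [s for s in text.strip().split(":") if s]


def local_export_suites():
    """Every export suite the local openssl can offer ([] on 1.1.0+ builds)."""
    try:
        out = subprocess.run(["openssl", "ciphers", "EXPORT"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return parse_cipher_list(out)


def probe(host, port, cipher, timeout=15):
    """Handshake offering exactly one suite; return it if accepted, else None."""
    cmd = ["openssl", "s_client", "-cipher", cipher,
           "-connect", "%s:%d" % (host, port)]
    try:
        # Empty stdin makes s_client exit right after the handshake, the same
        # as the `< /dev/null` redirection in the thread's command line.
        proc = subprocess.run(cmd, input="", capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    return negotiated_cipher(proc.stdout)


def scan(host, port=443):
    """Return the export suites the server accepted; an empty list is a pass."""
    accepted = []
    for suite in local_export_suites():
        got = probe(host, port, suite)
        if got is not None and is_export_suite(got):
            accepted.append(got)
    return accepted


# Constructed sample outputs (modelled on s_client's SSL-Session block, not
# captured from a live server) so the parser can be exercised offline.
SAMPLE_ACCEPTED = """---
New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-EDH-RSA-DES-CBC-SHA
    Session-ID: DEADBEEF
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""
SAMPLE_REJECTED = """---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
---
"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    bad = scan(target, port)
    if bad:
        print("FAIL: %s:%d accepted export suites: %s" % (target, port, ", ".join(bad)))
        sys.exit(1)
    print("OK: no export suite negotiated (confirm the local openssl still offers them)")
```

Run it as `python3 export_scan.py host 443`; exit status 1 means at least one export suite was negotiated, which is the condition the PCI scanner is flagging. A `Cipher :` value of `0000` or `(NONE)` means the handshake failed, which is the result you want after the fix. The single `-cipher EXPORT` run in the thread proves the server accepts at least one export suite but not which ones; the per-suite loop is what shows whether a partial fix (dropping RSA_EXPORT but leaving the DHE export suite the thread's session actually negotiated, for instance) was enough.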
