My goal was to disable the EXPORT ciphers and not be able to connect with: openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
I am using Java 6 and Tomcat 6 and we got it working with the following config in the connector: sslProtocols = "TLSv1, TLSv1.1,TLSv1.2" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null CONNECTED(00000004) --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 73 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- Problem solved for us. Thanks for your help! ________________________________________ From: Christopher Schultz [ch...@christopherschultz.net] Sent: Thursday, April 16, 2015 1:01 AM To: Tomcat Users List Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Jason, On 4/15/15 12:05 PM, Jason Jesso wrote: > I have Tomcat 6.0.41 connector set-up with: > > SSLProtocol="TLSv1.1,TLSv1.2" > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA" > > > We are failing our PCI scan for "RSA_EXPORT Cipher Suites > (FREAK)". > > > I also test my server using openssl like: > > > openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null > 2>/dev/null > > SSL-Session: Protocol : TLSv1 Cipher : EXP-EDH-RSA-DES-CBC-SHA > Session-ID: > 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56 > Session-ID-ctx: Master-Key: > 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B520 5965423F162D44A0814892779A > > Key-Arg : None > PSK identity: None PSK identity hint: None SRP username: None Start > Time: 1429113767 Timeout : 300 (sec) Verify return code: 19 (self > signed certificate in certificate chain) > > > It still connects with the EXPORT cipher. I do not know why, since > I thought the ciphers I specify in the "ciphers" variable is good. > > [later] I am using Java 1.6 on AIX plaform. Java 6 does not support TLS1.2: http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardN ames.html#SSLContext You'll need Java 7 for TLS1.2, plus recent builds of Java 7 disable SSLv3, which is why you can't connect to a Java-7-based Tomcat. You'll need to use "openssl s_client -tls1_2", etc. if you want to connect. A few notes: 1. You can't specify multiple protocols in SSLProtocols: choose the highest one you intend to support (e.g. "TLS1.2"). 2. You are using SSLProtocol (notice the capitalization) instead of sslProtocol. The former is to be used with the APR (native) connector and the latter is to be used with the JSSE-based connectors. Which one are you using? 3. The "ciphers" setting is for JSSE while the SSLCipherSuite setting is for use with the APR (native) connector. Which one are you using? 4. If you are using JSSE, you should probably use sslEnabledProtocols to ensure that you are getting only the list of protocols you actually want to enable. If you use "TLSv1.2" in JSSE, it will support the other protocols down to TLSv1 unless you explicitly disable them. So, first decide which connector you are using (APR vs. pure-Java) and then make sure you configure it using the correct configuration attributes: Java-based: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html APR-based: http://tomcat.apache.org/tomcat-6.0-doc/apr.html - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVL0ImAAoJEBzwKT+lPKRYmpoQALTEp+3P64Mp/95DZqREWLCc W1sYXrQ72re6H51KZQEBrh80ueMyT3FdFhZrePnOluvggfE5L5SCqMkgoqVszJQW lSCiPFGuzhHREnO+znvB6lfRnmYTt3cntLmAhNH72OTTZ7G1rC7msTBOalmTrwPn NaKgvOWG0DX8EjGWfCz8GElL5pasnkqZg6Ochl1AzkZVXAvd9QXrKZAql6/S4lWr RPD0onDOyRNLNnUXlmPkZj6puQOxfWOGc8W6jS2GD9cnlTdl5b/8IwTip+hQT+Ia GsqumygcM/yxEN8MY8uqJR1sywGT1k0mcrcqCFVbk3zP9eWPc5dNGTfqzjmxxN9B FbpfSGmDqsduYlkceZ48D9Dp4GK3qL3Z1xNY1stXUyi4nvvGVFk8obh8ChtjkyQx u0Uz48cuzUiNkRX819OmUOV3hT12cWcAnciJBOGpy/aD3AGOSqOhztUXu+szWzg5 ThK6y1Jfb7gQPNGzDDbhJHyoUSsHiNU3WG9sptYMkvUdOEpu3hg6DECmnitBapgg NatcJrXXsAN03L6haD6rozEu9x82XKk0OzeHcO+AT+9QtCnoawccH9MOSZKHOVzP KtKCN6NSZQu8HW3x7q4DrP1oRfyAA42Tb0EG1X2tX6r7CXVlVZxRYwFgK3FBwgEp RJuTEcImuel3LQegh9CI =P9s2 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
