> On 30/08/2016 10:23, Kreuser, Peter wrote: > > Hi all, > > I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd proves that it > is > linked). I have set the cipher string to the newly supported ciphers: > > > ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128- > GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- > AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E > CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC > DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S > HA:AES256-SHA:DES-CBC3-SHA:!DSS" > > However I cannot connect with eg. ECDHE-ECDSA-CHACHA20-POLY1305. testssl.sh > shows only the old ciphers from the plain openssl 1.0.2. > > Tomcat Version 8.5.4 > Java 1.8.0_102 > > Anything that I'm missing? > > > Without seeing the full Connector config, don't know. > > Mark >
Mark, of course I should have done that: <Connector port="8843" protocol="org.apache.coyote.http11.Http11Nio2Protocol" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" server="Apache Tomcat" allowTrace="false" maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false" hostName="xxx.xxx.net" protocols="TLSv1.1+TLSv1.2" certificateVerification="false" disableCompression="true" disableSessionTickets="false" ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"> <Certificate certificateKeyFile="${catalina.base}/conf/ssl/xxx.key" certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA" /> </SSLHostConfig> </Connector> Thanks. Peter