Todd wrote:

>> Peter Kreuser wrote
>>>
>>> Can you provide a clean configuration that exhibits this behavior?
>>>
>>> What are you using to test the effective configuration?
>>
>> Another question: are you sure that you hit the Connector that you
>> configure? Tomcat should be reasonably configured in defaults with a
>> current JDK...
>>
>> 8443 or the like are not scanned with ssllabs! So it may as well hit an
>> apache on the same machine!
>>
>> Can you show detail on what ssllabs is complaining about?
>>
>> Best regards
>>
>> Peter
>
> Thank you Peter and Chris.
>
> I'm utilizing ssllabs to check as well as just going to the site with Chrome
> and looking in developer tools to see the protocol that was selected.
>
> I understand that 8443 is not a normal port; I'm using ipchains to redirect
> traffic from 443 to 8443. I believe that traffic is specifically hitting
> this webserver, as changes such as adding SSL or removing TLS 1.0 in the
> configuration file take immediate effect after restarting the Tomcat
> service.
>
> My current SSLHostConfig looks like this:
>
>     <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
>                    honorCipherOrder="true"
>                    ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
>                             TLS_RSA_WITH_AES_256_CBC_SHA256,
>                             TLS_RSA_WITH_AES_256_CBC_SHA,
>                             TLS_RSA_WITH_AES_128_GCM_SHA256,
>                             TLS_RSA_WITH_AES_128_CBC_SHA256,
>                             TLS_RSA_WITH_AES_128_CBC_SHA,
>                             TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>                             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>                             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
>         <Certificate certificateKeystoreFile="...."
>                      certificateKeystorePassword="...."
>                      type="RSA" />
>     </SSLHostConfig>
>
> But ssllabs reports the following ciphers:
>
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>
> None of these ciphers are included in my list, and changes to my cipher list
> have no effect at all on what is displayed by ssllabs.
>
> I'm stuck, so any ideas or guidance is appreciated, thank you!
> -Todd
Tomcat 8.5.14
OpenJDK on debian stretch 1.8.0_131

Using your conf I get the following - which is exactly what you ask for:

A- with:

    TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)                                                256
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)                                                256
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)                                                   256
    TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)                                                128
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)                                                128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)                                                   128
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH sect571r1 (eq. 15360 bits RSA)   FS   128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH sect571r1 (eq. 15360 bits RSA)   FS   256
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)                                                   WEAK 112

These include the numbers Chris is referring to.

- YIKES, do you need 3DES for IE8? Put that last with honorCipherOrder=true,
  then SSLlabs will not punish you in the ranking.

- the cipher list is not optimal - as you are ranked A- with "The server does
  not support Forward Secrecy with the reference browsers. Grade reduced to
  A-." but we'll work on that later

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               allowTrace="false"
               maxThreads="150"
               SSLEnabled="true"
               compression="off"
               scheme="https"
               server="Apache Tomcat"
               secure="true">
        <SSLHostConfig hostName="logopk.no-ip.com"
                       honorCipherOrder="true"
                       certificateVerification="false"
                       protocols="TLSv1+TLSv1.1+TLSv1.2"
                       ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_RSA_WITH_AES_256_CBC_SHA256,
                                TLS_RSA_WITH_AES_256_CBC_SHA,
                                TLS_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_RSA_WITH_AES_128_CBC_SHA,
                                TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
            <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                         certificateKeystorePassword="changeit"
                         certificateKeyAlias="tomcat"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

It would be interesting to get more details on the connector and the
underlying java version. We can see your SSL provider in the Connector...

BTW I do a NAT port forwarding from 443 to 8443.

Best regards

Peter
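Peter's question ("are you sure that you hit the Connector that you configure?") and Todd's manual comparison of his ciphers attribute against the ssllabs report amount to a diff between configured and served suites, plus the two ordering points Peter raises (3DES last, forward-secret suites ranked ahead of static RSA). The Python script below is an added example, not code from this thread or from Tomcat: it parses a constructed server.xml fragment modelled on the posted SSLHostConfig, compares it with a constructed list of observed suites (the ones Todd quotes), and reports mismatches and ordering warnings; the keystore path is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the SSLHostConfig posted above
# (cipher list shortened, keystore path is a placeholder).
SERVER_XML = """
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1" honorCipherOrder="true"
      ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
               TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
               TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
    <Certificate certificateKeystoreFile="KEYSTORE_PATH_PLACEHOLDER" type="RSA" />
  </SSLHostConfig>
</Connector>
"""
# Constructed "scanner output": the suites the thread says ssllabs reported.
OBSERVED = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
WEAK_MARKERS = ("3DES", "RC4", "_NULL_", "EXPORT")

def configured_ciphers(server_xml):
    """Ordered cipher list of the first SSLHostConfig plus its honorCipherOrder flag.
    Tomcat accepts comma- or colon-separated names with arbitrary whitespace."""
    host = ET.fromstring(server_xml.strip()).find(".//SSLHostConfig")
    names = [c for c in re.split(r"[,:\s]+", host.get("ciphers", "")) if c]
    return names, host.get("honorCipherOrder", "false").lower() == "true"

def audit(server_xml, observed):
    """Compare configured vs. served suites and check the ordering rules that
    decide the ssllabs grade once honorCipherOrder takes effect."""
    ciphers, honor_order = configured_ciphers(server_xml)
    weak = [c for c in ciphers if any(m in c for m in WEAK_MARKERS)]
    findings = {
        # Served but never configured: the scan reached another listener, or the
        # Connector that was edited is not the one serving the traffic.
        "unconfigured_served": sorted(set(observed) - set(ciphers)),
        "configured_not_served": sorted(set(ciphers) - set(observed)),
        "weak": weak,
        "order_warnings": [],
    }
    if honor_order:
        fs = [i for i, c in enumerate(ciphers) if "DHE" in c]       # ECDHE/DHE give forward secrecy
        static = [i for i, c in enumerate(ciphers) if "DHE" not in c]
        if fs and static and min(static) < min(fs):
            findings["order_warnings"].append("static RSA suites precede forward-secret suites")
        strong = [i for i, c in enumerate(ciphers) if c not in weak]
        if weak and strong and min(ciphers.index(w) for w in weak) < max(strong):
            findings["order_warnings"].append("weak suite(s) not listed last")
    return findings
```

Run `audit(SERVER_XML, OBSERVED)` against your own server.xml and a scanner's cipher list; a non-empty `unconfigured_served` is the signal that the scanned port is not served by the Connector you edited.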