Are you using a load balancer?
Sent from my T-Mobile 4G LTE Device -------- Original message -------- From: David Wall <d.w...@computer.org> Date: 5/10/18 6:15 PM (GMT-06:00) To: users@tomcat.apache.org Subject: Re: configuring ciphers for SSL Labs server test We're doing good with this: <SSLHostConfig certificateVerification="none" protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" > On 5/10/18 2:45 PM, Baron Fujimoto wrote: > I'm trying to improve our grade on SSL Labs SSL server test[1] for our > Tomcat configuraton. Currently, their report caps our grade at B because, > "This server does not support Authenticated encryption (AEAD) cipher > suites". They report that we support the following cipher suites: > > # TLS 1.2 > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > > # TLS 1.1 > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > > I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are > using Java 1.8.0_162, and I believe we have the Java Cryptography > Extension (JCE) properly installed. I have the following connector > defined (this version explicitly lists ciphers I think should satisfy the > AEAD cipher requirement[2]): > > <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" > address="0.0.0.0" > port="8443" > maxThreads="500" > maxPostSize="100000" > scheme="https" secure="true" > defaultSSLHostConfigName="foo.example.edu" > SSLEnabled="true" > > <SSLHostConfig hostName="foo.example.edu" > protocols="TLSv1.1+TLSv1.2+TLS1.3" > certificateVerification="none" > honorCipherOrder="true" > > ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK > :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA > :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA > :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA > :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 > :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > :!TLS_RSA_WITH_AES_128_CBC_SHA > :!TLS_RSA_WITH_AES_256_CBC_SHA > :!TLS_RSA_WITH_AES_128_CBC_SHA256 > :!TLS_RSA_WITH_AES_256_CBC_SHA256 > :!TLS_RSA_WITH_AES_128_GCM_SHA256 > :!TLS_RSA_WITH_AES_256_GCM_SHA384 > :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 > :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA > :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA > :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 > :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA > :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 > :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 > :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > :TLS_DHE_RSA_WITH_AES_128_CBC_SHA > :TLS_DHE_RSA_WITH_AES_256_CBC_SHA > :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 > :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" > > <Certificate certificateKeystoreType="pkcs12" > > certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" > > </Certificate> > </SSLHostConfig> > </Connector> > > I've mapped the cipher suite names using the OpenSSL cipher suite name > list[3]. I originally started with > ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same > result, so subsequently tried adding the specific ciphers shown above. The > tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher > names may be used[4]. > > Any suggestions on what I may be doing wrong or for further troubleshooting? > > References: > [1] <https://www.ssllabs.com/ssltest/analyze.html> > [2] > <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites> > [3] > <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES> > [4] > <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org