Are you using a load balancer?
Sent from my T-Mobile 4G LTE Device
-------- Original message --------
From: David Wall <d.w...@computer.org>
Date: 5/10/18 6:15 PM (GMT-06:00)
To: users@tomcat.apache.org
Subject: Re: configuring ciphers for SSL Labs server test
We're doing good with this:
<SSLHostConfig certificateVerification="none"
protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>
On 5/10/18 2:45 PM, Baron Fujimoto wrote:
> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
> Tomcat configuraton. Currently, their report caps our grade at B because,
> "This server does not support Authenticated encryption (AEAD) cipher
> suites". They report that we support the following cipher suites:
>
> # TLS 1.2
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> # TLS 1.1
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
> using Java 1.8.0_162, and I believe we have the Java Cryptography
> Extension (JCE) properly installed. I have the following connector
> defined (this version explicitly lists ciphers I think should satisfy the
> AEAD cipher requirement[2]):
>
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> address="0.0.0.0"
> port="8443"
> maxThreads="500"
> maxPostSize="100000"
> scheme="https" secure="true"
> defaultSSLHostConfigName="foo.example.edu"
> SSLEnabled="true" >
> <SSLHostConfig hostName="foo.example.edu"
> protocols="TLSv1.1+TLSv1.2+TLS1.3"
> certificateVerification="none"
> honorCipherOrder="true"
>
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> :!TLS_RSA_WITH_AES_128_CBC_SHA
> :!TLS_RSA_WITH_AES_256_CBC_SHA
> :!TLS_RSA_WITH_AES_128_CBC_SHA256
> :!TLS_RSA_WITH_AES_256_CBC_SHA256
> :!TLS_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_RSA_WITH_AES_256_GCM_SHA384
> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >
> <Certificate certificateKeystoreType="pkcs12"
>
> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" >
> </Certificate>
> </SSLHostConfig>
> </Connector>
>
> I've mapped the cipher suite names using the OpenSSL cipher suite name
> list[3]. I originally started with
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
> result, so subsequently tried adding the specific ciphers shown above. The
> tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
> names may be used[4].
>
> Any suggestions on what I may be doing wrong or for further troubleshooting?
>
> References:
> [1] <https://www.ssllabs.com/ssltest/analyze.html>
> [2]
> <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites>
> [3]
> <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES>
> [4]
> <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
