> Am 02.01.2020 um 17:13 schrieb Christopher Schultz
> <ch...@christopherschultz.net>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Peter,
>
> On 1/2/20 04:24, logo wrote:
>
>> There may be an issue with the provided/available ciphers!
>>
>> The connector comes up correctly, is accessible through the browser
>> but if I test the ssl setup, I get an error message that the
>> key/cert may not be used for "Key agreement"
>>
>> See: testssl.sh <tomcat>:8443
>>
>> Signature Algorithm ECDSA with SHA256 Server key size
>> EC 256 bits Server key usage Digital Signature, Key
>> Encipherment Certificate incorrectly used for key agreement Server
>> extended key usage TLS Web Server Authentication, TLS Web Client
>> Authentication
>>
>> I cannot find the reason for that yet, testssl complains if there
>> are TLS_ECDH_*-ciphers with the wrong server key usage. The setup
>> may be causing troubles in testssl.sh as Tomcat provides ciphers
>> that maybe should not be available with ECDSA certs (? _RSA???
>> Maybe even ECDH_ECDSA???)?
>>
>> Testing 370 ciphers via OpenSSL plus sockets against the server,
>> ordered by encryption strength
>>
>> Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption
>> Bits Cipher Suite Name (IANA/RFC)
>> ----------------------------------------------------------------------
> - -------------------------------------------------------
>>
>>
>>
<snip>
>> There is probably more complexity to implementation of ECDSA in
>> Tomcat with JSSE?!?
>
> I seem to remember a bug where Tomcat does not check the "usage" of a
> key before trying to use it. I couldn't find it in BZ, maybe it was
> fixed in some partial way.
>
> What do those lists represent? All the cipher suites tried, or all
> that connected successfully?
>
testssl.sh [1] tries a list of 370 ciphers. Apparently those are the successful
socket connects.
[1] https://github.com/drwetter/testssl.sh
Peter
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4OFroACgkQHPApP6U8
> pFifJw//befvNHGem8GtKH5ds3bEdZk/nvxi1FsytOMA7YplenYI7LxnPrHYeQj0
> L6jUxgYJk5canTmCi/Zw2st03wCAXCfO+AHUYDu4TwA+Ml7ij+cmwtt5Di9onhg0
> c23bDS8WNkiTA6aW4dX5RgPj7+C60k8he+uLCpeoDjWh6b778IR7UcRdd+9uFdVU
> wx4ILhl1MNnbQeyH6UMolQA4ms+4HG09mDYcQwK4B5VejQnbtzud1hkB0mJJCCes
> MbSaE/6BA4cs9feHV8rzWqy1EW5v9MyfbgNweFMS2GJXHNr1mMiUbmW5clnGphL5
> OhLonEA8FFaceuutePz+LefQiznsbCBljSuKTB4nzy14KY3mDBAyxp3N3SLD+Rno
> Aowhp657foWlre652MORmgK7KZWGg8PZ3fxtIuGXFxk9uY0Ib0x3jvvMxm0XWMW0
> BysOmO1LW6kDKUBZSxBh1ZBq4hExySWdn2wT8n4tbYnPdDcun1EjXKSYofKevRXP
> +CDY8GER1TpLasiDbL9FHYcEtOIsKgGg85REfB13zlMkUNleTEinM7laLQnUFyIt
> hHB7Ua28lykMI3CpaOWDFfNhtzsRW5TRh7DT84OCqnnQQl3vz0Xxr6pg1dPT3M+o
> Ns3Hcr/MhgD05sOcA9i3hGRmtpRcYYznqQYdTMSxjb9HWzEjDpk=
> =A9OL
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org