Posted to users@tomcat.apache.org by Alexandre Adao <al...@gmail.com> on 2018/04/25 15:06:37 UTC
How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
I am currently running Apache Tomcat 9.0.6. I would like to disable weak
ciphers like TLS_DHE, or know what the best cipher configuration would be to get an "A"
from the SSL Labs test.
the SSLImplementation selected. JSSE style configuration is used
below.
-->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/xxx.key"
                     certificateFile="conf/xxx.crt"
                     certificateChainFile="conf/ixxxxxx-bundle"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Re: How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
Posted by Alexandre Adao <al...@gmail.com>.
Thank you for your help. I really appreciate it. These are my current cipher settings
on Tomcat 9.0.6, and they have received grade "A" from SSL Labs.
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxHttpHeaderSize="32767"
           maxThreads="150"
           URIEncoding="UTF-8"
           compression="on"
           defaultSSLHostConfigName="my.server.edu">
    <SSLHostConfig hostName="my.server.edu"
                   honorCipherOrder="true"
                   disableSessionTickets="true"
                   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                            TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                            TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                            TLS_ECDH_RSA_WITH_RC4_128_SHA,
                            TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                            TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                            TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                            TLS_EMPTY_RENEGOTIATION_INFO_SCSV">
        <Certificate certificateKeyFile="conf/idp.key"
                     certificateFile="conf/my.server.crt"
                     certificateChainFile="conf/my.sever.edu.ca-bundle"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
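Added example, not code from this thread or from Tomcat: a small Python linter that reads the ciphers attribute of every SSLHostConfig in a server.xml and flags the suites that SSL Labs and current guidance treat as weak, namely RC4 and 3DES suites (both present in the list above), CBC suites, and static RSA/ECDH suites that give no forward secrecy. It also derives a hardened, forward-secret AEAD-only list in the original preference order, which is what a grade-conscious configuration would keep. SAMPLE_SERVER_XML is a constructed, trimmed version of the configuration above, and the classification rules are this example's own reading of JSSE suite names.

```python
"""Lint the ciphers attribute of a Tomcat SSLHostConfig for weak suites.

Added example; not code from the mailing-list thread or from Tomcat.
SAMPLE_SERVER_XML is a constructed, trimmed version of the configuration
posted in the thread, and the classification rules are this example's own
reading of JSSE cipher-suite names (key exchange, cipher, mode).
"""
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the suites from the thread plus one TLS_RSA suite.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig hostName="my.server.edu" honorCipherOrder="true"
                     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                              TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                              TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                              TLS_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_EMPTY_RENEGOTIATION_INFO_SCSV">
        <Certificate certificateKeyFile="conf/idp.key" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_cipher_lists(server_xml):
    """Map hostName -> ordered suite list for each SSLHostConfig that sets ciphers."""
    root = ET.fromstring(server_xml)
    lists = {}
    for host in root.iter("SSLHostConfig"):
        raw = host.get("ciphers")
        if not raw:
            continue
        # Tomcat accepts comma- or colon-separated lists; newlines inside the
        # attribute become spaces during XML parsing, so strip each entry.
        suites = [s.strip() for s in raw.replace(":", ",").split(",")]
        lists[host.get("hostName", "_default_")] = [s for s in suites if s]
    return lists


def findings(suite):
    """Reasons a JSSE suite name is weak; an empty list means it is acceptable."""
    if suite.endswith("_SCSV"):
        return []  # signalling value (renegotiation SCSV), not a real cipher suite
    reasons = []
    # TLS_ECDHE_* does not match "TLS_ECDH_" (the next character is E, not _).
    if suite.startswith(("TLS_RSA_", "TLS_ECDH_")):
        reasons.append("no forward secrecy: static RSA or static ECDH key exchange")
    if suite.startswith("TLS_DHE_"):
        reasons.append("DHE: strength depends on the JVM's DH group size "
                       "(jdk.tls.ephemeralDHKeySize); 1024-bit groups are rated weak")
    if "_RC4_" in suite:
        reasons.append("RC4 stream cipher, prohibited for TLS by RFC 7465")
    if "_3DES_" in suite:
        reasons.append("3DES: 64-bit block cipher")
    if "_CBC_" in suite:
        reasons.append("CBC mode with MAC-then-encrypt instead of an AEAD mode")
    return reasons


def lint(server_xml):
    """hostName -> {suite: [reasons]} containing only the suites with findings."""
    report = {}
    for host, suites in parse_cipher_lists(server_xml).items():
        flagged = {}
        for suite in suites:
            reasons = findings(suite)
            if reasons:
                flagged[suite] = reasons
        report[host] = flagged
    return report


def hardened(suites):
    """Keep only the forward-secret AEAD suites, in the original preference order."""
    return [s for s in suites if not s.endswith("_SCSV") and not findings(s)]


if __name__ == "__main__":
    for host, suites in parse_cipher_lists(SAMPLE_SERVER_XML).items():
        print(f"[{host}]")
        for suite, reasons in lint(SAMPLE_SERVER_XML)[host].items():
            print(f"  {suite}: {'; '.join(reasons)}")
        print('  hardened ciphers="' + ",".join(hardened(suites)) + '"')
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; the hardened list it prints can be pasted back into the ciphers attribute. The static-ECDH rule is the one most often missed: TLS_ECDH_* (without the E) uses the certificate's long-term key for key agreement, so it is graded like TLS_RSA_* even when the cipher itself is AES-GCM.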
Re: How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
Posted by Pierre Chiu <pc...@gmail.com>.
That was an A+ as of 2017. SSL Labs has changed their checks multiple times since then and we never revisited the setup.
The admin blocking port 80 doesn't help either. Port 80 is supposed to do a redirection :)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Pierre,
On 4/25/18 12:16 PM, Pierre Chiu wrote:
> Hi Alexandre,
>
> This is what I am doing. A+ on SSL Labs.
>
> https://orclcs.blogspot.ca/2017/03/tomcat-9-java-8-with-https.html
The A+ is coming from your use of HSTS. If you had not enabled HSTS,
you wouldn't get the A+.
Note that SSL Labs considers some of your cipher suites as "weak" (e.g.
TLS_RSA_WITH_AES_256_GCM_SHA384) and yet you still get an A+ rating.
Those ratings are quite subjective as you can see.
Thanks,
-chris
Re: How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
Posted by Pierre Chiu <pc...@gmail.com>.
Hi Alexandre,
This is what I am doing. A+ on SSL Labs.
https://orclcs.blogspot.ca/2017/03/tomcat-9-java-8-with-https.html
Re: How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alexandre,
Have a look at this page on the Wiki:
https://wiki.apache.org/tomcat/Security/Ciphers
It looks like that page could use some updating with the most-recent
versions of Tomcat/Java.
-chris