You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Kreuser, Peter" <pk...@airplus.com> on 2016/09/01 09:22:45 UTC
AW: AW: TCNative 1.2.8 with openssl 1.1.0
Chris,
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 8/31/16 7:21 AM, Mark Thomas wrote:
> > On 31/08/2016 12:18, Kreuser, Peter wrote:
> >>
> >> Christopher,
> >>
> >>> On 8/30/16 10:18 AM, Kreuser, Peter wrote:
> >>>
> >>> On 30/08/2016 10:23, Kreuser, Peter wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd
> >>> proves that it is linked). I have set the cipher string to the
> >>> newly supported ciphers:
> >>>
> >>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E
> C
> >>>
> >>>
<snip>
> >>
> >> testssl.sh is running with an openssl 1.0.2 compiled with
> >> CHACHA20-support.
> >>
> >> I tried to manually access the website with this version and
> >> ECDHE-ECDSA-CHACHA20-POLY1305 without success.
> >
> > Don't you need a DSA cert to use that cipher?
>
> Yep. It's used for authentication only -- EDCHE is of course being
> used for key exchange.
>
> Nice catch. Peter, this isn't working because this cipher suite can't
> be used with your RSA certificate: you'll need a DSA cert.
>
as send to Mark before, ECDHE-RSA-CHACHA20-POLY1305 isn't working either. Plus testssl.sh is trying all ciphers no matter if key exchange is DSA or RSA.
See:
Testing all 181 locally available ciphers against the server, ordered by encryption strength
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
---------------------------------------------------------------------------------------------------------------------------
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org