You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jason Jesso <jj...@global-matrix.com> on 2015/04/15 18:05:30 UTC
TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
I have Tomcat 6.0.41 connector set-up with:
SSLProtocol="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA"
We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
I also test my server using openssl like:
openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
SSL-Session:
Protocol : TLSv1
Cipher : EXP-EDH-RSA-DES-CBC-SHA
Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
Session-ID-ctx:
Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429113767
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
This is my Tomcat start-up:
bin/startup.sh
Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
Using JRE_HOME: /usr/java6
Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
I appreciate any help.
Thx
Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by David kerber <dc...@verizon.net>.
On 4/15/2015 1:43 PM, Jason Jesso wrote:
> Actually my mistake, if I use Java 7 it seems I can't connect using openssl. It seems the secure connection does not even work when I point to Java7 .
>
> The TLS works when I used the Java 6, but I'm still stuck with the EXPORT ciphers.
Ok, you have exhausted my knowledge of the subject. Somebody else is
going to need to chime in here.
>
>
> ________________________________________
> From: David kerber [dckerber@verizon.net]
> Sent: Wednesday, April 15, 2015 1:34 PM
> To: Tomcat Users List
> Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
>
> On 4/15/2015 1:17 PM, Jason Jesso wrote:
>> I am using Java 1.6 on AIX plaform.
>>
>> /usr/java6/bin/java -version
>> java version "1.6.0"
>> Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
>> IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
>> J9VM - 20131231_180656
>> JIT - r9_20130920_46510ifx3
>> GC - GA24_Java6_SR15_20131231_1152_B180656)
>> JCL - 20140107_01
>>
>> You think this is the issue?
>
> There's a chance of it, but I don't know how IBM's java versions compare
> to Oracle's. There were quite a few things that changed in late
> versions of Java 6 and 7 w.r.t. encryption.
>
> What exact version of java 7 do you have? IMS, you need a late number
> (45, maybe?).
>
>
>>
>> ________________________________________
>> From: David kerber [dckerber@verizon.net]
>> Sent: Wednesday, April 15, 2015 12:26 PM
>> To: Tomcat Users List
>> Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
>>
>> On 4/15/2015 12:05 PM, Jason Jesso wrote:
>>> I have Tomcat 6.0.41 connector set-up with:
>>>
>>>
>>> SSLProtocol="TLSv1.1,TLSv1.2"
>>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_RSA_WITH_AES_256_CBC_SHA256,
>>> TLS_RSA_WITH_AES_256_CBC_SHA"
>>>
>>>
>>> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>>>
>>>
>>> I also test my server using openssl like:
>>>
>>>
>>> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>>>
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : EXP-EDH-RSA-DES-CBC-SHA
>>> Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
>>> Session-ID-ctx:
>>> Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
>>> Key-Arg : None
>>> PSK identity: None
>>> PSK identity hint: None
>>> SRP username: None
>>> Start Time: 1429113767
>>> Timeout : 300 (sec)
>>> Verify return code: 19 (self signed certificate in certificate chain)
>>>
>>>
>>> It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
>>>
>>>
>>>
>>> This is my Tomcat start-up:
>>>
>>> bin/startup.sh
>>>
>>> Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
>>> Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
>>> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
>>> Using JRE_HOME: /usr/java6
>>> Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
>>
>> What exact version of java? I think that's your issue.
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Jason Jesso <jj...@global-matrix.com>.
Actually my mistake, if I use Java 7 it seems I can't connect using openssl. It seems the secure connection does not even work when I point to Java7 .
The TLS works when I used the Java 6, but I'm still stuck with the EXPORT ciphers.
________________________________________
From: David kerber [dckerber@verizon.net]
Sent: Wednesday, April 15, 2015 1:34 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
On 4/15/2015 1:17 PM, Jason Jesso wrote:
> I am using Java 1.6 on AIX plaform.
>
> /usr/java6/bin/java -version
> java version "1.6.0"
> Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
> IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
> J9VM - 20131231_180656
> JIT - r9_20130920_46510ifx3
> GC - GA24_Java6_SR15_20131231_1152_B180656)
> JCL - 20140107_01
>
> You think this is the issue?
There's a chance of it, but I don't know how IBM's java versions compare
to Oracle's. There were quite a few things that changed in late
versions of Java 6 and 7 w.r.t. encryption.
What exact version of java 7 do you have? IMS, you need a late number
(45, maybe?).
>
> ________________________________________
> From: David kerber [dckerber@verizon.net]
> Sent: Wednesday, April 15, 2015 12:26 PM
> To: Tomcat Users List
> Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
>
> On 4/15/2015 12:05 PM, Jason Jesso wrote:
>> I have Tomcat 6.0.41 connector set-up with:
>>
>>
>> SSLProtocol="TLSv1.1,TLSv1.2"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_RSA_WITH_AES_256_CBC_SHA256,
>> TLS_RSA_WITH_AES_256_CBC_SHA"
>>
>>
>> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>>
>>
>> I also test my server using openssl like:
>>
>>
>> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>>
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : EXP-EDH-RSA-DES-CBC-SHA
>> Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
>> Session-ID-ctx:
>> Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
>> Key-Arg : None
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1429113767
>> Timeout : 300 (sec)
>> Verify return code: 19 (self signed certificate in certificate chain)
>>
>>
>> It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
>>
>>
>>
>> This is my Tomcat start-up:
>>
>> bin/startup.sh
>>
>> Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
>> Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
>> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
>> Using JRE_HOME: /usr/java6
>> Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
>
> What exact version of java? I think that's your issue.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by David kerber <dc...@verizon.net>.
On 4/15/2015 1:17 PM, Jason Jesso wrote:
> I am using Java 1.6 on AIX plaform.
>
> /usr/java6/bin/java -version
> java version "1.6.0"
> Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
> IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
> J9VM - 20131231_180656
> JIT - r9_20130920_46510ifx3
> GC - GA24_Java6_SR15_20131231_1152_B180656)
> JCL - 20140107_01
>
> You think this is the issue?
There's a chance of it, but I don't know how IBM's java versions compare
to Oracle's. There were quite a few things that changed in late
versions of Java 6 and 7 w.r.t. encryption.
What exact version of java 7 do you have? IMS, you need a late number
(45, maybe?).
>
> ________________________________________
> From: David kerber [dckerber@verizon.net]
> Sent: Wednesday, April 15, 2015 12:26 PM
> To: Tomcat Users List
> Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
>
> On 4/15/2015 12:05 PM, Jason Jesso wrote:
>> I have Tomcat 6.0.41 connector set-up with:
>>
>>
>> SSLProtocol="TLSv1.1,TLSv1.2"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_RSA_WITH_AES_128_CBC_SHA,
>> TLS_RSA_WITH_AES_256_CBC_SHA256,
>> TLS_RSA_WITH_AES_256_CBC_SHA"
>>
>>
>> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>>
>>
>> I also test my server using openssl like:
>>
>>
>> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>>
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : EXP-EDH-RSA-DES-CBC-SHA
>> Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
>> Session-ID-ctx:
>> Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
>> Key-Arg : None
>> PSK identity: None
>> PSK identity hint: None
>> SRP username: None
>> Start Time: 1429113767
>> Timeout : 300 (sec)
>> Verify return code: 19 (self signed certificate in certificate chain)
>>
>>
>> It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
>>
>>
>>
>> This is my Tomcat start-up:
>>
>> bin/startup.sh
>>
>> Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
>> Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
>> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
>> Using JRE_HOME: /usr/java6
>> Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
>
> What exact version of java? I think that's your issue.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Jason Jesso <jj...@global-matrix.com>.
I also have Java 7 on the same host and got the same result.
________________________________________
From: Jason Jesso [jjesso@global-matrix.com]
Sent: Wednesday, April 15, 2015 1:17 PM
To: Tomcat Users List
Subject: RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
I am using Java 1.6 on AIX plaform.
/usr/java6/bin/java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
J9VM - 20131231_180656
JIT - r9_20130920_46510ifx3
GC - GA24_Java6_SR15_20131231_1152_B180656)
JCL - 20140107_01
You think this is the issue?
________________________________________
From: David kerber [dckerber@verizon.net]
Sent: Wednesday, April 15, 2015 12:26 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
On 4/15/2015 12:05 PM, Jason Jesso wrote:
> I have Tomcat 6.0.41 connector set-up with:
>
>
> SSLProtocol="TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA"
>
>
> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>
>
> I also test my server using openssl like:
>
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>
> SSL-Session:
> Protocol : TLSv1
> Cipher : EXP-EDH-RSA-DES-CBC-SHA
> Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
> Session-ID-ctx:
> Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1429113767
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
>
>
> It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
>
>
>
> This is my Tomcat start-up:
>
> bin/startup.sh
>
> Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
> Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
> Using JRE_HOME: /usr/java6
> Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
What exact version of java? I think that's your issue.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Jason Jesso <jj...@global-matrix.com>.
I am using Java 1.6 on AIX plaform.
/usr/java6/bin/java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
J9VM - 20131231_180656
JIT - r9_20130920_46510ifx3
GC - GA24_Java6_SR15_20131231_1152_B180656)
JCL - 20140107_01
You think this is the issue?
________________________________________
From: David kerber [dckerber@verizon.net]
Sent: Wednesday, April 15, 2015 12:26 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
On 4/15/2015 12:05 PM, Jason Jesso wrote:
> I have Tomcat 6.0.41 connector set-up with:
>
>
> SSLProtocol="TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA"
>
>
> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>
>
> I also test my server using openssl like:
>
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>
> SSL-Session:
> Protocol : TLSv1
> Cipher : EXP-EDH-RSA-DES-CBC-SHA
> Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
> Session-ID-ctx:
> Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1429113767
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
>
>
> It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
>
>
>
> This is my Tomcat start-up:
>
> bin/startup.sh
>
> Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
> Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
> Using JRE_HOME: /usr/java6
> Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
What exact version of java? I think that's your issue.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by David kerber <dc...@verizon.net>.
On 4/15/2015 12:05 PM, Jason Jesso wrote:
> I have Tomcat 6.0.41 connector set-up with:
>
>
> SSLProtocol="TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA"
>
>
> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>
>
> I also test my server using openssl like:
>
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>
> SSL-Session:
> Protocol : TLSv1
> Cipher : EXP-EDH-RSA-DES-CBC-SHA
> Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
> Session-ID-ctx:
> Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1429113767
> Timeout : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
>
>
> It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers I specify in the "ciphers" variable is good.
>
>
>
> This is my Tomcat start-up:
>
> bin/startup.sh
>
> Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
> Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
> Using JRE_HOME: /usr/java6
> Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
What exact version of java? I think that's your issue.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Jason Jesso <jj...@global-matrix.com>.
I think the difference is in the cipher list.
I've been trying many things and someone else I know was successful in the JBoss world so I took what they used and used it in Tomcat. It works.
________________________________________
From: Christopher Schultz [chris@christopherschultz.net]
Sent: Thursday, April 16, 2015 8:45 AM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jason,
On 4/16/15 7:48 AM, Jason Jesso wrote:
> My goal was to disable the EXPORT ciphers and not be able to
> connect with:
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null
> 2>/dev/null
I think your goal was pretty clear.
> I am using Java 6 and Tomcat 6 and we got it working with the
> following config in the connector:
>
>
> sslProtocols = "TLSv1, TLSv1.1,TLSv1.2"
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
So your problem was using SSLProtocol instead of sslProtocol.
I'm a little concerned that Tomcat seemed to ignore your cipher list
when the sslProtocol wasn't being specified.
Can you confirm that if you change the "sslProtocol" back to
"SSLProtocol" with no other changes, the problem comes back? If so,
please log a bug in Bugzilla: the ciphers list should apply even if
you are accepting the default protocol list.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVL67OAAoJEBzwKT+lPKRYQMkQAKla35I1A2xZ7AcxPmsGrr1W
g/kv+iphARtQchAPs3BV7I9DtvqDcfb3v5PQe4WxOV8smWs7bWIf1naxyaXnBO97
UD7K2nkzG8baYtcUVMs5ne/DSRvkQiiWZr8x6iBWS5ECanzD3fnP1UMXz9P8UAJT
VRZNevg/diRu3bU1U7YlwET8xVtN1iPnH4fyVf8M3/byIGFjLzTWhojCMv/u3+Qw
hZw0Q6anh7YETMoF/ZEvLumnWSzDRRiCaufLHKgcGW2r0gP3S+bf1TuxyHBOB3xy
+i0FDH355MRW90q2JsMBTiIs92fMYP3LnlxWOWGQtbai5vUQZxMpQKsFNYgAn5JI
F7hVYbCc4HU1Yr7vD6krH5o5GDVIx63uT+V+fqQR30qluxFUbi7pWSpaaQ318bkd
AqjnfMZIj62AAzI2pvG9Azsyy0UOPa/5Km5XGZDz6IEVRr+jwxTcnrYGwQBaiNhK
2icEDbnzLUI2FHjG6ScTUdiFWgcVWKb2pBLthU2s7eqiVR+TJ0/rwM7EG6HNm4Ad
d9XQRWfCP3HJRtl1x+Osf1LOeX1oCQQpCojXdL63TKQtYeH49jeF9yNV8OIRmlF4
oeL9I0hGh6o9dFRX+dGAko2Gx5oMlh5amTvQcCBx1BSFv4wBH6gdmPUXd6hU7QYZ
7Hn8wPaYMUYnLPUCOQ7X
=IxA9
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Jason Jesso <jj...@global-matrix.com>.
The case made no difference.
Still works.
Jason Jesso | Senior Systems Programmer
Direct: (905)752-8238
Toll Free: 1(800)387-1245 | Ext. 238
Fax: (905)479-5421
Web Site: global-matrix.com
Blog Site: travelagentmusings.com
________________________________________
From: Christopher Schultz [chris@christopherschultz.net]
Sent: Thursday, April 16, 2015 8:45 AM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jason,
On 4/16/15 7:48 AM, Jason Jesso wrote:
> My goal was to disable the EXPORT ciphers and not be able to
> connect with:
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null
> 2>/dev/null
I think your goal was pretty clear.
> I am using Java 6 and Tomcat 6 and we got it working with the
> following config in the connector:
>
>
> sslProtocols = "TLSv1, TLSv1.1,TLSv1.2"
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
So your problem was using SSLProtocol instead of sslProtocol.
I'm a little concerned that Tomcat seemed to ignore your cipher list
when the sslProtocol wasn't being specified.
Can you confirm that if you change the "sslProtocol" back to
"SSLProtocol" with no other changes, the problem comes back? If so,
please log a bug in Bugzilla: the ciphers list should apply even if
you are accepting the default protocol list.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVL67OAAoJEBzwKT+lPKRYQMkQAKla35I1A2xZ7AcxPmsGrr1W
g/kv+iphARtQchAPs3BV7I9DtvqDcfb3v5PQe4WxOV8smWs7bWIf1naxyaXnBO97
UD7K2nkzG8baYtcUVMs5ne/DSRvkQiiWZr8x6iBWS5ECanzD3fnP1UMXz9P8UAJT
VRZNevg/diRu3bU1U7YlwET8xVtN1iPnH4fyVf8M3/byIGFjLzTWhojCMv/u3+Qw
hZw0Q6anh7YETMoF/ZEvLumnWSzDRRiCaufLHKgcGW2r0gP3S+bf1TuxyHBOB3xy
+i0FDH355MRW90q2JsMBTiIs92fMYP3LnlxWOWGQtbai5vUQZxMpQKsFNYgAn5JI
F7hVYbCc4HU1Yr7vD6krH5o5GDVIx63uT+V+fqQR30qluxFUbi7pWSpaaQ318bkd
AqjnfMZIj62AAzI2pvG9Azsyy0UOPa/5Km5XGZDz6IEVRr+jwxTcnrYGwQBaiNhK
2icEDbnzLUI2FHjG6ScTUdiFWgcVWKb2pBLthU2s7eqiVR+TJ0/rwM7EG6HNm4Ad
d9XQRWfCP3HJRtl1x+Osf1LOeX1oCQQpCojXdL63TKQtYeH49jeF9yNV8OIRmlF4
oeL9I0hGh6o9dFRX+dGAko2Gx5oMlh5amTvQcCBx1BSFv4wBH6gdmPUXd6hU7QYZ
7Hn8wPaYMUYnLPUCOQ7X
=IxA9
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jason,
On 4/16/15 7:48 AM, Jason Jesso wrote:
> My goal was to disable the EXPORT ciphers and not be able to
> connect with:
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null
> 2>/dev/null
I think your goal was pretty clear.
> I am using Java 6 and Tomcat 6 and we got it working with the
> following config in the connector:
>
>
> sslProtocols = "TLSv1, TLSv1.1,TLSv1.2"
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
So your problem was using SSLProtocol instead of sslProtocol.
I'm a little concerned that Tomcat seemed to ignore your cipher list
when the sslProtocol wasn't being specified.
Can you confirm that if you change the "sslProtocol" back to
"SSLProtocol" with no other changes, the problem comes back? If so,
please log a bug in Bugzilla: the ciphers list should apply even if
you are accepting the default protocol list.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVL67OAAoJEBzwKT+lPKRYQMkQAKla35I1A2xZ7AcxPmsGrr1W
g/kv+iphARtQchAPs3BV7I9DtvqDcfb3v5PQe4WxOV8smWs7bWIf1naxyaXnBO97
UD7K2nkzG8baYtcUVMs5ne/DSRvkQiiWZr8x6iBWS5ECanzD3fnP1UMXz9P8UAJT
VRZNevg/diRu3bU1U7YlwET8xVtN1iPnH4fyVf8M3/byIGFjLzTWhojCMv/u3+Qw
hZw0Q6anh7YETMoF/ZEvLumnWSzDRRiCaufLHKgcGW2r0gP3S+bf1TuxyHBOB3xy
+i0FDH355MRW90q2JsMBTiIs92fMYP3LnlxWOWGQtbai5vUQZxMpQKsFNYgAn5JI
F7hVYbCc4HU1Yr7vD6krH5o5GDVIx63uT+V+fqQR30qluxFUbi7pWSpaaQ318bkd
AqjnfMZIj62AAzI2pvG9Azsyy0UOPa/5Km5XGZDz6IEVRr+jwxTcnrYGwQBaiNhK
2icEDbnzLUI2FHjG6ScTUdiFWgcVWKb2pBLthU2s7eqiVR+TJ0/rwM7EG6HNm4Ad
d9XQRWfCP3HJRtl1x+Osf1LOeX1oCQQpCojXdL63TKQtYeH49jeF9yNV8OIRmlF4
oeL9I0hGh6o9dFRX+dGAko2Gx5oMlh5amTvQcCBx1BSFv4wBH6gdmPUXd6hU7QYZ
7Hn8wPaYMUYnLPUCOQ7X
=IxA9
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Jason Jesso <jj...@global-matrix.com>.
My goal was to disable the EXPORT ciphers and not be able to connect with:
openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
I am using Java 6 and Tomcat 6 and we got it working with the following config in the connector:
sslProtocols = "TLSv1, TLSv1.1,TLSv1.2"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 73 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Problem solved for us.
Thanks for your help!
________________________________________
From: Christopher Schultz [chris@christopherschultz.net]
Sent: Thursday, April 16, 2015 1:01 AM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jason,
On 4/15/15 12:05 PM, Jason Jesso wrote:
> I have Tomcat 6.0.41 connector set-up with:
>
> SSLProtocol="TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"
>
>
> We are failing our PCI scan for "RSA_EXPORT Cipher Suites
> (FREAK)".
>
>
> I also test my server using openssl like:
>
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null
> 2>/dev/null
>
> SSL-Session: Protocol : TLSv1 Cipher : EXP-EDH-RSA-DES-CBC-SHA
> Session-ID:
> 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
> Session-ID-ctx: Master-Key:
> 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B520
5965423F162D44A0814892779A
>
>
Key-Arg : None
> PSK identity: None PSK identity hint: None SRP username: None Start
> Time: 1429113767 Timeout : 300 (sec) Verify return code: 19 (self
> signed certificate in certificate chain)
>
>
> It still connects with the EXPORT cipher. I do not know why, since
> I thought the ciphers I specify in the "ciphers" variable is good.
>
> [later] I am using Java 1.6 on AIX plaform.
Java 6 does not support TLS1.2:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardN
ames.html#SSLContext
You'll need Java 7 for TLS1.2, plus recent builds of Java 7 disable
SSLv3, which is why you can't connect to a Java-7-based Tomcat. You'll
need to use "openssl s_client -tls1_2", etc. if you want to connect.
A few notes:
1. You can't specify multiple protocols in SSLProtocols: choose the
highest one you intend to support (e.g. "TLS1.2").
2. You are using SSLProtocol (notice the capitalization) instead of
sslProtocol. The former is to be used with the APR (native) connector
and the latter is to be used with the JSSE-based connectors. Which one
are you using?
3. The "ciphers" setting is for JSSE while the SSLCipherSuite setting
is for use with the APR (native) connector. Which one are you using?
4. If you are using JSSE, you should probably use sslEnabledProtocols
to ensure that you are getting only the list of protocols you actually
want to enable. If you use "TLSv1.2" in JSSE, it will support the
other protocols down to TLSv1 unless you explicitly disable them.
So, first decide which connector you are using (APR vs. pure-Java) and
then make sure you configure it using the correct configuration
attributes:
Java-based: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
APR-based: http://tomcat.apache.org/tomcat-6.0-doc/apr.html
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVL0ImAAoJEBzwKT+lPKRYmpoQALTEp+3P64Mp/95DZqREWLCc
W1sYXrQ72re6H51KZQEBrh80ueMyT3FdFhZrePnOluvggfE5L5SCqMkgoqVszJQW
lSCiPFGuzhHREnO+znvB6lfRnmYTt3cntLmAhNH72OTTZ7G1rC7msTBOalmTrwPn
NaKgvOWG0DX8EjGWfCz8GElL5pasnkqZg6Ochl1AzkZVXAvd9QXrKZAql6/S4lWr
RPD0onDOyRNLNnUXlmPkZj6puQOxfWOGc8W6jS2GD9cnlTdl5b/8IwTip+hQT+Ia
GsqumygcM/yxEN8MY8uqJR1sywGT1k0mcrcqCFVbk3zP9eWPc5dNGTfqzjmxxN9B
FbpfSGmDqsduYlkceZ48D9Dp4GK3qL3Z1xNY1stXUyi4nvvGVFk8obh8ChtjkyQx
u0Uz48cuzUiNkRX819OmUOV3hT12cWcAnciJBOGpy/aD3AGOSqOhztUXu+szWzg5
ThK6y1Jfb7gQPNGzDDbhJHyoUSsHiNU3WG9sptYMkvUdOEpu3hg6DECmnitBapgg
NatcJrXXsAN03L6haD6rozEu9x82XKk0OzeHcO+AT+9QtCnoawccH9MOSZKHOVzP
KtKCN6NSZQu8HW3x7q4DrP1oRfyAA42Tb0EG1X2tX6r7CXVlVZxRYwFgK3FBwgEp
RJuTEcImuel3LQegh9CI
=P9s2
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Jason,
On 4/15/15 12:05 PM, Jason Jesso wrote:
> I have Tomcat 6.0.41 connector set-up with:
>
> SSLProtocol="TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"
>
>
> We are failing our PCI scan for "RSA_EXPORT Cipher Suites
> (FREAK)".
>
>
> I also test my server using openssl like:
>
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null
> 2>/dev/null
>
> SSL-Session: Protocol : TLSv1 Cipher : EXP-EDH-RSA-DES-CBC-SHA
> Session-ID:
> 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
> Session-ID-ctx: Master-Key:
> 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B520
5965423F162D44A0814892779A
>
>
Key-Arg : None
> PSK identity: None PSK identity hint: None SRP username: None Start
> Time: 1429113767 Timeout : 300 (sec) Verify return code: 19 (self
> signed certificate in certificate chain)
>
>
> It still connects with the EXPORT cipher. I do not know why, since
> I thought the ciphers I specify in the "ciphers" variable is good.
>
> [later] I am using Java 1.6 on AIX plaform.
Java 6 does not support TLS1.2:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardN
ames.html#SSLContext
You'll need Java 7 for TLS1.2, plus recent builds of Java 7 disable
SSLv3, which is why you can't connect to a Java-7-based Tomcat. You'll
need to use "openssl s_client -tls1_2", etc. if you want to connect.
A few notes:
1. You can't specify multiple protocols in SSLProtocols: choose the
highest one you intend to support (e.g. "TLS1.2").
2. You are using SSLProtocol (notice the capitalization) instead of
sslProtocol. The former is to be used with the APR (native) connector
and the latter is to be used with the JSSE-based connectors. Which one
are you using?
3. The "ciphers" setting is for JSSE while the SSLCipherSuite setting
is for use with the APR (native) connector. Which one are you using?
4. If you are using JSSE, you should probably use sslEnabledProtocols
to ensure that you are getting only the list of protocols you actually
want to enable. If you use "TLSv1.2" in JSSE, it will support the
other protocols down to TLSv1 unless you explicitly disable them.
So, first decide which connector you are using (APR vs. pure-Java) and
then make sure you configure it using the correct configuration
attributes:
Java-based: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
APR-based: http://tomcat.apache.org/tomcat-6.0-doc/apr.html
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVL0ImAAoJEBzwKT+lPKRYmpoQALTEp+3P64Mp/95DZqREWLCc
W1sYXrQ72re6H51KZQEBrh80ueMyT3FdFhZrePnOluvggfE5L5SCqMkgoqVszJQW
lSCiPFGuzhHREnO+znvB6lfRnmYTt3cntLmAhNH72OTTZ7G1rC7msTBOalmTrwPn
NaKgvOWG0DX8EjGWfCz8GElL5pasnkqZg6Ochl1AzkZVXAvd9QXrKZAql6/S4lWr
RPD0onDOyRNLNnUXlmPkZj6puQOxfWOGc8W6jS2GD9cnlTdl5b/8IwTip+hQT+Ia
GsqumygcM/yxEN8MY8uqJR1sywGT1k0mcrcqCFVbk3zP9eWPc5dNGTfqzjmxxN9B
FbpfSGmDqsduYlkceZ48D9Dp4GK3qL3Z1xNY1stXUyi4nvvGVFk8obh8ChtjkyQx
u0Uz48cuzUiNkRX819OmUOV3hT12cWcAnciJBOGpy/aD3AGOSqOhztUXu+szWzg5
ThK6y1Jfb7gQPNGzDDbhJHyoUSsHiNU3WG9sptYMkvUdOEpu3hg6DECmnitBapgg
NatcJrXXsAN03L6haD6rozEu9x82XKk0OzeHcO+AT+9QtCnoawccH9MOSZKHOVzP
KtKCN6NSZQu8HW3x7q4DrP1oRfyAA42Tb0EG1X2tX6r7CXVlVZxRYwFgK3FBwgEp
RJuTEcImuel3LQegh9CI
=P9s2
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org