You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/05/20 11:21:29 UTC
Re: Can tomcat be configured for ECDHE and DHE cipher suites
On 20/05/2016 12:18, Utkarsh Dave wrote:
> Hi Mark - Thanks.
> SSLHonorCipherOrder, cna it be configured on Tomcat ?
There would not have been much point telling you about a configuration
option you could not use would there?
It sounds like you need to spend a few minutes looking over the TLS
configuration options for the APR/native HTTP connector:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
Mark
>
> -thanks
>
> On Fri, May 20, 2016 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 20/05/2016 12:04, Jan Dosoudil wrote:
>>> Hi,
>>> do you have Java Cryptography Extension (JCE) Unlimited Strength
>>> Jurisdiction Policy Files installed?
>>
>> Irrelevant. The OP is using APR / OpenSSL.
>>
>> The available ciphers are controlled by the SSLCipherSuite which follows
>> the OpenSSL config rules for ciphers.
>>
>> You can set SSLHonorCipherOrder to enforce the server's preference order
>> if you wish.
>>
>> Mark
>>
>>
>>>
>>> JD
>>>
>>> 2016-05-20 12:50 GMT+02:00 Utkarsh Dave <ut...@gmail.com>:
>>>
>>>> Sorry, I missed that information in my earlier mail.
>>>> Tomcat - 7.0.69 configured for SSL
>>>> Connector - APR
>>>> Java - jdk1.7.0_101
>>>>
>>>>
>>>> On Fri, May 20, 2016 at 4:10 PM, Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>>> On 20/05/2016 11:37, Utkarsh Dave wrote:
>>>>>> Hi Users and Tomcat team,
>>>>>>
>>>>>> Port 8443 on my product is configured for Tomcat and accepts inbound
>>>>>> traffic from 3rd parties.
>>>>>> In the TLS handshake, Tomcat chooses TLS_RSA_WITH_AES_256_CBC_SHA over
>>>>> some
>>>>>> of the more secure cipher options offered by the 3rd party. The
>>>>>> 3rd party offers a list of 66 cipher suites that include many
>>>>>> ECDHE and DHE variants. Tomcat configured on my product preferred
>>>> cipher
>>>>>> suite is AES256-SHA.
>>>>>> Can The tomcat be configured for ECDHE and DHE suites must be
>>>>>> available and preferred?
>>>>>
>>>>> Tomcat version?
>>>>>
>>>>> Connector type?
>>>>>
>>>>> Java version?
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can tomcat be configured for ECDHE and DHE cipher suites
Posted by Utkarsh Dave <ut...@gmail.com>.
Thanks Mark.
It appears it is client (3rd party which requests to tomcta) to choose the
cipher while negotiating. We can use SSLHonorCipherOrder
to enforce the server's cipher order.
I guess i got my answer.
-Thanks
Utkarsh Dave
On Fri, May 20, 2016 at 4:51 PM, Mark Thomas <ma...@apache.org> wrote:
> On 20/05/2016 12:18, Utkarsh Dave wrote:
> > Hi Mark - Thanks.
> > SSLHonorCipherOrder, cna it be configured on Tomcat ?
>
> There would not have been much point telling you about a configuration
> option you could not use would there?
>
> It sounds like you need to spend a few minutes looking over the TLS
> configuration options for the APR/native HTTP connector:
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> Mark
>
>
> >
> > -thanks
> >
> > On Fri, May 20, 2016 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 20/05/2016 12:04, Jan Dosoudil wrote:
> >>> Hi,
> >>> do you have Java Cryptography Extension (JCE) Unlimited Strength
> >>> Jurisdiction Policy Files installed?
> >>
> >> Irrelevant. The OP is using APR / OpenSSL.
> >>
> >> The available ciphers are controlled by the SSLCipherSuite which follows
> >> the OpenSSL config rules for ciphers.
> >>
> >> You can set SSLHonorCipherOrder to enforce the server's preference order
> >> if you wish.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> JD
> >>>
> >>> 2016-05-20 12:50 GMT+02:00 Utkarsh Dave <ut...@gmail.com>:
> >>>
> >>>> Sorry, I missed that information in my earlier mail.
> >>>> Tomcat - 7.0.69 configured for SSL
> >>>> Connector - APR
> >>>> Java - jdk1.7.0_101
> >>>>
> >>>>
> >>>> On Fri, May 20, 2016 at 4:10 PM, Mark Thomas <ma...@apache.org>
> wrote:
> >>>>
> >>>>> On 20/05/2016 11:37, Utkarsh Dave wrote:
> >>>>>> Hi Users and Tomcat team,
> >>>>>>
> >>>>>> Port 8443 on my product is configured for Tomcat and accepts inbound
> >>>>>> traffic from 3rd parties.
> >>>>>> In the TLS handshake, Tomcat chooses TLS_RSA_WITH_AES_256_CBC_SHA
> over
> >>>>> some
> >>>>>> of the more secure cipher options offered by the 3rd party. The
> >>>>>> 3rd party offers a list of 66 cipher suites that include many
> >>>>>> ECDHE and DHE variants. Tomcat configured on my product preferred
> >>>> cipher
> >>>>>> suite is AES256-SHA.
> >>>>>> Can The tomcat be configured for ECDHE and DHE suites must be
> >>>>>> available and preferred?
> >>>>>
> >>>>> Tomcat version?
> >>>>>
> >>>>> Connector type?
> >>>>>
> >>>>> Java version?
> >>>>>
> >>>>> Mark
> >>>>>
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Can tomcat be configured for ECDHE and DHE cipher suites
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 5/25/16 10:38 AM, Mark Thomas wrote:
> On 25/05/2016 15:17, Utkarsh Dave wrote:
>> Hello Mark,
>>
>> I have a question for SSL Support - BIO and NIO. It is mention
>> that useServerCipherSuitesOrder can be used with Java 8 only So
>> is there a way (in java 7 and BIO and NIO support ) or another
>> parameter we can use with "ciphers" to force client follow the
>> order of ciphers.
>
> No.
>
>> The JSSE implementation guide documents that the client tells the
>> server which cipher suites it has available, and the server
>> chooses the best mutually acceptable cipher suite.
>
> Then the JSSE implementation guide is wrong. The client presents
> the ciphers it supports in client preference order and the server
> picks the first one it can support.
No, it doesn't. The server is free to choose whatever cipher is
mutually-supported. Unless "honor server cipher ordering" is enabled,
most servers will choose the first cipher presented by the client. The
tradition of using the client's favorite cipher suite is just that: a
tradition. It's not in the spec at all:
"
The cipher suite list, passed from the client to the server in the
ClientHello message, contains the combinations of cryptographic
algorithms supported by the client in order of the client's
preference (favorite choice first). Each cipher suite defines a key
exchange algorithm, a bulk encryption algorithm (including secret key
length), a MAC algorithm, and a PRF. The server will select a cipher
suite or, if no acceptable choices are presented, return a handshake
failure alert and close the connection. If the list contains cipher
suites the server does not recognize, support, or wish to use, the
server MUST ignore those cipher suites, and process the remaining
ones as usual.
"
(https://tools.ietf.org/html/rfc5246#page-40)
The problem here is the definition of "best". If the JSSE
implementation guide thinks that "best" is "most preferred by the
client" then it will choose the first mutually-supported cipher suite.
Your definition of "best" probably means "highest security", and so it
will fail your test while passing the client's test of "best".
This is why "honor server cipher suite order" was invented: it allows
the SERVER to decide what "best" means instead of leaving the decision
to "tradition" by whatever definition.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAldFwuAACgkQ9CaO5/Lv0PCUJwCfQhGYpK6SZJyK1vPejbVbeGe9
vJ4An3nj//KAgd2yPqx1dbktuHXjRXcn
=7y3S
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can tomcat be configured for ECDHE and DHE cipher suites
Posted by Mark Thomas <ma...@apache.org>.
On 25/05/2016 15:17, Utkarsh Dave wrote:
> Hello Mark,
>
> I have a question for SSL Support - BIO and NIO.
> It is mention that useServerCipherSuitesOrder can be used with Java 8 only
> So is there a way (in java 7 and BIO and NIO support ) or another parameter
> we can use with "ciphers" to force client follow the order of ciphers.
No.
> The JSSE implementation guide documents that the client tells the server
> which cipher suites it has available, and the server chooses the best
> mutually acceptable cipher suite.
Then the JSSE implementation guide is wrong. The client presents the
ciphers it supports in client preference order and the server picks the
first one it can support.
Mark
>
> I am facing an issue where
>
> TLS_RSA_WITH_AES_256_CBC_SHA is being chosen from all other available
> ECDHE and DHE suites.
>
> -Utkarsh
>
>
> On Fri, May 20, 2016 at 4:51 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 20/05/2016 12:18, Utkarsh Dave wrote:
>>> Hi Mark - Thanks.
>>> SSLHonorCipherOrder, cna it be configured on Tomcat ?
>>
>> There would not have been much point telling you about a configuration
>> option you could not use would there?
>>
>> It sounds like you need to spend a few minutes looking over the TLS
>> configuration options for the APR/native HTTP connector:
>>
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>
>> Mark
>>
>>
>>>
>>> -thanks
>>>
>>> On Fri, May 20, 2016 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 20/05/2016 12:04, Jan Dosoudil wrote:
>>>>> Hi,
>>>>> do you have Java Cryptography Extension (JCE) Unlimited Strength
>>>>> Jurisdiction Policy Files installed?
>>>>
>>>> Irrelevant. The OP is using APR / OpenSSL.
>>>>
>>>> The available ciphers are controlled by the SSLCipherSuite which follows
>>>> the OpenSSL config rules for ciphers.
>>>>
>>>> You can set SSLHonorCipherOrder to enforce the server's preference order
>>>> if you wish.
>>>>
>>>> Mark
>>>>
>>>>
>>>>>
>>>>> JD
>>>>>
>>>>> 2016-05-20 12:50 GMT+02:00 Utkarsh Dave <ut...@gmail.com>:
>>>>>
>>>>>> Sorry, I missed that information in my earlier mail.
>>>>>> Tomcat - 7.0.69 configured for SSL
>>>>>> Connector - APR
>>>>>> Java - jdk1.7.0_101
>>>>>>
>>>>>>
>>>>>> On Fri, May 20, 2016 at 4:10 PM, Mark Thomas <ma...@apache.org>
>> wrote:
>>>>>>
>>>>>>> On 20/05/2016 11:37, Utkarsh Dave wrote:
>>>>>>>> Hi Users and Tomcat team,
>>>>>>>>
>>>>>>>> Port 8443 on my product is configured for Tomcat and accepts inbound
>>>>>>>> traffic from 3rd parties.
>>>>>>>> In the TLS handshake, Tomcat chooses TLS_RSA_WITH_AES_256_CBC_SHA
>> over
>>>>>>> some
>>>>>>>> of the more secure cipher options offered by the 3rd party. The
>>>>>>>> 3rd party offers a list of 66 cipher suites that include many
>>>>>>>> ECDHE and DHE variants. Tomcat configured on my product preferred
>>>>>> cipher
>>>>>>>> suite is AES256-SHA.
>>>>>>>> Can The tomcat be configured for ECDHE and DHE suites must be
>>>>>>>> available and preferred?
>>>>>>>
>>>>>>> Tomcat version?
>>>>>>>
>>>>>>> Connector type?
>>>>>>>
>>>>>>> Java version?
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Can tomcat be configured for ECDHE and DHE cipher suites
Posted by Utkarsh Dave <ut...@gmail.com>.
Hello Mark,
I have a question for SSL Support - BIO and NIO.
It is mention that useServerCipherSuitesOrder can be used with Java 8 only
So is there a way (in java 7 and BIO and NIO support ) or another parameter
we can use with "ciphers" to force client follow the order of ciphers.
The JSSE implementation guide documents that the client tells the server
which cipher suites it has available, and the server chooses the best
mutually acceptable cipher suite.
I am facing an issue where
TLS_RSA_WITH_AES_256_CBC_SHA is being chosen from all other available
ECDHE and DHE suites.
-Utkarsh
On Fri, May 20, 2016 at 4:51 PM, Mark Thomas <ma...@apache.org> wrote:
> On 20/05/2016 12:18, Utkarsh Dave wrote:
> > Hi Mark - Thanks.
> > SSLHonorCipherOrder, cna it be configured on Tomcat ?
>
> There would not have been much point telling you about a configuration
> option you could not use would there?
>
> It sounds like you need to spend a few minutes looking over the TLS
> configuration options for the APR/native HTTP connector:
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> Mark
>
>
> >
> > -thanks
> >
> > On Fri, May 20, 2016 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 20/05/2016 12:04, Jan Dosoudil wrote:
> >>> Hi,
> >>> do you have Java Cryptography Extension (JCE) Unlimited Strength
> >>> Jurisdiction Policy Files installed?
> >>
> >> Irrelevant. The OP is using APR / OpenSSL.
> >>
> >> The available ciphers are controlled by the SSLCipherSuite which follows
> >> the OpenSSL config rules for ciphers.
> >>
> >> You can set SSLHonorCipherOrder to enforce the server's preference order
> >> if you wish.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> JD
> >>>
> >>> 2016-05-20 12:50 GMT+02:00 Utkarsh Dave <ut...@gmail.com>:
> >>>
> >>>> Sorry, I missed that information in my earlier mail.
> >>>> Tomcat - 7.0.69 configured for SSL
> >>>> Connector - APR
> >>>> Java - jdk1.7.0_101
> >>>>
> >>>>
> >>>> On Fri, May 20, 2016 at 4:10 PM, Mark Thomas <ma...@apache.org>
> wrote:
> >>>>
> >>>>> On 20/05/2016 11:37, Utkarsh Dave wrote:
> >>>>>> Hi Users and Tomcat team,
> >>>>>>
> >>>>>> Port 8443 on my product is configured for Tomcat and accepts inbound
> >>>>>> traffic from 3rd parties.
> >>>>>> In the TLS handshake, Tomcat chooses TLS_RSA_WITH_AES_256_CBC_SHA
> over
> >>>>> some
> >>>>>> of the more secure cipher options offered by the 3rd party. The
> >>>>>> 3rd party offers a list of 66 cipher suites that include many
> >>>>>> ECDHE and DHE variants. Tomcat configured on my product preferred
> >>>> cipher
> >>>>>> suite is AES256-SHA.
> >>>>>> Can The tomcat be configured for ECDHE and DHE suites must be
> >>>>>> available and preferred?
> >>>>>
> >>>>> Tomcat version?
> >>>>>
> >>>>> Connector type?
> >>>>>
> >>>>> Java version?
> >>>>>
> >>>>> Mark
> >>>>>
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>