Posted to users@tomcat.apache.org by Todd <mi...@gmail.com> on 2017/06/23 16:53:15 UTC

Re: AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

I'm experiencing the exact same issue with 8.5.14 - the cipher list seems to be
ignored regardless of what I put in; SSLLabs, and validating via browser on my
website, show a set of ciphers in use that I have not listed.

I am able to change protocols (for instance, I can remove TLSv1 and the
system correctly makes that change), but any changes to ciphers are
completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
and Standard cipher names, I've put in gibberish.  All end in the exact same
result, no errors in the log and a list of cipher suites that I did not get
to pick.

I've also validated that the ciphers that I want to use are available to
Java - using 1.8
(http://markmail.org/message/zn4namfhypyxum23#query:+page:1+mid:zn4namfhypyxum23+state:results)

Really appreciate help or direction that anyone can give!

Todd

My relevant config:




--
View this message in context: http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064726.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Todd,

On 6/30/17 1:30 PM, Todd wrote:
> Christopher Schultz-2 wrote
>> Yup: if you use iptables (ipchains hasn't been used in ...
>> decades?) to do port-redirection, then you are in fact hitting
>> Tomcat / JVM (essentially) directly.
> 
> Yes - iptables, sorry brain fart.
> 
> 
> Christopher Schultz-2 wrote
>> Can you confirm whether or not you are using the OpenSSL
>> provider?
> 
> How can I verify my provider?
> 
> 
> Christopher Schultz-2 wrote
>> What version of OpenSSL are you using? These cipher suites should
>> have well-known names and numeric identifiers (which is how the
>> TLS handshake works), but it looks like the cipher suite names
>> are somehow being confused.
> 
> OpenSSL 1.0.2g
> 
> 
> Christopher Schultz-2 wrote
>> What happens if you narrow your cipher suite list down to a
>> single cipher? Does ssllabs report just a single available cipher
>> (even if it's not the one you configured)?
>> 
>> - -chris
> 
> Whether I put in a single cipher, literal garbage text, or the list
> that I want - ssllabs reports the same list of ciphers detected as
> I posted above. I also get the same cipher on Chrome that is not in
> the list I'm putting in my configuration as well.

This really sounds like something else is going on.

Are you *sure* that your hostname/IP from the outside world is really
routing to the place you think it is?

-chris



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Todd <mi...@gmail.com>.
Christopher Schultz-2 wrote
> Yup: if you use iptables (ipchains hasn't been used in ... decades?) 
> to do port-redirection, then you are in fact hitting Tomcat / JVM 
> (essentially) directly. 

Yes - iptables, sorry brain fart.


Christopher Schultz-2 wrote
> Can you confirm whether or not you are using the OpenSSL provider?

How can I verify my provider?


Christopher Schultz-2 wrote
> What version of OpenSSL are you using? These cipher suites should have
> well-known names and numeric identifiers (which is how the TLS
> handshake works), but it looks like the cipher suite names are somehow
> being confused.

OpenSSL 1.0.2g


Christopher Schultz-2 wrote
> What happens if you narrow your cipher suite list down to a single
> cipher? Does ssllabs report just a single available cipher (even if
> it's not the one you configured)?
> 
> - -chris

Whether I put in a single cipher, literal garbage text, or the list that I
want - ssllabs reports the same list of ciphers detected as I posted above. 
I also get the same cipher on Chrome that is not in the list I'm putting in
my configuration as well.



--
View this message in context: http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064960.html



AW: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by lo...@kreuser.name.
Todd

>> Peter Kreuser wrote
>>> 
>>> Can you provide a clean configuration that exhibits this behavior?
>>> 
>>> What are you using to test the effective configuration?
>> 
>> Another question: are you sure that you hit the Connector that you
>> configure? Tomcat should be reasonably configured in defaults with a
>> current JDK...
>> 
>> 8443 or the like are not scanned with ssllabs! So it may as well hit an
>> apache on the same machine!
>> 
>> Can you show detail on what ssllabs is complaining about?
>> 
>> Best regards
>> 
>> Peter
> 
> Thank you Peter and Chris.
> 
> I'm utilizing ssllabs to check as well as just going to the site with Chrome
> and looking in developer tools to see the protocol that was selected.
> 
> I understand that 8443 is not a normal port, I'm using ipchains to redirect
> traffic from 443 to 8443.  I believe that traffic is specifically hitting
> this webserver, as changes such as adding SSL or removing TLS 1.0 in the
> configuration file take immediate effect after restarting the Tomcat
> service.
> 
> My current SSLHostConfig looks like this:
> 
>        <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1" 
>            honorCipherOrder="true" 
>            ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_RSA_WITH_AES_256_CBC_SHA256, 
> TLS_RSA_WITH_AES_256_CBC_SHA, 
> TLS_RSA_WITH_AES_128_GCM_SHA256, 
> TLS_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_RSA_WITH_3DES_EDE_CBC_SHA, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"> 
>            <Certificate certificateKeystoreFile="...." 
>                certificateKeystorePassword="...." 
>                type="RSA" /> 
>        </SSLHostConfig>
> 
> But ssllabs reports the following ciphers:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> None of these ciphers are included in my list, and changes to my cipher list
> have no effect at all on what is displayed by ssllabs.
> 
> I'm stuck, so any ideas or guidance is appreciated, thank you!
> -Todd
> 

Tomcat 8.5.14
OpenJDK on Debian stretch 1.8.0_131


Using your conf I get the following - which is exactly what you ask for:

A- with:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)                                                  256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)                                                  256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)                                                     256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)                                                  128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)                                                  128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)                                                     128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH sect571r1 (eq. 15360 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH sect571r1 (eq. 15360 bits RSA)   FS   256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)              WEAK                                        112
These include the numbers Chris is referring to.

- YIKES, do you need 3DES for IE8? Put that last with honorCipherOrder=true then SSLlabs will not punish you in the ranking. 
- the cipher list is not optimal - as you are ranked A- with "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-."
  but we'll work on that later


<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           compression="off"
           scheme="https"
           server="Apache Tomcat"
           secure="true">
   <SSLHostConfig
           hostName="logopk.no-ip.com"
           honorCipherOrder="true"
           certificateVerification="false"
           protocols="TLSv1+TLSv1.1+TLSv1.2"
              ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, 
TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, 
TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_128_CBC_SHA256, 
TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"> 
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
   </SSLHostConfig>

It would be interesting to get more details on the connector and the underlying java version. We can see your SSL provider in the Connector... 

BTW I do a NAT port forwarding from 443 to 8443.

Best regards

Peter


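The two checks Peter's reply above turns on, whether the suite names actually sit in the ciphers attribute rather than in the element body and whether the list a scanner reports overlaps the configured list at all, can be scripted against server.xml. The following is an added example, not code from the Tomcat project or from anyone in this thread. It assumes the server.xml fragment is available as a string (both samples are constructed from the configuration and the ssllabs list posted in the thread, with placeholder keystore values), labels an SSLHostConfig without a hostName attribute as `_default_`, and goes one step beyond the thread by also flagging a weak suite such as 3DES that is listed ahead of stronger ones while honorCipherOrder="true" is set:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the SSLHostConfig posted in the thread, wrapped in a
# Connector, with a placeholder keystore path and password.
ATTRIBUTE_XML = """<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1" honorCipherOrder="true"
      ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
    <Certificate certificateKeystoreFile="/path/to/keystore.jks"
                 certificateKeystorePassword="PLACEHOLDER" type="RSA" />
  </SSLHostConfig>
</Connector>
"""

# Constructed sample 2: the mistake Peter suspected, suite names placed in the
# element body instead of in the ciphers attribute.
BODY_XML = """<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
    TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256
    <Certificate certificateKeystoreFile="/path/to/keystore.jks"
                 certificateKeystorePassword="PLACEHOLDER" type="RSA" />
  </SSLHostConfig>
</Connector>
"""

# Constructed from the thread: the suites ssllabs reported for Todd's host.
OBSERVED = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

SUITE_NAME = re.compile(r"\b(?:TLS|SSL)_[A-Z0-9_]+\b")
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT")


def parse_ciphers(attr):
    """Split Tomcat's ciphers attribute (comma or colon separated, whitespace tolerated)."""
    return [c.strip() for c in re.split(r"[,:]", attr) if c.strip()]


def load_host_configs(xml_text):
    """One dict per SSLHostConfig: configured suites, suite names stranded in the body, order flag."""
    configs = []
    for el in ET.fromstring(xml_text).iter("SSLHostConfig"):
        # Text directly inside the element, and text after each child, is the element body.
        stray = SUITE_NAME.findall(el.text or "")
        for child in el:
            stray += SUITE_NAME.findall(child.tail or "")
        configs.append({
            "hostName": el.get("hostName", "_default_"),  # assumption: label for an unnamed config
            "ciphers": parse_ciphers(el.get("ciphers", "")),
            "stray": stray,
            "honorCipherOrder": el.get("honorCipherOrder", "false").lower() == "true",
        })
    return configs


def compare(configured, observed):
    """Return (observed but not configured, configured but not observed), both sorted."""
    c, o = set(configured), set(observed)
    return sorted(o - c), sorted(c - o)


def weak_before_strong(ciphers):
    """True when a weak suite is followed by a stronger one; with honorCipherOrder=true
    the server's order decides, so weak suites belong at the end."""
    seen_weak = False
    for name in ciphers:
        if any(marker in name for marker in WEAK_MARKERS):
            seen_weak = True
        elif seen_weak:
            return True
    return False


def audit(xml_text, observed):
    """Human-readable findings for every SSLHostConfig in xml_text against a scanner's list."""
    findings = []
    for cfg in load_host_configs(xml_text):
        host = cfg["hostName"]
        if cfg["stray"]:
            findings.append(f"{host}: {len(cfg['stray'])} suite name(s) in the element body, "
                            "not in the ciphers attribute; Tomcat ignores them")
        unexpected, missing = compare(cfg["ciphers"], observed)
        if unexpected:
            findings.append(f"{host}: scanner saw {len(unexpected)} suite(s) that are not "
                            f"configured, e.g. {unexpected[0]}")
        if missing:
            findings.append(f"{host}: {len(missing)} configured suite(s) were never offered")
        if cfg["ciphers"] and not set(cfg["ciphers"]) & set(observed):
            findings.append(f"{host}: no overlap at all; the scanner is probably reaching "
                            "a different listener than this connector")
        if cfg["honorCipherOrder"] and weak_before_strong(cfg["ciphers"]):
            findings.append(f"{host}: honorCipherOrder=true but a weak suite precedes "
                            "stronger ones; move it to the end of the list")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("ciphers in attribute", ATTRIBUTE_XML), ("ciphers in body", BODY_XML)):
        print(f"== {label} ==")
        for finding in audit(xml_text, OBSERVED):
            print(" -", finding)
```

Run against the posted configuration the script reports five unexpected suites, eight configured suites that were never offered, and the 3DES ordering remark; one suite, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, is in fact in both lists, so the "no overlap" finding does not fire for it. The body-text sample triggers the stray-name finding, which is the misconfiguration Peter asked about.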


Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Todd,

On 6/30/17 10:21 AM, Todd wrote:
> Peter Kreuser wrote
>>> 
>>> Can you provide a clean configuration that exhibits this
>>> behavior?
>>> 
>>> What are you using to test the effective configuration?
>> 
>> Another question: are you sure that you hit the Connector that
>> you configure? Tomcat should be reasonably configured in defaults
>> with a current JDK...
>> 
>> 8443 or the like are not scanned with ssllabs! So it may as well
>> hit an apache on the same machine!
>> 
>> Can you show detail on what ssllabs is complaining about?
>> 
>> Best regards
>> 
>> Peter
> 
> Thank you Peter and Chris.
> 
> I'm utilizing ssllabs to check as well as just going to the site
> with Chrome and looking in developer tools to see the protocol that
> was selected.
> 
> I understand that 8443 is not a normal port, I'm using ipchains to
> redirect traffic from 443 to 8443.  I believe that traffic is
> specifically hitting this webserver, as changes such as adding SSL
> or removing TLS 1.0 in the configuration file take immediate effect
> after restarting the Tomcat service.

Yup: if you use iptables (ipchains hasn't been used in ... decades?)
to do port-redirection, then you are in fact hitting Tomcat / JVM
(essentially) directly.

> My current SSLHostConfig looks like this:
> 
> <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1" 
> honorCipherOrder="true" ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, 
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"> <Certificate
> certificateKeystoreFile="...." certificateKeystorePassword="...." 
> type="RSA" /> </SSLHostConfig>

So, with that configuration you should get an NIO connector and, if
libtcnative is nearby, you should get the OpenSSL crypto provider.

> But ssllabs reports the following ciphers: 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> 
> None of these ciphers are included in my list, and changes to my
> cipher list have no effect at all on what is displayed by ssllabs.
> 
> I'm stuck, so any ideas or guidance is appreciated, thank you!

Can you confirm whether or not you are using the OpenSSL provider?

What version of OpenSSL are you using? These cipher suites should have
well-known names and numeric identifiers (which is how the TLS
handshake works), but it looks like the cipher suite names are somehow
being confused.

What happens if you narrow your cipher suite list down to a single
cipher? Does ssllabs report just a single available cipher (even if
it's not the one you configured)?

-chris



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Todd <mi...@gmail.com>.
Peter Kreuser wrote
>> 
>> Can you provide a clean configuration that exhibits this behavior?
>> 
>> What are you using to test the effective configuration?
> 
> Another question: are you sure that you hit the Connector that you
> configure? Tomcat should be reasonably configured in defaults with a
> current JDK...
> 
> 8443 or the like are not scanned with ssllabs! So it may as well hit an
> apache on the same machine!
> 
> Can you show detail on what ssllabs is complaining about?
> 
> Best regards
> 
> Peter

Thank you Peter and Chris.

I'm utilizing ssllabs to check as well as just going to the site with Chrome
and looking in developer tools to see the protocol that was selected.

I understand that 8443 is not a normal port, I'm using ipchains to redirect
traffic from 443 to 8443.  I believe that traffic is specifically hitting
this webserver, as changes such as adding SSL or removing TLS 1.0 in the
configuration file take immediate effect after restarting the Tomcat
service.

My current SSLHostConfig looks like this:

        <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1" 
            honorCipherOrder="true" 
            ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384, 
TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, 
TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_128_CBC_SHA256, 
TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"> 
            <Certificate certificateKeystoreFile="...." 
                certificateKeystorePassword="...." 
                type="RSA" /> 
        </SSLHostConfig>

But ssllabs reports the following ciphers:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

None of these ciphers are included in my list, and changes to my cipher list
have no effect at all on what is displayed by ssllabs.

I'm stuck, so any ideas or guidance is appreciated, thank you!
-Todd



--
View this message in context: http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064952.html



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Peter Kreuser <lo...@kreuser.name>.
Todd,

> On 26.06.2017 at 18:56, Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> 
> Todd,
> 
> On 6/23/17 2:56 PM, Todd wrote:
>> Thank you Peter - I tried that previously, and just to double check
>> tried it again.  No difference at all.  A set of ciphers is being
>> presented that does not match the cipher list that I've included
>> at all.
>> 
>> Any other ideas as to what could be overriding this list?  As
>> mentioned, some things when edited do take effect, like the
>> protocol selection (I can remove TLS, add SSL, etc.); if I have a
>> syntax error, the server won't start and will give an error, but
>> nothing I put in ciphers seems to work.
> 
> Can you provide a clean configuration that exhibits this behavior?
> 
> What are you using to test the effective configuration?

Another question: are you sure that you hit the Connector that you configure? Tomcat should be reasonably configured in defaults with a current JDK...

8443 or the like are not scanned with ssllabs! So it may as well hit an apache on the same machine!

Can you show detail on what ssllabs is complaining about?

Best regards

Peter

> -chris




Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Todd,

On 6/23/17 2:56 PM, Todd wrote:
> Thank you Peter - I tried that previously, and just to double check
> tried it again.  No difference at all.  A set of ciphers is being
> presented that does not match the cipher list that I've included
> at all.
> 
> Any other ideas as to what could be overriding this list?  As
> mentioned, some things when edited do take effect, like the
> protocol selection (I can remove TLS, add SSL, etc.); if I have a
> syntax error, the server won't start and will give an error, but
> nothing I put in ciphers seems to work.

Can you provide a clean configuration that exhibits this behavior?

What are you using to test the effective configuration?

-chris



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by Todd <mi...@gmail.com>.
Todd wrote
>> I'm experiencing the exact same issue with 8.5.14 - the cipher list seems to be
>> ignored regardless of what I put in; SSLLabs, and validating via browser on my
>> website, show a set of ciphers in use that I have not listed.
>> 
>> I am able to change protocols (for instance, I can remove TLSv1 and the
>> system correctly makes that change), but any changes to ciphers are
>> completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
>> and Standard cipher names, I've put in gibberish.  All end in the exact same
>> result, no errors in the log and a list of cipher suites that I did not get
>> to pick.



Peter Kreuser wrote
> From looking at your answer on nabble I see that your ciphers are not in
> an XML attribute of the SSLHostConfig element, but in the body.
> 
> Try
>         
> <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
>             honorCipherOrder="true"
>             ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_GCM_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
>             
> <Certificate certificateKeystoreFile="...."
>                 certificateKeystorePassword="...."
>                 type="RSA" />
>         
> </SSLHostConfig>
> Best regards
> 
> Peter

Thank you Peter - I tried that previously, and just to double check tried it
again.  No difference at all.  A set of ciphers is being presented that does
not match the cipher list that I've included at all.

Any other ideas as to what could be overriding this list?  As mentioned,
some things when edited do take effect, like the protocol selection (I can
remove TLS, add SSL, etc.); if I have a syntax error, the server won't start
and will give an error, but nothing I put in ciphers seems to work.

Thank you
Todd



--
View this message in context: http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064728.html



Re: 8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Posted by lo...@kreuser.name.
Todd,


> On 23.06.2017 at 18:53, Todd <mincus@gmail.com> wrote:
> 
> I'm experiencing the exact same issue with 8.5.14 - the cipher list seems to be
> ignored regardless of what I put in; SSLLabs, and validating via browser on my
> website, show a set of ciphers in use that I have not listed.
> 
> I am able to change protocols (for instance, I can remove TLSv1 and the
> system correctly makes that change), but any changes to ciphers are
> completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
> and Standard cipher names, I've put in gibberish.  All end in the exact same
> result, no errors in the log and a list of cipher suites that I did not get
> to pick.
> 
> I've also validated that the ciphers that I want to use are available to
> Java - using 1.8
> (http://markmail.org/message/zn4namfhypyxum23#query:+page:1+mid:zn4namfhypyxum23+state:results)
> 
> Really appreciate help or direction that anyone can give!
> 
> Todd
> 
> My relevant config:
> 
> 
> 
> 
> --
> View this message in context: http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064726.html
> 
> 


From looking at your answer on nabble I see that your ciphers are not in an XML attribute of the SSLHostConfig element, but in the body.

Try
        <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
            honorCipherOrder="true"
            ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
            <Certificate certificateKeystoreFile="...."
                certificateKeystorePassword="...."
                type="RSA" />
        </SSLHostConfig>
Best regards

Peter