Posted to users@tomcat.apache.org by Román Valoria <ro...@gmail.com> on 2016/09/21 10:18:20 UTC

Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Dear all:

I need to configure Tomcat 7.0.65 with Java 6, both 64-bit.

I have managed to make it work with update 121 using the SSL protocol
TLS 1.2.

Now I need to exert some control over the cipher suites used on that
protocol.

I am unable to come up with the list of supported cipher suite names to use.

Both JRE and JDK are in:

https://support.oracle.com/epmos/faces/PatchResultsNDetails?patchId=9553040

I am using both the Java 6 and 7 documentation to come up with the cipher
suite names:

Java Cryptography Architecture Sun Providers Documentation
<http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html>


Java PKCS#11 Reference Guide
<http://docs.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html#ALG>


Standard Algorithm Name Documentation
<http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Cipher>


Java Cryptography Architecture Oracle Providers Documentation
<http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider>


As per the above I even tried downloading the Java Cryptography Extension
for Java 6 from:

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy
Files 6
<http://www.oracle.com/technetwork/java/embedded/embedded-se/downloads/jce-6-download-429243.html>


But that is for 32-bit and failed anyway.

Am I missing something?

Thanks and regards.

Re: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Posted by Harrie Robins <ha...@eyequestion.nl>.
Please see: https://community.qualys.com/thread/11882
Disable the weak ciphers.

The Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy is needed when you want to run AES256 (you want this).

Regards,

Harrie


AW: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Posted by "Kreuser, Peter" <pk...@airplus.com>.
Roman,

> On 21/09/2016 11:22, Román Valoria wrote:
> > Before anyone tells me, I cannot upgrade either Tomcat or Java to the
> > latest major release.
> > 
> > My setup is running on Windows Server 2008 R2 64-bit OS.
> 
> What configuration have you tried?
> 
> How do you know it didn't work?
> 
> Mark
> 

I have had good experiences with SSLInfo.java (https://gist.github.com/MikeN123/8810553). That will provide you with the possible Ciphers in your JRE.
Converting a good openssl cipher string to Java syntax can be found on http://blog.bitmelt.com/2013/11/tomcat-ssl-hardening.html

Given Java6, you will not have many working options. Most browsers will limit usage of old ciphers. Plus you lose TLS 1.1/1.2.

Best regards

Peter 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
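
Added example, not part of any message in this thread: a small class, written in Java 6 compatible syntax, that lists the cipher suite names the running JRE supports, reports the maximum AES key length (128 indicates the limited policy files are in place), and checks a comma-separated list intended for the connector's ciphers attribute against the supported names. The class name CipherCheck and the helper unsupported() are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name); uses only standard JSSE/JCE calls.
public class CipherCheck {

    // Returns the names in 'wanted' that the JRE's default JSSE provider does not support.
    static Set<String> unsupported(String[] wanted, String[] supported) {
        Set<String> missing = new LinkedHashSet<String>();
        for (String w : wanted) {
            String name = w.trim();
            if (name.length() > 0) {
                missing.add(name);
            }
        }
        missing.removeAll(Arrays.asList(supported));
        return missing;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        String[] supported = f.getSupportedCipherSuites();
        Set<String> enabled =
            new LinkedHashSet<String>(Arrays.asList(f.getDefaultCipherSuites()));

        System.out.println("java.version     = " + System.getProperty("java.version"));
        // 128 = limited policy files; Integer.MAX_VALUE = unlimited strength policy.
        System.out.println("max AES key bits = " + Cipher.getMaxAllowedKeyLength("AES"));

        // Every name the provider knows, marked by whether it is on by default.
        for (String s : supported) {
            System.out.println((enabled.contains(s) ? "enabled    " : "supported  ") + s);
        }

        // Optional argument: the comma-separated value planned for the ciphers attribute.
        if (args.length > 0) {
            Set<String> missing = unsupported(args[0].split(","), supported);
            System.out.println(missing.isEmpty()
                ? "all requested suites are supported"
                : "not supported by this JRE: " + missing);
        }
    }
}
```

Compile and run it with the same 64-bit JRE that Tomcat is started with, since the supported list depends on that JRE's providers and installed policy files.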


AW: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Posted by "Kreuser, Peter" <pk...@airplus.com>.
Roman,

>I know it did not work because as soon as I add the ciphers entry to the
>SSL HTTPS connector in the server.xml file, it tells me that value is not
>supported.
>
>On Wed, Sep 21, 2016 at 6:45 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 21/09/2016 11:22, Román Valoria wrote:
>> > Before anyone tells me, I cannot upgrade either Tomcat or Java to the
>> > latest major release.
>> >
>> > My setup is running on Windows Server 2008 R2 64-bit OS.
>>
>> What configuration have you tried?
>>
>> How do you know it didn't work?
>>
>> Mark
>>
Would you mind sharing your connector configuration and the ciphers you chose?

Peter

Re: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Posted by Román Valoria <ro...@gmail.com>.
I know it did not work because as soon as I add the ciphers entry to the
SSL HTTPS connector in the server.xml file, it tells me that value is not
supported.

On Wed, Sep 21, 2016 at 6:45 PM, Mark Thomas <ma...@apache.org> wrote:

> On 21/09/2016 11:22, Román Valoria wrote:
> > Before anyone tells me, I cannot upgrade either Tomcat or Java to the
> > latest major release.
> >
> > My setup is running on Windows Server 2008 R2 64-bit OS.
>
> What configuration have you tried?
>
> How do you know it didn't work?
>
> Mark
>

Re: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Posted by Mark Thomas <ma...@apache.org>.
On 21/09/2016 11:22, Román Valoria wrote:
> Before anyone tells me, I cannot upgrade either Tomcat or Java to the
> latest major release.
> 
> My setup is running on Windows Server 2008 R2 64-bit OS.

What configuration have you tried?

How do you know it didn't work?

Mark



Re: Tomcat 7.0.65 + Java 6 Update 121 64-bit - Cipher Suite Names

Posted by Román Valoria <ro...@gmail.com>.
Before anyone tells me, I cannot upgrade either Tomcat or Java to the
latest major release.

My setup is running on Windows Server 2008 R2 64-bit OS.
