tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Disable low grade encryption
Date Wed, 06 Feb 2008 20:09:34 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Max,

Max Sevenfold wrote:
|               compression="on"
|               compressionMinSize="2048"
|               noCompressionUserAgents="gozilla, traviata"
|               compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"


Try removing this compression stuff while you get your cipher working.

|               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
|                            keystoreFile="conf/keystore"

You should definitely use a full path to your keystore.

| JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA

Have you checked that SSLSocket.getEnabledCipherSuites returns this
particular cipher suite? From the javadoc, setting the cipher suite
arbitrarily could fail:

http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[])

For instance, when I run this simple program from my command line:

import java.util.Arrays;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuites
{
    public static void main(String[] args)
    {
        // The JRE's default SSLSocketFactory, i.e. the one Tomcat's JSSE
        // connector gets when no explicit SSLContext is configured
        SSLSocketFactory sslsf =
            (SSLSocketFactory)SSLSocketFactory.getDefault();

        // Cipher suites that are enabled by default on sockets from this factory
        String[] ciphers = sslsf.getDefaultCipherSuites();

        Arrays.sort(ciphers);

        for(int i=0; i<ciphers.length; ++i)
            System.out.println(ciphers[i]);
    }
}

...it emits the following output:

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Since your desired cipher does not appear in the list of ciphers, it is
unavailable and your preferences will be ignored.

You may have a different set of cipher suites available (mine comes from
the Linux build of Sun's 1.5.0_13 JRE), but I think you have to pick
something you actually have.

It's also possible that Tomcat comes with additional cipher suites. I
don't know enough about Tomcat to know where those libraries are or how
to configure them such that this small demo program could pick them up.

You could always run this thing in a JSP and see what it gives you. Then
you'll know what your options are for use with Tomcat.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkeqE/4ACgkQ9CaO5/Lv0PD5AwCfcnlb//GcKGAJtphFTjbmR73a
XUMAnAmtNkqc+Clc42q1yz+lhZh99yIB
=0eAv
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
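The following is an added example, not part of Chris's message or of Tomcat itself. It extends his listing program into a check of a Tomcat-style comma-separated ciphers="..." value against the running JRE: a suite is compared against both getSupportedCipherSuites() (everything the provider can negotiate) and getDefaultCipherSuites() (the subset enabled when nothing is configured), since a suite can be supported yet absent from the default list. Suites whose names mark them as export-grade, NULL, anonymous, single DES, RC4 or MD5-based are flagged as weak. The class name, the CONFIGURED_CIPHERS default and the looksWeak() name rule are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the original post or from Tomcat): check a
 * connector's ciphers="..." value against the JRE's supported and
 * default cipher suite lists and flag obviously weak suites.
 */
public class CheckConfiguredCiphers
{
    // Hypothetical ciphers="..." value; defaults to the suite from the thread.
    static final String CONFIGURED_CIPHERS = "TLS_RSA_WITH_AES_256_CBC_SHA";

    // Name-based heuristic (assumption for this example): export-grade,
    // NULL, anonymous, single DES, RC4 and MD5-based suites are weak.
    // "_DES_" does not match "_3DES_EDE_", so 3DES is not flagged here.
    static boolean looksWeak(String suite)
    {
        String s = suite.toUpperCase();
        return s.contains("_EXPORT")
            || s.contains("_NULL_")
            || s.contains("_ANON_")
            || s.contains("_DES_")
            || s.contains("DES40")
            || s.contains("_RC4_")
            || s.endsWith("_MD5");
    }

    public static void main(String[] args)
    {
        String config = args.length > 0 ? args[0] : CONFIGURED_CIPHERS;

        SSLSocketFactory sslsf =
            (SSLSocketFactory)SSLSocketFactory.getDefault();
        Set<String> supported = new HashSet<String>(
            Arrays.asList(sslsf.getSupportedCipherSuites()));
        Set<String> enabledByDefault = new HashSet<String>(
            Arrays.asList(sslsf.getDefaultCipherSuites()));

        int usable = 0;
        for (String raw : config.split(","))
        {
            String suite = raw.trim();
            if (suite.length() == 0)
                continue;

            String status;
            if (!supported.contains(suite))
            {
                // Not negotiable with this JRE/provider at all
                status = "NOT SUPPORTED by this JRE (will be ignored)";
            }
            else if (!enabledByDefault.contains(suite))
            {
                // Negotiable, but only if the connector enables it explicitly
                status = "supported, off by default (must be listed in ciphers=)";
                usable++;
            }
            else
            {
                status = "supported and enabled by default";
                usable++;
            }
            if (looksWeak(suite))
                status += " [WEAK]";
            System.out.println(suite + ": " + status);
        }

        if (usable == 0)
            System.out.println("None of the configured suites is usable on this JRE.");

        // Which of the suites a default socket would offer look weak?
        String[] defaults = sslsf.getDefaultCipherSuites();
        Arrays.sort(defaults);
        System.out.println("\nWeak suites enabled by default on this JRE:");
        for (int i = 0; i < defaults.length; ++i)
            if (looksWeak(defaults[i]))
                System.out.println("  " + defaults[i]);
    }
}
```

Run it with the same java binary Tomcat starts under, passing the exact ciphers="..." string as the first argument (javac CheckConfiguredCiphers.java && java CheckConfiguredCiphers "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"). One caveat on the JAVA_OPTS line quoted in the thread: https.cipherSuites is a client-side property read by HttpsURLConnection, so it does not restrict what a server-side connector offers; the connector's own ciphers attribute is what governs that.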

