tomcat-users mailing list archives

From Max Sevenfold <max.seven....@gmail.com>
Subject Re: Disable low grade encryption
Date Wed, 06 Feb 2008 20:31:21 GMT
Chris,

Thank you. I just got a solution from a colleague. I was going to post it here.

Installing the unlimited strength cryptography policy fixed the problem.

The cipher I posted is from Java 6.

I think all Tomcats with SSL must be running with such a policy now.
Maybe it is good to post it to the Tomcat SSL docs.

Thanks All,
Max

Christopher Schultz wrote:
> Max,
>
> Max Sevenfold wrote:
> |               compression="on"
> |               compressionMinSize="2048"
> |               noCompressionUserAgents="gozilla, traviata"
> |               compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"
>
> Try removing this compression stuff while you get your cipher working.
>
> |               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
> |                            keystoreFile="conf/keystore"
>
> You should definitely use a full path to your keystore.
>
> | JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
>
> Have you checked that SSLSocket.getEnabledCipherSuites returns this
> particular cipher suite? From the javadoc, setting the cipher suite
> arbitrarily could fail:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[])
>
> For instance, when I run this simple program from my command line:
>
> import java.util.Arrays;
> import javax.net.ssl.SSLSocketFactory;
>
> public class CipherSuites
> {
>     public static void main(String[] args)
>     {
>         // Cipher suites the default JSSE socket factory enables by default
>         SSLSocketFactory sslsf = (SSLSocketFactory)SSLSocketFactory.getDefault();
>         String[] ciphers = sslsf.getDefaultCipherSuites();
>
>         Arrays.sort(ciphers);
>
>         for(int i=0; i<ciphers.length; ++i)
>             System.out.println(ciphers[i]);
>     }
> }
>
> ...it emits the following output:
>
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> SSL_DHE_DSS_WITH_DES_CBC_SHA
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> SSL_DHE_RSA_WITH_DES_CBC_SHA
> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
> SSL_RSA_EXPORT_WITH_RC4_40_MD5
> SSL_RSA_WITH_3DES_EDE_CBC_SHA
> SSL_RSA_WITH_DES_CBC_SHA
> SSL_RSA_WITH_RC4_128_MD5
> SSL_RSA_WITH_RC4_128_SHA
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_128_CBC_SHA
>
> Since your desired cipher does not appear in the list of ciphers, it is
> unavailable and your preferences will be ignored.
>
> You may have a different set of cipher suites available (mine comes from
> the Linux build of Sun's 1.5.0_13 JRE), but I think you have to pick
> something you actually have.
>
> It's also possible that Tomcat comes with additional cipher suites. I
> don't know enough about Tomcat to know where those libraries are or how
> to configure them such that this small demo program could pick them up.
>
> You could always run this thing in a JSP and see what it gives you. Then
> you'll know what your options are for use with Tomcat.
>
> -chris
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
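
A diagnostic that combines the two points in this thread, added here as an example (it is not code from either poster or from Tomcat): it reports the AES key length the installed JCE policy allows and whether each requested suite is supported or enabled by default. The class name CipherSuiteCheck and the exit-code convention are assumptions of this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical class name; not part of Tomcat or the original posts.
public class CipherSuiteCheck
{
    public static void main(String[] args) throws NoSuchAlgorithmException
    {
        // Suites to check; defaults to the suite configured in this thread.
        String[] wanted = args.length > 0
            ? args : new String[] { "TLS_RSA_WITH_AES_256_CBC_SHA" };

        // Integer.MAX_VALUE means the installed JCE policy is unlimited;
        // anything below 256 rules out AES-256 keys.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by policy: "
            + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        SSLSocketFactory sslsf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // "Supported" = could be enabled; "default" = enabled without configuration.
        Set<String> supported =
            new HashSet<String>(Arrays.asList(sslsf.getSupportedCipherSuites()));
        Set<String> enabled =
            new HashSet<String>(Arrays.asList(sslsf.getDefaultCipherSuites()));

        boolean allAvailable = true;
        for (String suite : wanted) {
            String status;
            if (enabled.contains(suite)) {
                status = "enabled by default";
            } else if (supported.contains(suite)) {
                status = "supported, but must be enabled explicitly";
            } else {
                status = "NOT AVAILABLE in this JRE";
                allAvailable = false;
                if (suite.contains("_AES_256_") && maxAes < 256) {
                    status += " (policy limits AES to " + maxAes + " bits)";
                }
            }
            System.out.println(suite + ": " + status);
        }
        // Non-zero exit lets a deployment script fail before Tomcat starts.
        System.exit(allAvailable ? 0 : 1);
    }
}
```

Run it with the same JRE that starts Tomcat, since the policy files belong to the JRE installation.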
