tomcat-users mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: Restricting ciphers
Date Wed, 09 Jan 2013 23:27:58 GMT

how does one divine EPR change from APR to AJP or NIO based on keystoreType?
if we use curl --key-type <type> Private key file type (DER/PEM/ENG) 
there is NO relationship to EPR implementation because there is no EPR curl is implementing
what does keystoreType  have to do with the choice of EPR ?

explain this algorithm please
Martin 
______________________________________________ 
do not alter this email communication

> Date: Wed, 9 Jan 2013 12:22:27 -1000
> From: baron@hawaii.edu
> To: users@tomcat.apache.org
> Subject: Re: Restricting ciphers
> 
> On Wed, Jan 09, 2013 at 01:08:01PM +0400, Konstantin Kolinko wrote:
> >2013/1/9 Baron Fujimoto <baron@hawaii.edu>:
> >> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
> >> My understanding is that the attack applies only to CBC ciphers, and that
> >> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
> >> ciphers that Tomcat uses with the following config for a connector:
> >>
> >>   <Connector protocol="HTTP/1.1" SSLEnabled="true"
> >>              address="0.0.0.0"
> >>              port="8443"
> >>              maxThreads="150" scheme="https" secure="true"
> >>              keystoreFile="/path/to/keystore"
> >>              keystoreType="pkcs12"
> >>              ciphers="TLS_RSA_WITH_RC4_128_SHA,
> >>                       TLS_RSA_WITH_RC4_128_MD5,
> >>                       SSL_CK_RC4_128_WITH_MD5"
> >>              clientAuth="false" sslProtocol="TLS" />
> >>
> >> However, when I test this by attempting connections with a script[*] that
> >> iterates through the set of ciphers available to openssl, it appears to
> >> successfully connect with the following set of ciphers:
> >>
> >> AES128-SHA
> >> DES-CBC-SHA
> >> DES-CBC3-SHA
> >> DHE-RSA-AES128-SHA
> >> EDH-RSA-DES-CBC-SHA
> >> EDH-RSA-DES-CBC3-SHA
> >> EXP-DES-CBC-SHA
> >> EXP-EDH-RSA-DES-CBC-SHA
> >> EXP-RC4-MD5
> >> EXP-RC4-MD5
> >> RC4-MD5
> >> RC4-MD5
> >> RC4-SHA
> >>
> >> [*] The script basically parses the output of the following command:
> >>     openssl s_client -cipher "$cipher" -connect $SERVER
> >>
> >> Am I misunderstanding the use of the "ciphers" parameter? Or is there
> >> perhaps something in my testing methodology that accounts for these
> >> unexpected results?  Any advice would be appreciated.
> >>
> >
> >As can be seen from your usage of "keystoreType" attribute, you are
> >using Java implementation of the Connector,  not openssl/APR one.
> >
> >You should look into Java documentation for their cipher names.
> >
> >See this thread from October 2009:
> >http://markmail.org/message/zn4namfhypyxum23
> 
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently.  If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
> 
>   ciphers="SSL_RSA_WITH_RC4_128_MD5,
>            SSL_RSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>            TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDH_RSA_WITH_RC4_128_SHA"
> 
> -baron
> -- 
> Baron Fujimoto <baron@hawaii.edu> :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
> 
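A check for the naming mismatch resolved in this thread, as an added example that is not part of the original messages or of Tomcat's code: it compares a Connector's `ciphers` attribute with the suite names the running JVM's JSSE provider reports. The class name, the helper `unknownNames` and the inline `server.xml` fragment (reduced from the first post's connector) are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class CipherNameCheck {
    // Constructed sample: the connector from the first post, reduced to the relevant attributes.
    static final String SERVER_XML =
        "<Server><Service name=\"Catalina\">"
      + "<Connector port=\"8443\" SSLEnabled=\"true\" keystoreType=\"pkcs12\""
      + " ciphers=\"TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5\"/>"
      + "</Service></Server>";

    /** Returns the configured cipher names that are absent from the JSSE-supported set. */
    static List<String> unknownNames(String ciphersAttr, Set<String> supported) {
        List<String> unknown = new ArrayList<String>();
        for (String name : ciphersAttr.split(",")) {
            String n = name.trim();
            if (!n.isEmpty() && !supported.contains(n)) unknown.add(n);
        }
        return unknown;
    }

    public static void main(String[] args) throws Exception {
        // Names this JVM's JSSE provider knows; the list differs between Java versions.
        Set<String> supported = new HashSet<String>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The config file is parsed as data only: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList connectors = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(SERVER_XML.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagName("Connector");

        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            if (!c.hasAttribute("ciphers")) continue;
            String attr = c.getAttribute("ciphers");
            List<String> unknown = unknownNames(attr, supported);
            System.out.printf("port %s: %d of %d cipher names unknown to JSSE: %s%n",
                c.getAttribute("port"), unknown.size(), attr.split(",").length, unknown);
        }
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported suite names depend on the Java version and provider.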