tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Changing Tomcat's SSL ciphers
Date Mon, 02 Mar 2015 22:55:09 GMT
2015-03-03 1:45 GMT+03:00 Eric <campee@gmail.com>:
> I am trying to change the ciphers that my Tomcat 7 server supports. I am
> using the APR connector. Here's the connector information in server.xml
> with the line saying which ciphers to support:
>
>     <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
>                enableLookups="false" disableUploadTimeout="true"
>                connectionTimeout="3000"
>                socketBuffer="122880"
>                maxKeepAliveRequests="1"
>                scheme="https" secure="true"
>                SSLProtocol="TLSv1"
>                SSLEnabled="true"
>                SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
>                SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
>                SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
>                SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

"/>" closes the tag.

Your "SSLCipherSuite" is not an attribute, but plain text that
follows the tag.

The above also misses the "protocol" attribute. If you are using the APR
connector, you had better select it explicitly instead of relying on
autodetection. If autodetection fails, you may end up with plain HTTP
on that port.

> I shut down and started Tomcat back up.
>
> When I scan this server using NMAP and a script that enumerates all of the
> SSL ciphers, I get this result:
>
> $ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
> Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
> Host is up (0.019s latency).
> rDNS record for X.XX.XX.XX: d.mydomain.com
> PORT    STATE SERVICE
> 443/tcp open  https
> | ssl-enum-ciphers:
> |   SSLv3: No supported ciphers found
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
> |       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
> |       TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
> |       TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
> |       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
> |       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
> |       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
> |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
> |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
> |       TLS_DH_anon_WITH_DES_CBC_SHA - broken
> |       TLS_DH_anon_WITH_RC4_128_MD5 - broken
> |       TLS_DH_anon_WITH_SEED_CBC_SHA - broken
> |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> |       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
> |       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> |       TLS_RSA_WITH_DES_CBC_SHA - weak
> |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
> |       TLS_RSA_WITH_RC4_128_MD5 - strong
> |       TLS_RSA_WITH_RC4_128_SHA - strong
> |       TLS_RSA_WITH_SEED_CBC_SHA - strong
> |     compressors:
> |       NULL
> |_  least strength: broken
>
> Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
>
> Why is it still supporting all of those other ciphers? I only told it to
> support one. Am I doing something wrong?
>
> OS/version information:
>
>     CentOS release 6.5 (Final)
>     apr-1.3.9-5.el6_2.x86_64
>     apr-devel-1.3.9-5.el6_2.x86_64
>     apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
> Tomcat, could it be that an option was turned off that prevents changing
> the SSL cipher? How would I check?)
7.0.32?

http://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5
http://tomcat.apache.org/security-7.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
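As an added example (not code from this thread), a small Python check that parses a server.xml and flags the two problems Konstantin points out: an attribute stranded after the closing "/>" and an SSL-enabled Connector with no explicit protocol. The sample XML is constructed from the quoted connector; the Http11AprProtocol class name is the APR connector's and is assumed here, not taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector quoted in the thread: the
# SSLCipherSuite line sits after the "/>" that closes the tag and there is
# no protocol attribute (file paths are placeholders).
BROKEN_XML = """<Server><Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               SSLProtocol="TLSv1" SSLEnabled="true"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
               SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
</Service></Server>"""

# Same connector with the APR protocol named explicitly (assumed class name)
# and the cipher attribute moved inside the tag.
FIXED_XML = """<Server><Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLProtocol="TLSv1" SSLEnabled="true"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
               SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256" />
</Service></Server>"""


def audit_connectors(xml_text):
    """Return (port, problem) findings for every SSLEnabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # Anything written after "/>" is character data, not an attribute;
        # ElementTree exposes it as the element's tail text.
        tail = (conn.tail or "").strip()
        if "=" in tail:
            findings.append((port, "text outside tag: " + tail.split("=")[0].strip()))
        # Without an explicit protocol the connector class is autodetected,
        # so the SSL* settings may not be applied by the class actually used.
        if conn.get("protocol") is None:
            findings.append((port, "no explicit protocol attribute"))
        if conn.get("SSLCipherSuite") is None:
            findings.append((port, "no SSLCipherSuite attribute"))
    return findings
```

Run it against a real server.xml and an empty result for the fixed form is the expected outcome; any "text outside tag" finding means an attribute is being silently ignored.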
