tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: AW: TCNative 1.2.8 with openssl 1.1.0
Date Wed, 31 Aug 2016 19:17:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 8/31/16 7:21 AM, Mark Thomas wrote:
> On 31/08/2016 12:18, Kreuser, Peter wrote:
>> 
>> Christopher,
>> 
>>> On 8/30/16 10:18 AM, Kreuser, Peter wrote:
>>> 
>>> On 30/08/2016 10:23, Kreuser, Peter wrote:
>>> 
>>> Hi all,
>>> 
>>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd 
>>> proves that it is linked). I have set the cipher string to the 
>>> newly supported ciphers:
>>> 
>>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E
C
>>>
>>> 
DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
>>> 
>>> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
:DHE
>>>
>>> 
- - -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
>>> 
>>> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-R
S
>>>
>>> 
A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E
>>> 
>>> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE
- -RSA
>>>
>>> 
- - -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC
>>> 
>>> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-
G
>>>
>>> 
CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
>>> 
>>> HA:AES256-SHA:DES-CBC3-SHA:!DSS"
>>> 
>>> 
>>> However I cannot connect with eg.
>>> ECDHE-ECDSA-CHACHA20-POLY1305. testssl.sh shows only the old
>>> ciphers from the plain openssl 1.0.2.
>>> 
>>> Tomcat Version 8.5.4 Java 1.8.0_102
>>> 
>>> Anything that I'm missing?
>>> 
>>> Without seeing the full Connector config, don't know.
>>> 
>>> Mark
>>> 
>>> Mark, of course I should have done that:
>>> 
>>> <Connector port="8843" 
>>> protocol="org.apache.coyote.http11.Http11Nio2Protocol" 
>>> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImp
le
>>>
>>> 
mentation"
>>> 
>>> server="Apache Tomcat"
>>> 
>>> allowTrace="false" maxThreads="150" SSLEnabled="true" 
>>> defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol 
>>> className="org.apache.coyote.http2.Http2Protocol" />
>>> <SSLHostConfig honorCipherOrder="true"
>>> insecureRenegotiation="false" hostName="xxx.xxx.net"
>>> protocols="TLSv1.1+TLSv1.2" certificateVerification="false"
>>> disableCompression="true" disableSessionTickets="false" 
>>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E
CD
>>>
>>>
>>> 
HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25
>>> 6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:D
HE-R
>>>
>>> 
SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E
>>> CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:E
CDHE
>>>
>>> 
- - -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-R
SA
>>> -
>>> -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES2
56-S
>>>
>>> 
HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:
>>> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES1
28-S
>>>
>>> 
HA:AES256-SHA:DES-CBC3-SHA:!DSS">
>>> 
>>> 
>>> <Certificate
>>> certificateKeyFile="${catalina.base}/conf/ssl/xxx.key"
>>> 
>>> certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA"
>>> /> </SSLHostConfig> </Connector>
>>> 
>>> 
>>> What client are you using? Hopefully openssl s_client with
>>> 1.1.0 or later. You might want to double-check the client is
>>> capable.
>>> 
>>> - -chris>
>> 
>> testssl.sh is running with an openssl 1.0.2 compiled with
>> CHACHA20-support.
>> 
>> I tried to manually access the website with this version and
>> ECDHE-ECDSA-CHACHA20-POLY1305 without success.
> 
> Don't you need a DSA cert to use that cipher?

Yep. It's used for authentication only -- EDCHE is of course being
used for key exchange.

Nice catch. Peter, this isn't working because this cipher suite can't
be used with your RSA certificate: you'll need a DSA cert.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXxy0vAAoJEBzwKT+lPKRYmFgP/3M8/Lle0Ix7khbZKt991eG2
nOxzLjacdOtkbDfonYfAwQuzQqK55uT3bOFs+zlm8En3E4+4nnmAg3u77AdfN1xT
KyTwHivMhPrH/CJi5glSgyGvu5sfVDe9S2Lc4QBfEzh5Szaugc/pUQEoFtMpo0ZR
9ddcazLdCEJRGucMPWG6ClpVVYMU6g1ZQr0dAOmsuZn7w+rPzMM5gjx3EsCM6jhK
s692+mF4PNe5g3ZGLkEd0apgyevulRKv/zFbiNajRjrHjV6JdQ3T/VusuyC/R0Re
SBwG2DmnPMe8+v491Nvo7q2Z3MqQLqSNvk4kmiXtJKUyAsC6ufMQy61mXA+7PJAR
Rb1tm+szXymtzbnhVjGFv53QkwmiQB5ryOjjtR17e55wHuStGhfrZe64N8hIqM8M
iBJ5rZQS6WY4XMSPWFKwaW8WSXgnyEpVjoEtQcxm+cAImzeLALIydw2SGEC8/wNC
H4YZ4j0mwT02i22YG7+ciPYiyh9CnLryURez5NxKOVC0ePReEtPdu1K+4Zgw+y3/
zIayysLJ+JQ+SUN5ZuTCecjt5y2BxjHfrRwNSAqdyzdLCR4ZfUaRnavGA7FxvwUQ
nJXgYXP0JAqO+pA49oPpVHg1wJbbWxG23EHzBHpw/tMWpbGGHVQReTwv2j0J4UGS
QjqgRBdsQIEJMElKAjkt
=xmOP
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message