tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: tomcat does not choose the higher curve when EC ciphers are configured
Date Tue, 20 Dec 2016 17:40:06 GMT
On 20/12/2016 15:22, manjesh wrote:
> thanks. I believe as a part of cipher negotiation the server (tomcat)
> should do this rather than the provider (JDK/SunJC)

What is your basis for that believe?

You need to point to the Java documentation that a) states this is the
case and b) describes the API Tomcat should be using to do this.

Mark

> 
> On Tue, Dec 20, 2016 at 8:49 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
> manjesh,
> 
> On 12/20/16 6:19 AM, manjesh wrote:
>>>> Below shown snippet is the ciphersuite configuration. Tomcat
>>>> version 8.026 and JDK 1.8
>>>>
>>>>
>>>> <Connector port="443"
>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>> maxThreads="150"  scheme="https" secure="true" SSLEnabled="true"
>>>> clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2"
>>>> ke ystoreFile="work/keystore/keystore.jks" keystorePass="*****"
>>>> keyAlias="selfsigned.tomcat" keystoreType="JKS"
>>>> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA
>>>> _WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_
>>>> SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_
>>>> AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_
>>>> RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
>>>> useServerCipherSuitesOrder="true"  server="APPSERVER"
>>>> SSLDisableCompression="true"  />
>>>>
>>>>
>>>> Tested with Nmap
>>>>
>>>> Check the server for the supported cipher suites.
>>>>
>>>> nmap -p 443 --script ssl-enum-ciphers.nse hostname
>>>>
>>>> The result shows server supports few ciphers with curves
>>>> secp160k1,secp192k1, secp224k 1,secp256k1..etc
>>>>
>>>> configure Nmap to probe the server with only two curve sizes
>>>> secp160k1,secp256k1
>>>>
>>>> But this time  server  selects cipher supporting secp160k1  but
>>>> not secp256k1 even though secp256k1 is mutually stronger one than
>>>> secp160k1
>>>>
>>>> How to enforce server to select the  mutually existing higher curve
>>>> size?
> 
> I'm not sure Java allows you to select the specific curve you'd like
> to use -- only the cipher suite, which doesn't specify a curve to use.
> 
> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message