tomcat-users mailing list archives

From manjesh <manjes...@gmail.com>
Subject Re: tomcat does not choose the higher curve when EC ciphers are configured
Date Tue, 20 Dec 2016 15:22:48 GMT
Thanks. I believe that, as part of cipher negotiation, the server (Tomcat)
should do this rather than the provider (JDK/SunJC).

On Tue, Dec 20, 2016 at 8:49 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> manjesh,
>
> On 12/20/16 6:19 AM, manjesh wrote:
> > The snippet shown below is the cipher-suite configuration, Tomcat
> > version 8.026 and JDK 1.8.
> >
> > <Connector port="443"
> >            protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
> >            clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
> >            keystoreFile="work/keystore/keystore.jks" keystorePass="*****"
> >            keyAlias="selfsigned.tomcat" keystoreType="JKS"
> >            ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
> >            useServerCipherSuitesOrder="true" server="APPSERVER"
> >            SSLDisableCompression="true" />
> >
> >
> > Tested with Nmap
> >
> > Check the server for the supported cipher suites.
> >
> > nmap -p 443 --script ssl-enum-ciphers.nse hostname
> >
> > The result shows the server supports a few ciphers with curves
> > secp160k1, secp192k1, secp224k1, secp256k1, etc.
> >
> > Configure Nmap to probe the server with only two curve sizes:
> > secp160k1, secp256k1.
> >
> > But this time the server selects a cipher supporting secp160k1 but
> > not secp256k1, even though secp256k1 is the mutually stronger one
> > compared to secp160k1.
> >
> > How to force the server to select the mutually existing higher curve
> > size?
>
> I'm not sure Java allows you to select the specific curve you'd like
> to use -- only the cipher suite, which doesn't specify a curve to use.
>
> -chris
>
