tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: tomcat does not choose the higher curve when EC ciphers are configured
Date Tue, 20 Dec 2016 15:19:13 GMT

manjesh,

On 12/20/16 6:19 AM, manjesh wrote:
> The snippet shown below is the cipher suite configuration. Tomcat
> version 8.026 and JDK 1.8.
> 
> 
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
>            clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2"
>            keystoreFile="work/keystore/keystore.jks" keystorePass="*****"
>            keyAlias="selfsigned.tomcat" keystoreType="JKS"
>            ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
>            useServerCipherSuitesOrder="true" server="APPSERVER"
>            SSLDisableCompression="true" />
> 
> 
> Tested with Nmap.
> 
> Check the server for the supported cipher suites:
> 
> nmap -p 443 --script ssl-enum-ciphers.nse hostname
> 
> The result shows the server supports a few ciphers with curves
> secp160k1, secp192k1, secp224k1, secp256k1, etc.
> 
> Configure Nmap to probe the server with only two curve sizes:
> secp160k1, secp256k1.
> 
> But this time the server selects the cipher supporting secp160k1 but
> not secp256k1, even though secp256k1 is the stronger of the two
> mutually supported curves.
> 
> How do I force the server to select the higher mutually supported
> curve size?

I'm not sure Java allows you to select the specific curve you'd like
to use -- only the cipher suite, which doesn't specify a curve to use.

-chris
