tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.
Date Mon, 09 Oct 2017 21:19:45 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

James,

On 10/6/17 6:34 PM, James H. H. Lampert wrote:
> On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:
> 
>> It might help to think of it like this:
>> 
>> There are the ciphers that a JVM supports. The JVM only enables
>> sub-set of the supported ciphers are enabled by default. Tomcat
>> with a default configuration only uses a sub-set of the ciphers 
>> that the JVM enables by default. . . . It looks like you have an
>> incompatible set of ciphers configured.
>> 
>> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA
>> is the least worse option. The Java name for this is: 
>> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> I should have tried this DAYS ago. There is also a Tomcat 7 server 
> installed on the Google Cloud server. With no apparent differences
> in the Java list of available and "enabled-by-default" ciphers
> between the two boxes, it's clear that the biggest single
> difference that I'm actually able to do anything about is which
> Tomcat server is running on 443.
> 
> So with both Tomcat servers shut down, I switched Tomcat 7 over to
> port 443, brought it up, and tried connecting to it from the same
> program as before.
> 
> This time, I got a 404. Not the least bit surprising, since the
> webapp context isn't actually installed on the Tomcat 7 server.
> 
> Incidentally, I also tried running the ssllabs.com test on the
> Tomcat 7 server. The results weren't very meaningful: it only
> listed the ECDHE suites, but then again, it only listed the ECDHE
> suites when I tried it on one of our other Tomcat 7 servers.
> 
>> Tomcat with a default configuration only uses a sub-set of the
>> ciphers that the JVM enables by default.
> 
> So is there a way, short of downloading and recompiling Tomcat
> myself, to control what's in that default subset of a default
> subset?

Nope. You can't change the JVM (well, you CAN but it's not worth it)
and you can't change Tomcat's further-restricted list of cipher
suites. But it's got nearly everything you'd actually want in there,
and it's even got some stuff you might actually NOT want in there,
depending upon your level of paranoia.

> Or failing that, is there a way, in my connector tag, to specify
> "Use TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites
> Tomcat 8.5 uses by default"?

No.

> Or do I need to list all the Tomcat 8.5 defaults in a "ciphers"
> clause, along with the TLS_RSA_WITH_AES_256_CBC_SHA?

You need to list everything.

> Noting that my connector tag is written using Tomcat 7 connector
> syntax, is there a good example of how to code a ciphers clause for
> that tag?

Tomcat 8.5+ and 9.0+ can do it... but nobody has written a
command-line tool around that capability. (I could have sworn such a
tool existed already. I guess I'll write one.)


- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb5/AdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh7nA/+Nq5pXhaL9++l2y8b
LSVfaoy5PamsIFvn5paEchot2XfvoE4TXMWb3e5EmVPPk89QLZKn/jMzOukKs/9S
7g4QVtngxEfi9W48poj45abfwMk+Rh2Na4fNIwMLjNFFVYLH1AeuO/hvDk1/Zf0z
mIgqa85OlMuwnpWF3AqWI/KEOi9d9PNOIm2TT8c+lI6WyR99M+FTWtt10Zlv/IFG
7JeSEbKURxkacOlwe6aR7Paa7Wt2LcUldYcAhmYwKJPvHJaYcs1ZdbvPsx2h8j2E
eGBftxjl9+2cx0+5+tkQtl0nAotZmqoX3SsIgeDJWwUdUI/7iLkJMt/d8A1gdGgR
AaCZgW09fn8MpzAaqqOz+FdqpNcldBsiut4o4gv+bUhDQClijvpz/LDKW02eJhEi
6/1U+Eqe5MyXj+zn02Am+z7uoyyU8H1F3QUEN1+OsKH3/AsOCZBwkqeBvig3a8Mb
XXPCOUroDqW4zhvAd8/mk0tuoo2OZ+O3rd/VuZecDU7uuhclvgp7+orhsIwrDL0o
jynVbIm0k2VPHPwDQRAL9scdXc0BGFih8D6tP9JBmIgVHQhHVoqbJkwfo+Zrer/L
cLP7R2iBcg2d2EqYxlMXYmgVf4jnVcGTfn1n2V9Hc6YYhcLIxTF3s37xln2StERB
69veYEnl/qoqo/7IcKp5YrE+kP8=
=w1+P
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message