Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
all the TLS/SSL directly to the real host to handle.
On Thu, May 10, 2018 at 11:23:44PM +0000, Scott Hoenigman wrote:
> Are you using a load balancer?
>
>
>
>Sent from my T-Mobile 4G LTE Device
>
>
>-------- Original message --------
>From: David Wall <d.wall@computer.org>
>Date: 5/10/18 6:15 PM (GMT-06:00)
>To: users@tomcat.apache.org
>Subject: Re: configuring ciphers for SSL Labs server test
>
>We're doing good with this:
>
> <SSLHostConfig certificateVerification="none"
>protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
> >
>
>
>On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>> Tomcat configuraton. Currently, their report caps our grade at B because,
>> "This server does not support Authenticated encryption (AEAD) cipher
>> suites". They report that we support the following cipher suites:
>>
>> # TLS 1.2
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>
>> # TLS 1.1
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>
>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>> Extension (JCE) properly installed. I have the following connector
>> defined (this version explicitly lists ciphers I think should satisfy the
>> AEAD cipher requirement[2]):
>>
>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>> address="0.0.0.0"
>> port="8443"
>> maxThreads="500"
>> maxPostSize="100000"
>> scheme="https" secure="true"
>> defaultSSLHostConfigName="foo.example.edu"
>> SSLEnabled="true" >
>> <SSLHostConfig hostName="foo.example.edu"
>> protocols="TLSv1.1+TLSv1.2+TLS1.3"
>> certificateVerification="none"
>> honorCipherOrder="true"
>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>> :!TLS_RSA_WITH_AES_128_CBC_SHA
>> :!TLS_RSA_WITH_AES_256_CBC_SHA
>> :!TLS_RSA_WITH_AES_128_CBC_SHA256
>> :!TLS_RSA_WITH_AES_256_CBC_SHA256
>> :!TLS_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_RSA_WITH_AES_256_GCM_SHA384
>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >
>> <Certificate certificateKeystoreType="pkcs12"
>> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore"
>
>> </Certificate>
>> </SSLHostConfig>
>> </Connector>
>>
>> I've mapped the cipher suite names using the OpenSSL cipher suite name
>> list[3]. I originally started with
>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
>> result, so subsequently tried adding the specific ciphers shown above. The
>> tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
>> names may be used[4].
>>
>> Any suggestions on what I may be doing wrong or for further troubleshooting?
>>
>> References:
>> [1] <https://www.ssllabs.com/ssltest/analyze.html>
>> [2] <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites>
>> [3] <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES>
>> [4] <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>
--
Baron Fujimoto <baron@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|