tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: configuring ciphers for SSL Labs server test
Date Fri, 11 May 2018 06:39:25 GMT
On 11/05/18 03:35, Baron Fujimoto wrote:
> Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
> all the TLS/SSL directly to the real host to handle.

You don't say which Tomcat version is being used. I assume one of the
8.5.x versions since the 8.5.x docs are referenced.

8.5.x should get an A from SSLLabs with the default configuration:
https://wiki.apache.org/tomcat/Security/Ciphers

I recently updated that page but 8.5.x was getting a A two years ago as
well.

Are you sure Java 8 is being used?

Mark


> 
> On Thu, May 10, 2018 at 11:23:44PM +0000, Scott Hoenigman wrote:
>> Are you using a load balancer?
>>
>>
>>
>> Sent from my T-Mobile 4G LTE Device
>>
>>
>> -------- Original message --------
>> From: David Wall <d.wall@computer.org>
>> Date: 5/10/18 6:15 PM (GMT-06:00)
>> To: users@tomcat.apache.org
>> Subject: Re: configuring ciphers for SSL Labs server test
>>
>> We're doing good with this:
>>
>>         <SSLHostConfig certificateVerification="none"
>> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>>         >
>>
>>
>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>>> Tomcat configuraton. Currently, their report caps our grade at B because,
>>> "This server does not support Authenticated encryption (AEAD) cipher
>>> suites". They report that we support the following cipher suites:
>>>
>>> # TLS 1.2
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>
>>> # TLS 1.1
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>
>>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>>> Extension (JCE) properly installed. I have the following connector
>>> defined (this version explicitly lists ciphers I think should satisfy the
>>> AEAD cipher requirement[2]):
>>>
>>>      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>                 address="0.0.0.0"
>>>                 port="8443"
>>>                 maxThreads="500"
>>>                 maxPostSize="100000"
>>>                 scheme="https" secure="true"
>>>                 defaultSSLHostConfigName="foo.example.edu"
>>>                 SSLEnabled="true" >
>>>          <SSLHostConfig hostName="foo.example.edu"
>>>                         protocols="TLSv1.1+TLSv1.2+TLS1.3"
>>>                         certificateVerification="none"
>>>                         honorCipherOrder="true"
>>>                         ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>>                                 :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>                                 :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>                                 :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>                                 :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>                                 :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>                                 :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>                                 :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>>                                 :!TLS_RSA_WITH_AES_128_CBC_SHA
>>>                                 :!TLS_RSA_WITH_AES_256_CBC_SHA
>>>                                 :!TLS_RSA_WITH_AES_128_CBC_SHA256
>>>                                 :!TLS_RSA_WITH_AES_256_CBC_SHA256
>>>                                 :!TLS_RSA_WITH_AES_128_GCM_SHA256
>>>                                 :!TLS_RSA_WITH_AES_256_GCM_SHA384
>>>                                 :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>                                 :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>                                 :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>>                                 :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
>>>                                 :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>>                                 :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>>                                 :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>>>                                 :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>>                                 :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>                                 :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>                                 :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>                                 :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>                                 :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>                                 :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>                                 :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>                                 :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>>                                 :TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>                                 :TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>                                 :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>                                 :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >
>>>              <Certificate certificateKeystoreType="pkcs12"
>>>                           certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore"
>
>>>              </Certificate>
>>>          </SSLHostConfig>
>>>      </Connector>
>>>
>>> I've mapped the cipher suite names using the OpenSSL cipher suite name
>>> list[3]. I originally started with
>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
>>> result, so subsequently tried adding the specific ciphers shown above. The
>>> tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
>>> names may be used[4].
>>>
>>> Any suggestions on what I may be doing wrong or for further troubleshooting?
>>>
>>> References:
>>> [1] <https://www.ssllabs.com/ssltest/analyze.html>
>>> [2] <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites>
>>> [3] <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES>
>>> [4] <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message