tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: AW: Outbound SSL?
Date Sat, 01 Jun 2019 00:30:34 GMT

James,

On 5/31/19 18:41, James H. H. Lampert wrote:
> On 5/31/19, 3:34 AM, bernd.schatz@daimler.com wrote:
>> You can run a small java program on your jvm to print out the
>> supported and default protocols. Yet, I didn’t find a better
>> way.
>> 
>> e.g. ==> 
>> https://confluence.atlassian.com/stashkb/list-ciphers-used-by-jvm-679609085.html
>>
>
>> 
> If I set the same JAVA_HOME as Tomcat was launched under, and
> compile and run "Ciphers.java" from the above site, on the customer
> box, I get:
> 
>> Default Cipher SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SH *
>> SSL_DHE_DSS_WITH_AES_128_CBC_SHA *
>> SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 
>> SSL_DHE_DSS_WITH_AES_128_GCM_SHA256 *
>> SSL_DHE_DSS_WITH_AES_256_CBC_SHA *
>> SSL_DHE_DSS_WITH_AES_256_CBC_SHA256 
>> SSL_DHE_DSS_WITH_AES_256_GCM_SHA384 SSL_DHE_DSS_WITH_DES_CBC_SHA 
>> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA *
>> SSL_DHE_RSA_WITH_AES_128_CBC_SHA *
>> SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 
>> SSL_DHE_RSA_WITH_AES_128_GCM_SHA256 *
>> SSL_DHE_RSA_WITH_AES_256_CBC_SHA *
>> SSL_DHE_RSA_WITH_AES_256_CBC_SHA256 
>> SSL_DHE_RSA_WITH_AES_256_GCM_SHA384 SSL_DHE_RSA_WITH_DES_CBC_SHA 
>> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 
>> SSL_DH_anon_WITH_AES_128_CBC_SHA 
>> SSL_DH_anon_WITH_AES_128_CBC_SHA256 
>> SSL_DH_anon_WITH_AES_128_GCM_SHA256 
>> SSL_DH_anon_WITH_AES_256_CBC_SHA 
>> SSL_DH_anon_WITH_AES_256_CBC_SHA256 
>> SSL_DH_anon_WITH_AES_256_GCM_SHA384 SSL_DH_anon_WITH_DES_CBC_SHA 
>> *       SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA *
>> SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
>> SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 *
>> SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA *
>> SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
>> SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 
>> SSL_ECDHE_ECDSA_WITH_NULL_SHA *
>> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA *
>> SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
>> SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 *
>> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA *
>> SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
>> SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
>> SSL_ECDHE_RSA_WITH_NULL_SHA *
>> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA *
>> SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
>> SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 *
>> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA *
>> SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 
>> SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 
>> SSL_ECDH_ECDSA_WITH_NULL_SHA *
>> SSL_ECDH_RSA_WITH_AES_128_CBC_SHA *
>> SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256 
>> SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256 *
>> SSL_ECDH_RSA_WITH_AES_256_CBC_SHA *
>> SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384 
>> SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384 SSL_ECDH_RSA_WITH_NULL_SHA 
>> SSL_ECDH_anon_WITH_AES_128_CBC_SHA 
>> SSL_ECDH_anon_WITH_AES_256_CBC_SHA SSL_ECDH_anon_WITH_NULL_SHA 
>> SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 
>> SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA SSL_KRB5_WITH_DES_CBC_MD5 
>> SSL_KRB5_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 
>> SSL_RSA_FIPS_WITH_DES_CBC_SHA *
>> SSL_RSA_WITH_AES_128_CBC_SHA *
>> SSL_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_AES_128_GCM_SHA256 *
>> SSL_RSA_WITH_AES_256_CBC_SHA *
>> SSL_RSA_WITH_AES_256_CBC_SHA256 SSL_RSA_WITH_AES_256_GCM_SHA384 
>> SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 
>> SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_SHA256 *
>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Other than the fact that none of those start with TLS_ like all modern
cipher suites do, the above looks okay.

> FOR COMPARISON PURPOSES, what we get on our box is:
>> Default Cipher *       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA *
>> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA *
>> SSL_DHE_DSS_WITH_AES_128_CBC_SHA *
>> SSL_DHE_DSS_WITH_AES_256_CBC_SHA *
>> SSL_DHE_DSS_WITH_DES_CBC_SHA *
>> SSL_DHE_DSS_WITH_RC4_128_SHA *
>> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA *
>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA *
>> SSL_DHE_RSA_WITH_AES_128_CBC_SHA *
>> SSL_DHE_RSA_WITH_AES_256_CBC_SHA *
>> SSL_DHE_RSA_WITH_DES_CBC_SHA 
>> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 
>> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 
>> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 
>> SSL_DH_anon_WITH_AES_128_CBC_SHA 
>> SSL_DH_anon_WITH_AES_256_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA 
>> SSL_DH_anon_WITH_RC4_128_MD5 SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5 
>> SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA 
>> SSL_KRB5_EXPORT_WITH_RC4_40_MD5 SSL_KRB5_EXPORT_WITH_RC4_40_SHA 
>> SSL_KRB5_WITH_3DES_EDE_CBC_MD5 SSL_KRB5_WITH_3DES_EDE_CBC_SHA 
>> SSL_KRB5_WITH_DES_CBC_MD5 SSL_KRB5_WITH_DES_CBC_SHA 
>> SSL_KRB5_WITH_RC4_128_MD5 SSL_KRB5_WITH_RC4_128_SHA *
>> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA *
>> SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 *
>> SSL_RSA_EXPORT_WITH_RC4_40_MD5 *
>> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA *
>> SSL_RSA_FIPS_WITH_DES_CBC_SHA *
>> SSL_RSA_WITH_3DES_EDE_CBC_SHA *
>> SSL_RSA_WITH_AES_128_CBC_SHA *
>> SSL_RSA_WITH_AES_256_CBC_SHA *       SSL_RSA_WITH_DES_CBC_SHA 
>> SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA *
>> SSL_RSA_WITH_RC4_128_MD5 *       SSL_RSA_WITH_RC4_128_SHA

Almost all of the above cipher suites are useless.

Anything starting with SSL_*_DSS uses DSS authentication which is used
by exactly nobody. Same thing with KRB5 -- nobody is using Kerberos
for TLS/SSL. Everyone uses either RSA or Elliptic Curve certificates.

Anything containing _anon_, EXPORT, FIPS, RC4, or MD5 should be
eliminated as providing weak or actually-useless security.

Anything containing NULL means that there is no encryption. Duh.

So we are left with this list:

> *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA *
> SSL_DHE_RSA_WITH_AES_128_CBC_SHA *
> SSL_DHE_RSA_WITH_AES_256_CBC_SHA *
> SSL_DHE_RSA_WITH_DES_CBC_SHA *
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA *
> SSL_RSA_FIPS_WITH_DES_CBC_SHA *
> SSL_RSA_WITH_3DES_EDE_CBC_SHA *       SSL_RSA_WITH_AES_128_CBC_SHA 
> *       SSL_RSA_WITH_AES_256_CBC_SHA *
> SSL_RSA_WITH_DES_CBC_SHA

All of those use SHA1 signatures which are no longer considered
secure. That means that basically none of these cipher suites are
acceptable for a modern security posture.

Here's what we have enabled at $work for production:

Supported Protocol Cipher
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA256
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_GCM_SHA256
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_256_GCM_SHA384
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 Accepted  TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 Accepted  TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 Accepted  TLSv1.1 TLS_RSA_WITH_AES_256_CBC_SHA
 Accepted  TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted  TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 Accepted    TLSv1 TLS_RSA_WITH_AES_256_CBC_SHA
 Accepted    TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
 Accepted    TLSv1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

There are some cipher suites in there with _SHA at the end. Those are
in there for ancient browsers that simply can't do modern protocols,
and they are prioritized to the bottom of the list.

But everything else is pretty good IMO.

SSLLabs/Qualys still complains about every one of those except these two:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

... calling the others "weak". I think that's because they consider
anything that isn't using ECDHE+GCM to be "weak". Well, it's the best
we can do right now without going up to TLSv1.3.

Anyhow, if the client (or the server) is being run with any decent
kind of TLS configuration, then the second list of supported cipher
suites shown above will simply not be able to connect.

Assuming that you are using the built-in Java JSSE provider, then the
problem is that your Java version is just too old: you need a newer
version of Java to get better cipher suites.

You never said what version(s) of Java you are using. You also didn't
mention whether or not you had installed the "Unlimited Strength
Cipher" patch that you really should install for older versions of
Java. You have to re-install that patch every time you upgrade Java
(until you get to a recent version, where they removed that stupid
cipher strength limitation).

Hope that helps,
- -chris
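
Added example, not part of the original message and not the Ciphers.java from the linked Atlassian page: a small program that lists the suites the running JVM supports and marks each one using the elimination rules given in the message above (DSS, KRB5, _anon_, EXPORT, FIPS, RC4, MD5, NULL, then a trailing _SHA). The class name CipherAudit and the verdict labels are assumptions made for this example; the code avoids newer language features so it also compiles on old JDKs.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherAudit {
    // Name fragments the message says to eliminate outright.
    private static final String[] REJECT = {
        "_DSS_", "KRB5", "_anon_", "EXPORT", "FIPS", "RC4", "MD5", "NULL"
    };

    /** Classify one suite name by the rules given in the message (labels are this example's own). */
    static String classify(String suite) {
        if (suite.endsWith("_SCSV")) return "signal";   // signalling value, not a real suite
        for (String marker : REJECT) {
            if (suite.contains(marker)) return "reject(" + marker + ")";
        }
        if (suite.endsWith("_SHA")) return "sha1";      // suite name ends in plain _SHA
        return "ok";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        Set<String> enabled = new LinkedHashSet<String>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("protocols         = " + Arrays.toString(supported.getProtocols()));
        // 128 here means the limited-strength policy files are still in place.
        System.out.println("max AES key (bit) = " + Cipher.getMaxAllowedKeyLength("AES"));

        int usable = 0;
        for (String suite : supported.getCipherSuites()) {
            String verdict = classify(suite);
            boolean on = enabled.contains(suite);
            if (on && verdict.equals("ok")) usable++;
            // "*" marks suites enabled by default, as in the listings quoted above.
            System.out.printf("%s %-16s %s%n", on ? "*" : " ", verdict, suite);
        }
        System.out.println("default-enabled suites passing every rule: " + usable);
    }
}
```

Compile and run it with the same JAVA_HOME that Tomcat was launched under, so the output describes the JSSE provider Tomcat actually uses for outbound connections.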
