tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <jonmcalexan...@wellsfargo.com.INVALID>
Subject RE: Connector works fine with Firefox, but not on speaking terms with Chrome!
Date Wed, 05 Aug 2020 21:09:50 GMT
Good job with those tests and good luck with the real site!


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexander@wellsfargo.com


This message may contain confidential and/or privileged information. If you are not the addressee
or authorized to receive this for the addressee, you must not use, copy, disclose, or take
any action based on this message or any information herein. If you have received this message
in error, please advise the sender immediately by reply e-mail and delete this message. Thank
you for your cooperation.


-----Original Message-----
From: James H. H. Lampert <jamesl@touchtonecorp.com> 
Sent: Wednesday, August 5, 2020 3:39 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Connector works fine with Firefox, but not on speaking terms with Chrome!

Jon Mcalexander wrote:

> Most likely then you need to find a cypher list that is valid for TLSv1.2. Such as below:
> 
> ACCEPTABLE
> 
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA256
> 
> IDEAL
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256

I came up with a couple of things to try, while I was at lunch.

First, I did a quick SSLLabs scan on the server. That told me that "sslEnabledProtocols" in
an SSLHostConfig was indeed wrong. And it told me that all simulated Chrome handshakes failed,
but most other simulated handshakes were fine.

Then (directly violating the "change only one variable at a time" 
principle) I set it back to "protocols," *and* cut out the cipher list entirely.

That worked just fine.

The weird part is that so far as I can tell, the cipher list looks
*exactly* like the cipher list in the original Java Keystore version of the connector

I compared the cipher lists given in the SSLLabs reports for three
cases: the new connector with the old cipher list, the new connector with no cipher list at
all, and (using the live version of the server) the old connector with the old cipher list,
and the results were remarkable:

test, no cipher list
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)   WEAK	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)   WEAK	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	128
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)   WEAK	128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)   WEAK	128
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS	128
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)	128
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)	128
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)   WEAK	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)   WEAK	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)   WEAK	256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)   WEAK	256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS	256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)	256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)	256


test, with old cipher list
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)   WEAK	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)   WEAK	128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	128
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)   WEAK	128
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)   WEAK	128
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)   WEAK	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)   WEAK	256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)   WEAK	256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)   WEAK	256


original connector, with old cipher list
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 
bits RSA)   FS   WEAK	128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 
bits RSA)   FS   WEAK	256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp521r1 (eq. 
15360 bits RSA)   FS   WEAK	256

The test with no cipher list produced (I think) five matches with your "acceptable" list,
two of which were also on your "ideal" list.

The test with the old cipher list on the new connector produced only 12 of the 18 on the "no
cipher list" test, none of which were on either of your lists.

And the original connector produced what appears to be a completely different list in the
report, with nothing in common with the other two, or with your lists, and yet it is TLS 1.2-only,
and it seems to get along just fine with Chrome.

This is very weird. But at least we have the test working. The next step is to see if we can
get the real site working.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Mime
View raw message