Jeffrey,
EECDH/ECDHE is disabled in tcnative-1.dll. There is already a request to
enable it. Take a look at:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55915
-Ognjen
On 8.4.2014 0:07, Jeffrey Janner wrote:
Ok, this is a question for the native libs builders (or whoever knows the
answer).
Environment: Windows Server 2008 R2, Tomcat 7.0.50 w/APR 1.1.29, Java 1.7.0_51
(all 64-bit)
I'm trying to set up a ciphers list that will get me an "A" rating on Qualys'
SSL testing tool.
I'm using the latest list suggested by MozillaWiki:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
However, when I run the test tool, it reports that the server is only
supporting the following list:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
Notice that none of the ECDHE-based ciphers are showing up in the list. This is
apparently what is keeping me from getting that perfect score, as IE wants
those ciphers for Forward Security. It ends up taking one of the lower
ciphers on the list.
Does anyone know, is there a setting that needs to be made to enable those
ciphers? Were they turned off in the dev stage? Is it related to my
certificate?
Running the openssl.exe that comes with the APR binary download shows the ECDHE
ciphers in the list.
Any help appreciated.
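The two checks Jeffrey did by hand (reading the Qualys suite list for ECDHE entries, and running the bundled openssl.exe to confirm the library itself knows the ECDHE suites) can be scripted. The following is an added example, not code from the thread, Tomcat or tcnative: it classifies the IANA-style suite names Qualys reported by key exchange, and uses Python's ssl module against the locally linked OpenSSL to show which suites from the same Mozilla cipher string that build would actually enable (the equivalent of `openssl ciphers -v '<string>'`). The suite lists are copied from the post; the function names are my own. It does not talk to a server, so it says nothing about what a given Tomcat connector negotiates, only whether the gap is in the cipher string or in the library/connector.

```python
import ssl

# Cipher string from the post (Mozilla's recommended list at the time), in the
# OpenSSL syntax the APR connector's SSLCipherSuite attribute takes.
MOZILLA_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)

# Suites the Qualys scan reported for the server, copied from the post (IANA names).
QUALYS_REPORT = [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
]


def key_exchange(name):
    """Classify one suite by its key exchange, accepting both the IANA form
    Qualys prints (TLS_ECDHE_RSA_WITH_...) and the OpenSSL form used in cipher
    strings and `openssl ciphers -v` (ECDHE-RSA-...)."""
    n = name.upper()
    if n.startswith("TLS_"):                       # IANA/RFC style (also TLS 1.3 names)
        body = n[4:]
        if body.startswith("ECDHE_"):
            return "ECDHE"
        if body.startswith("DHE_"):
            return "DHE"
        if body.startswith("RSA_"):
            return "RSA"                           # static RSA key transport: no forward secrecy
        if body.startswith(("AES_", "CHACHA20_")):
            return "TLSv1.3"                       # TLS 1.3 suites are always ephemeral
        return "other"                             # static ECDH, PSK, anonymous, ...
    if n.startswith("ECDHE-"):
        return "ECDHE"
    if n.startswith(("DHE-", "EDH-")):
        return "DHE"
    if n.startswith(("AES", "RC4", "CAMELLIA", "DES")):
        return "RSA"                               # OpenSSL names with no kex prefix are RSA kex
    return "other"


def forward_secrecy_report(names):
    """Count suites per key exchange and flag what a scanner would penalise."""
    counts = {"ECDHE": 0, "DHE": 0, "RSA": 0, "TLSv1.3": 0, "other": 0}
    for n in names:
        counts[key_exchange(n)] += 1
    counts["forward_secret"] = counts["ECDHE"] + counts["DHE"] + counts["TLSv1.3"]
    counts["rc4"] = sum(1 for n in names if "RC4" in n.upper())
    return counts


def local_suites(cipher_string):
    """Suites the OpenSSL linked into this Python enables for the cipher string.
    This mirrors checking the bundled openssl.exe: it shows what the library can
    do, not what a particular connector build (e.g. tcnative) exposes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)                 # raises SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("scanner saw:", forward_secrecy_report(QUALYS_REPORT))
    local = local_suites(MOZILLA_CIPHERS)
    print("local OpenSSL enables:", forward_secrecy_report(local))
    print("ECDHE suites available locally:",
          [n for n in local if key_exchange(n) == "ECDHE"])
```

If the local library lists ECDHE suites but the scan shows none, the cipher string is not the problem; the suites are being dropped between the library and the connector, which is the situation Ognjen's reply points at. A scan result with forward_secret == 0 and rc4 > 0 is what to expect from a build that silently falls back to RSA key transport.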