Jeffrey,

On 4/7/14, 4:07 PM, Jeffrey Janner wrote:
> Ok, this is a question for the native libs builders (or whoever
> knows the answer).
>
> Environment: Windows Server 2008 R2, Tomcat 7.0.50 w/APR 1.1.29,
> Java 1.7.0_51 (all 64-bit)
>
> I'm trying to set up a ciphers list that will get me an "A" rating
> on Qualys' SSL testing tool.

Did you read their guide? Certain factors limit your rating to B no
matter what else happens. Lots of those factors are quite common in
real-world deployments.

> I'm using the latest list suggested by MozillaWiki:
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
>
> However, when I run the test tool, it reports that the server is
> only supporting the following list:
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA256
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_256_CBC_SHA256
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_RSA_WITH_RC4_128_SHA
> TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
> TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
>
> Notice, none of the ECDHE-based ciphers are showing up in the list.
> This is apparently what is keeping me from getting that perfect
> score, as IE wants those ciphers for Forward Security. It ends up
> taking one of the lower ciphers on the list. Does anyone know, is
> there a setting that needs to be made to enable those ciphers?
> Were they turned off in the dev stage? Is it related to my
> certificate? Running the openssl.exe that comes with the APR binary
> download shows the ECDHE ciphers in the list. Any help
> appreciated.

Did you set up the Elliptic-curve parameters? If not, you can't use
those ciphers.

- -chris
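A quick way to see what Chris's question is getting at is to compare the SSLCipherSuite string the connector was given with the suite list the scanner actually negotiated, grouped by key exchange. The script below is an added example (not code from the thread, from Tomcat or from Qualys); it classifies suites purely by name pattern, using the two lists quoted above as constructed sample input. OpenSSL keyword macros such as HIGH, AES128 or kEDH+AESGCM cannot be expanded without OpenSSL, so they are reported separately; run `openssl ciphers -v '<string>'` to see what they pull in (HIGH is what brings the CAMELLIA suites into the negotiated list). The result shows zero ECDHE suites despite the config asking for them, so the native TLS library is not offering them at all, which is the EC-parameter problem Chris points at; the script cannot tell you why, only that it is so. The forward-secret suites that did survive are all DHE_RSA, which a Schannel client such as IE of that era does not offer, so IE lands on a static-RSA suite.

```python
"""Audit a TLS cipher-suite list for forward secrecy and ECDHE coverage.

Added example for the thread above; not Jeffrey's or Chris's code and not
part of Tomcat or tcnative.  Classification is by name pattern only:
  * IANA names as reported by SSL Labs, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  * OpenSSL names as used in SSLCipherSuite, e.g. ECDHE-RSA-AES128-GCM-SHA256
Macros (HIGH, AES128, kEDH+AESGCM, !aNULL ...) are flagged, not expanded.
"""
import re

IANA_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")

# Ciphers/MACs that SSL Labs and most hardening guides treat as weak.
WEAK_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5")

# Constructed sample input: the two lists quoted in the thread.
MOZILLA_SUITES = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)
REPORTED = [
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
]


def classify_iana(name):
    """Return (key-exchange family, forward_secret, weak) for a TLS_*_WITH_* name."""
    m = IANA_RE.match(name)
    if not m:
        raise ValueError("not an IANA suite name: %r" % name)
    kx, cipher = m.group("kx"), m.group("cipher")
    if kx.startswith("ECDHE_"):
        family = "ECDHE"
    elif kx.startswith("DHE_"):
        family = "DHE"
    else:
        family = kx                      # RSA, ECDH_RSA, PSK, ... (no forward secrecy)
    return family, family in ("ECDHE", "DHE"), any(w in cipher for w in WEAK_MARKERS)


def classify_openssl(token):
    """Same triple for one SSLCipherSuite token; macros give ("MACRO", None, None)."""
    if token[:1] in "!-+" or "+" in token or "-" not in token:
        return "MACRO", None, None       # HIGH, AES128, kEDH+AESGCM, !aNULL ...
    if token.startswith("ECDHE-"):
        family = "ECDHE"
    elif token.startswith(("DHE-", "EDH-")):
        family = "DHE"
    elif token.startswith(("ADH-", "AECDH-")):
        family = "ANON"
    elif token.startswith("ECDH-"):
        family = "ECDH"                  # static ECDH, no forward secrecy
    else:
        family = "RSA"                   # plain RSA key transport
    return family, family in ("ECDHE", "DHE"), any(w in token for w in WEAK_MARKERS)


def audit(reported):
    """Summarise what the scanner saw the server actually negotiate."""
    summary = {"ECDHE": 0, "DHE": 0, "static": 0, "no_fs": [], "weak": []}
    for name in reported:
        family, fs, weak = classify_iana(name)
        if fs:
            summary[family] += 1
        else:
            summary["static"] += 1
            summary["no_fs"].append(name)
        if weak:
            summary["weak"].append(name)
    return summary


def missing_families(ssl_cipher_suite, reported):
    """Key-exchange families the config asks for that the scanner never saw."""
    asked = {classify_openssl(t)[0] for t in ssl_cipher_suite.split(":")}
    got = {classify_iana(n)[0] for n in reported}
    return sorted(f for f in asked - got if f != "MACRO")


if __name__ == "__main__":
    print(audit(REPORTED))
    print("configured but never negotiated:", missing_families(MOZILLA_SUITES, REPORTED))
    print("macros to expand with `openssl ciphers -v`:",
          [t for t in MOZILLA_SUITES.split(":") if classify_openssl(t)[0] == "MACRO"])
```

Running it against the thread's lists prints eight DHE and nine static-RSA suites, no ECDHE, RC4 as the one weak suite still on offer, and "ECDHE" as the only configured family that never appeared. Once the native library does offer ECDHE, rerun the scan and expect the ECDHE count to go positive before worrying about ordering.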