> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, April 08, 2014 6:27 PM
> To: Tomcat Users List
> Subject: Re: Windows tcnative openssl ciphers question
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Jeffrey,
>
> On 4/7/14, 4:07 PM, Jeffrey Janner wrote:
> > Ok, this is a question for the native libs builders (or whoever knows
> > the answer). Environment: Windows Server 2008 R2, Tomcat
> > 7.0.50 w/APR 1.1.29, Java 1.7.0_51 (all 64-bit). I'm trying to set up
> > a ciphers list that will get me an "A" rating on Qualys' SSL testing
> > tool.
>
> Did you read their guide? Certain factors limit your rating to B no
> matter what else happens. Lots of those factors are quite common in
> real-world deployments.
>

I actually managed to earn an A- rating, since I was only missing the ECDHE support to get Forward Secrecy to work on the IE browser family. At least I had one until the Heartbleed bug raised its ugly head. Now I'm back to "F".

> > I'm using the latest list suggested by MozillaWiki:
> > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
> >
> > However, when I run the test tool, it reports that the server is only
> > supporting the following list:
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> > TLS_RSA_WITH_AES_256_GCM_SHA384
> > TLS_RSA_WITH_AES_128_GCM_SHA256
> > TLS_RSA_WITH_AES_128_CBC_SHA256
> > TLS_RSA_WITH_AES_128_CBC_SHA
> > TLS_RSA_WITH_AES_256_CBC_SHA256
> > TLS_RSA_WITH_AES_256_CBC_SHA
> > TLS_RSA_WITH_RC4_128_SHA
> > TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
> > TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
> > TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
> > TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
> >
> > Notice, none of the ECDHE-based ciphers are showing up in the list.
> > This is apparently what is keeping me from getting that perfect
> > score, as IE wants those ciphers for Forward Security. It ends up
> > taking one of the lower ciphers on the list. Does anyone know, is
> > there a setting that needs to be made to enable those ciphers?
> > Were they turned off in the dev stage? Is it related to my
> > certificate?
> > Running the openssl.exe that comes with the APR binary
> > download shows the ECDHE ciphers in the list. Any help appreciated.
>
> Did you set up the Elliptic-curve parameters? If not, you can't use
> those ciphers.
>

Per someone (Mladen?) the capability wasn't enabled at build. Last notice I received is he's addressing that in the next release.

Jeff
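
The mismatch discussed in this thread (key-exchange families named in the configured OpenSSL cipher string but absent from what the scanner saw the server offer) can be checked mechanically. The following is an added example, not code from the thread or from Tomcat; the function names are hypothetical and the sample inputs are constructed, abridged from the values quoted above.

```python
import re

# Constructed sample input, abridged from the values quoted in the thread.
CONFIGURED = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
              "DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:"
              "DHE-RSA-AES256-SHA:AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:"
              "AES128:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK")
REPORTED = """TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA""".split()

# Leading name components that identify a key exchange in OpenSSL suite names.
KX_PREFIXES = {"ECDHE": "ECDHE", "DHE": "DHE", "EDH": "DHE",
               "ECDH": "ECDH", "DH": "DH", "PSK": "PSK", "SRP": "SRP"}
# Key-exchange selector keywords (kEDH+AESGCM and similar).
KX_KEYWORDS = {"kEDH": "DHE", "kDHE": "DHE", "kEECDH": "ECDHE", "kECDHE": "ECDHE"}
IANA_KX = re.compile(r"TLS_(ECDHE|DHE|ECDH|DH|PSK|SRP|RSA)_")

def configured_kx(cipher_string):
    """Key-exchange families explicitly requested by an OpenSSL cipher string."""
    families = set()
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-+":
            continue                      # exclusions and reordering operators
        head = token.split("+")[0]
        if head in KX_KEYWORDS:
            families.add(KX_KEYWORDS[head])
        elif "-" in token:                # a concrete suite name, not an alias
            first = token.split("-")[0]
            # Suites without a key-exchange prefix use RSA key transport.
            families.add(KX_PREFIXES.get(first, "RSA"))
        # Bare aliases (HIGH, AES128) select many suites; assumption: ignored here.
    return families

def reported_kx(iana_names):
    """Key-exchange families present in scanner-reported IANA suite names."""
    return {m.group(1) for m in map(IANA_KX.match, iana_names) if m}

def missing_families(cipher_string, iana_names):
    """Families requested in configuration that the server never offered."""
    return sorted(configured_kx(cipher_string) - reported_kx(iana_names))

if __name__ == "__main__":
    print("configured but not offered:", missing_families(CONFIGURED, REPORTED))
```

A family that is configured but never offered points at the TLS library build or its parameters rather than at the cipher string, which is the conclusion the thread reaches for ECDHE.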