Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

Wed, 15 Apr 2015 10:36:17 -0700 

On 4/15/2015 1:17 PM, Jason Jesso wrote:

I am using Java 1.6 on AIX plaform.

/usr/java6/bin/java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 
jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
J9VM - 20131231_180656
JIT  - r9_20130920_46510ifx3
GC   - GA24_Java6_SR15_20131231_1152_B180656)
JCL  - 20140107_01

You think this is the issue?
There's a chance of it, but I don't know how IBM's java versions compare to Oracle's. There were quite a few things that changed in late versions of Java 6 and 7 w.r.t. encryption.
What exact version of java 7 do you have? IMS, you need a late number (45, maybe?). 




________________________________________
From: David kerber [dcker...@verizon.net]
Sent: Wednesday, April 15, 2015 12:26 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

On 4/15/2015 12:05 PM, Jason Jesso wrote:

I have Tomcat 6.0.41 connector set-up with:


SSLProtocol="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA256,
           TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_RSA_WITH_AES_256_CBC_SHA"


We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".


I also test my server using openssl like:


openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null

SSL-Session:
      Protocol  : TLSv1
      Cipher    : EXP-EDH-RSA-DES-CBC-SHA
      Session-ID: 
552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
      Session-ID-ctx:
      Master-Key: 
28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
      Key-Arg   : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      Start Time: 1429113767
      Timeout   : 300 (sec)
      Verify return code: 19 (self signed certificate in certificate chain)


It still connects with the EXPORT cipher.  I do not know why, since I thought the ciphers 
I specify in the "ciphers" variable is good.



This is my Tomcat start-up:

bin/startup.sh

Using CATALINA_BASE:   /usr/apache-tomcat-6.0.41
Using CATALINA_HOME:   /usr/apache-tomcat-6.0.41
Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
Using JRE_HOME:        /usr/java6
Using CLASSPATH:       /usr/apache-tomcat-6.0.41/bin/bootstrap.jar


What exact version of java?  I think that's your issue.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to