Actually my mistake, if I use Java 7 it seems I can't connect using openssl.
It seems the secure connection does not even work when I point to Java 7.

The TLS works when I use Java 6, but I'm still stuck with the EXPORT
ciphers.


________________________________________
From: David kerber [dcker...@verizon.net]
Sent: Wednesday, April 15, 2015 1:34 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

On 4/15/2015 1:17 PM, Jason Jesso wrote:
> I am using Java 1.6 on AIX platform.
>
> /usr/java6/bin/java -version
> java version "1.6.0"
> Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
> IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 
> jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
> J9VM - 20131231_180656
> JIT  - r9_20130920_46510ifx3
> GC   - GA24_Java6_SR15_20131231_1152_B180656)
> JCL  - 20140107_01
>
> You think this is the issue?

There's a chance of it, but I don't know how IBM's java versions compare
to Oracle's.  There were quite a few things that changed in late
versions of Java 6 and 7 w.r.t. encryption.

What exact version of java 7 do you have?  IMS, you need a late number
(45, maybe?).


>
> ________________________________________
> From: David kerber [dcker...@verizon.net]
> Sent: Wednesday, April 15, 2015 12:26 PM
> To: Tomcat Users List
> Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)
>
> On 4/15/2015 12:05 PM, Jason Jesso wrote:
>> I have Tomcat 6.0.41 connector set-up with:
>>
>>
>> SSLProtocol="TLSv1.1,TLSv1.2"
>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>            TLS_RSA_WITH_AES_128_CBC_SHA256,
>>            TLS_RSA_WITH_AES_128_CBC_SHA,
>>            TLS_RSA_WITH_AES_256_CBC_SHA256,
>>            TLS_RSA_WITH_AES_256_CBC_SHA"
>>
>>
>> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>>
>>
>> I also test my server using openssl like:
>>
>>
>> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>>
>> SSL-Session:
>>       Protocol  : TLSv1
>>       Cipher    : EXP-EDH-RSA-DES-CBC-SHA
>>       Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
>>       Session-ID-ctx:
>>       Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
>>       Key-Arg   : None
>>       PSK identity: None
>>       PSK identity hint: None
>>       SRP username: None
>>       Start Time: 1429113767
>>       Timeout   : 300 (sec)
>>       Verify return code: 19 (self signed certificate in certificate chain)
>>
>>
>> It still connects with the EXPORT cipher.  I do not know why, since I
>> thought the ciphers I specify in the "ciphers" variable are good.
>>
>>
>>
>> This is my Tomcat start-up:
>>
>> bin/startup.sh
>>
>> Using CATALINA_BASE:   /usr/apache-tomcat-6.0.41
>> Using CATALINA_HOME:   /usr/apache-tomcat-6.0.41
>> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
>> Using JRE_HOME:        /usr/java6
>> Using CLASSPATH:       /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
>
> What exact version of java?  I think that's your issue.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

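The openssl s_client probe quoted in the thread, wrapped as an added check that is not part of the original messages: it extracts the negotiated cipher from the SSL-Session block and flags any EXP- suite. The parser is exercised against constructed samples; the live probe assumes an OpenSSL build that still ships export suites (as the 2015-era one in the thread does) and is meant for the operator's own server.

```sh
#!/bin/sh
# Added check, not from the thread: does a server still negotiate an EXPORT cipher?

# Read openssl s_client output on stdin and print the cipher name from the
# "SSL-Session:" block (e.g. EXP-EDH-RSA-DES-CBC-SHA, or 0000 when no handshake).
negotiated_cipher() {
    awk '/^SSL-Session:/ { in_session = 1 }
         in_session && $1 == "Cipher" { print $3; exit }'
}

# True (0) when the OpenSSL cipher name is an export-grade suite (EXP-...).
is_export_cipher() {
    case "$1" in
        EXP-*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Classify captured s_client output: "VULNERABLE:<cipher>" or "OK".
classify_output() {
    c=$(negotiated_cipher)
    if is_export_cipher "$c"; then echo "VULNERABLE:$c"; else echo "OK"; fi
}

# Live probe of your own server: offer only EXPORT suites and see what is negotiated.
# Requires an OpenSSL build that still includes export suites (modern builds
# reject "-cipher EXPORT" with "no cipher match", which is itself a pass).
# Usage: probe_export_ciphers host port
probe_export_ciphers() {
    openssl s_client -cipher EXPORT -connect "$1:$2" </dev/null 2>/dev/null \
        | classify_output
}

# Constructed samples shaped like the SSL-Session block in the thread.
SAMPLE_VULNERABLE='SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-EDH-RSA-DES-CBC-SHA
    Session-ID: 0000'
SAMPLE_FIXED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: '

# Stand-alone run: probe host:port if given, otherwise show the sample classification.
if [ $# -eq 2 ]; then
    probe_export_ciphers "$1" "$2"
else
    printf '%s\n' "$SAMPLE_VULNERABLE" | classify_output
    printf '%s\n' "$SAMPLE_FIXED" | classify_output
fi
```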


