Hi (WhoEverYouMayBe - you may want to sign with a name???),
> Server version: Apache Tomcat/8.5.11
> Server built: Jan 10 2017 21:02:52 UTC
> Server number: 8.5.11.0
> OS Name: Linux
> OS Version: 3.10.0-514.16.1.el7.x86_64
> Architecture: amd64
> Java Home: /usr/java/jdk1.8.0_121/jre
> JVM Version: 1.8.0_121-b13
> JVM Vendor: Oracle Corporation
> CATALINA_BASE: /opt/apache-tomcat-8.5.11
> CATALINA_HOME: /opt/apache-tomcat-8.5.11
> Command line argument: -Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.properties
> Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> Command line argument: -Duser.timezone=US/Eastern
> Command line argument: -Xms128m
> Command line argument: -Xmx1024m
> Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
> Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
> Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> Command line argument: -Djavax.net.debug=ssl:handshake
> Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
> Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
> Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp
>
> Have tested this with both 8.5.11 and 8.5.14.
> There are NO logged Exceptions or errors.
> Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2
> Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 and TLSv1.2
> Not being able to turn off TLSv1.0 results in PCI compliance problems.
>
> Each SSLHostConfig needs to be able to support different ciphers, since
> some sites are PCI and some sites support legacy data interfaces.
>
> I couldn't exactly figure out the expected syntax for the protocols, so
> I tried... (9.0 style)
> protocols="+TLSv1.1+TLSv1.2"
> protocols="+TLSv1.1,+TLSv1.2"
> protocols="+TLSv1.1 +TLSv1.2"
> protocols="-TLSv1+TLSv1.1+TLSv1.2"
> protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"
>
> ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfig style).
> These ciphers are NOT in the ciphers list.
> TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS
> TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH sect571r1 (eq. 15360 bits RSA) FS
>
> server.xml Connector snippet (old style - don't get TLSv1.0)
> <Connector executor="tomcatThreadPool"
>            address="192.168.52.13" port="80" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="443" />
>
> <Connector executor="tomcatThreadPool"
>            address="192.168.52.13" port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true" scheme="https" secure="true"
>            keystoreFile="./conf/keystore.jks" keystorePass="mypass"
>            keyAlias="myalias1"
>            clientAuth="false"
>            useServerCipherSuitesOrder="true"
>            sslEnabledProtocols="TLSv1.1,TLSv1.2"
>            ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>            (etc)
>            TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
>
> <Connector executor="tomcatThreadPool"
>            address="192.168.52.15" port="80" protocol="HTTP/1.1"
>            connectionTimeout="20000"
>            redirectPort="443" />
>
> <Connector executor="tomcatThreadPool"
>            address="192.168.52.15" port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true" scheme="https" secure="true"
>            keystoreFile="./conf/keystore.jks" keystorePass="mypass"
>            keyAlias="myalias2"
>            clientAuth="false"
>            useServerCipherSuitesOrder="true"
>            sslEnabledProtocols="TLSv1.1,TLSv1.2"
>            ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>            (etc)
>            TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
>
>
> server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)
> <Connector address="192.168.52.11" port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            SSLEnabled="true" scheme="https" secure="true"
>            defaultSSLHostConfigName="www.mydomain1.com"
>            maxThreads="150" compression="false" enableLookups="false" >
>
> <SSLHostConfig hostName="www.mydomain1.com">
>   <Certificate certificateKeystoreFile="conf/keystore.jks"
>                certificateKeystorePassword="mypass"
>                certificateKeyAlias="mydomain1.com"
>                type="RSA" />
>   honorCipherOrder="true"
>   protocols="+TLSv1.1+TLSv1.2"
>   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>   (etc)
>   TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
> </SSLHostConfig>
>
> <SSLHostConfig hostName="www.mydomain2.com">
>   <Certificate certificateKeystoreFile="conf/keystore.jks"
>                certificateKeystorePassword="mypass"
>                certificateKeyAlias="mydomain2.com"
>                type="RSA" />
>   honorCipherOrder="true"
>   protocols="+TLSv1.1+TLSv1.2"
>   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>   (etc)
>   TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
> </SSLHostConfig>
>
> Thanks in advance for your help !!!
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Apparently the following works, and from my understanding OpenSSL and Java syntax are supported from 8.5 onwards.
sslEnabledProtocols="TLSv1.1, TLSv1.2"   <-- if Java is used
protocols="TLSv1.1+TLSv1.2"              <-- if OpenSSL is used

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           allowTrace="false" maxThreads="150" SSLEnabled="true" compression="on"
           scheme="https" server="Apache Tomcat" secure="true"
           defaultSSLHostConfigName="xxx" >
  <SSLHostConfig honorCipherOrder="true" certificateVerification="false"
                 protocols="TLSv1.1+TLSv1.2"
                 ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS" >
  </SSLHostConfig>

I guess the (etc) is very interesting to know to be able to find the culprit of this finding.

Best regards
Peter
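The protocols syntax the thread went back and forth over, as an added example that is not code from the thread or from Tomcat: a small Python re-implementation of the documented `protocols` token semantics (`,`/`+`/`-` separators, `+` or no prefix adds, `-` removes, `all` expands to a default set), run over a constructed server.xml with one PCI host and one legacy host. The contents of `ALL_PROTOCOLS`, the default of `all` when the attribute is absent, and the host names are assumptions; every protocols value the original poster tried resolves to the same set, so the remaining variable is where the attributes sit and what the elided `(etc)` cipher list contains.

```python
"""Resolve the TLS protocol set each Tomcat SSLHostConfig ends up with.

Added example, not code from the thread or from Tomcat. parse_protocols()
mirrors the documented semantics of the SSLHostConfig 'protocols' attribute:
tokens split on ',', '+' or '-'; '+' or no prefix adds, '-' removes, 'all'
expands to a default set (ALL_PROTOCOLS and the default are assumptions).
"""
import re
import xml.etree.ElementTree as ET

ALL_PROTOCOLS = ("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2")  # assumed (8.5)

def parse_protocols(value):
    """Build the set left to right from an empty set, as Tomcat documents."""
    enabled = set()
    for raw in re.split(r"(?=[-+,])", value):   # separator stays as prefix
        token = raw.strip()
        if len(token) <= 1:                      # empty piece or lone separator
            continue
        op, name = token[0], token[1:].strip()
        if op not in "+-,":                      # bare token means add
            op, name = "+", token
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        if op == "-":
            enabled.difference_update(names)     # unknown name: harmless no-op
        else:
            enabled.update(names)
    return enabled

# Constructed server.xml fragment. protocols/ciphers are attributes of
# <SSLHostConfig> itself, not text placed after the <Certificate/> element.
SERVER_XML = """<Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" defaultSSLHostConfigName="pci.example.test">
    <SSLHostConfig hostName="pci.example.test" honorCipherOrder="true"
                   protocols="TLSv1.1+TLSv1.2">
      <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="legacy.example.test" protocols="all">
      <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service>"""

def audit(xml_text):
    """Map each SSLHostConfig hostName to its resolved protocol set."""
    root = ET.fromstring(xml_text)
    return {h.get("hostName"): parse_protocols(h.get("protocols", "all"))
            for h in root.iter("SSLHostConfig")}
```

Running `audit(SERVER_XML)` shows the PCI host resolved to TLSv1.1 and TLSv1.2 only while the `all` host still carries TLSv1, which is the split-by-host behaviour the original poster needed.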