Todd,

On 6/30/17 10:21 AM, Todd wrote:
> Peter Kreuser wrote
>>>
>>> Can you provide a clean configuration that exhibits this
>>> behavior?
>>>
>>> What are you using to test the effective configuration?
>>
>> Another question: are you sure that you hit the Connector that
>> you configure? Tomcat should be reasonably configured in defaults
>> with a current JDK...
>>
>> 8443 or the like are not scanned with ssllabs! So it may as well
>> hit an apache on the same machine!
>>
>> Can you show detail on what ssllabs is complaining about?
>>
>> Best regards
>>
>> Peter
>
> Thank you Peter and Chris.
>
> I'm utilizing ssllabs to check as well as just going to the site
> with Chrome and looking in developer tools to see the protocol that
> was selected.
>
> I understand that 8443 is not a normal port; I'm using ipchains to
> redirect traffic from 443 to 8443. I believe that traffic is
> specifically hitting this webserver, as changes such as adding SSL
> or removing TLS 1.0 in the configuration file take immediate effect
> after restarting the Tomcat service.

Yup: if you use iptables (ipchains hasn't been used in ... decades?)
to do port-redirection, then you are in fact hitting Tomcat / JVM
(essentially) directly.

> My current SSLHostConfig looks like this:
>
> <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
> honorCipherOrder="true" ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
> <Certificate
> certificateKeystoreFile="...." certificateKeystorePassword="...."
> type="RSA" />
> </SSLHostConfig>

So, with that configuration you should get an NIO connector and, if
libtcnative is nearby, you should get the OpenSSL crypto provider.

> But ssllabs reports the following ciphers:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>
> None of these ciphers are included in my list, and changes to my
> cipher list have no effect at all on what is displayed by ssllabs.
>
> I'm stuck, so any ideas or guidance is appreciated, thank you!

Can you confirm whether or not you are using the OpenSSL provider?
What version of OpenSSL are you using?

These cipher suites should have well-known names and numeric
identifiers (which is how the TLS handshake works), but it looks like
the cipher suite names are somehow being confused.

What happens if you narrow your cipher suite list down to a single
cipher? Does ssllabs report just a single available cipher (even if
it's not the one you configured)?

-chris
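A way to run Chris's "one suite at a time" check from your own machine rather than waiting on ssllabs, as an added example that is not code from the Tomcat project or from any of the posters. It diffs the suites in the SSLHostConfig ciphers attribute against the suites the scanner reported, then tries one TLS handshake per suite against the server and records which suite the server actually picks, which tells you quickly whether the connector you are hitting is the one you configured. It assumes Python 3.6+ with the ssl module linked against OpenSSL, an IANA code table copied from RFC 5246/5288/5289 for the names in the thread, and a hostname you administer; HOST below is a constructed placeholder.

```python
"""Compare a Tomcat cipher list with what a scanner sees, then probe suite by suite.

Added example for the thread above (not Tomcat project code). Assumes Python 3.6+
with OpenSSL-backed ssl; HOST/PORT are constructed placeholders.
"""
import socket
import ssl

# IANA cipher-suite codes (RFC 5246, 5288, 5289) for the names used in the thread.
# Tomcat's SSLHostConfig takes IANA names; OpenSSL uses its own, so translate by code.
IANA_IDS = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
    "TLS_RSA_WITH_AES_128_GCM_SHA256": 0x009C,
    "TLS_RSA_WITH_AES_256_GCM_SHA384": 0x009D,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": 0x009E,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": 0xC013,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xC027,
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": 0xC028,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
}

# The ciphers="..." value from the SSLHostConfig quoted in the thread.
CONFIGURED_ATTR = (
    "TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
)
# The suites ssllabs reported, as listed in the thread.
OBSERVED = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def parse_tomcat_ciphers(attr):
    """Split a Tomcat ciphers attribute (comma- or colon-separated) into names."""
    return [n.strip() for n in attr.replace(":", ",").split(",") if n.strip()]


def key_exchange(name):
    """Classify an IANA suite name by key exchange (forward secrecy or not)."""
    kx = name.split("_WITH_", 1)[0]
    return {"TLS_RSA": "RSA (no forward secrecy)",
            "TLS_DHE_RSA": "DHE (forward secrecy)",
            "TLS_ECDHE_RSA": "ECDHE (forward secrecy)"}.get(kx, kx)


def compare(configured, observed):
    """Return (unexpected, missing): observed-but-not-configured, and the reverse."""
    cset, oset = set(configured), set(observed)
    return [s for s in observed if s not in cset], [s for s in configured if s not in oset]


def openssl_names():
    """Map IANA code -> OpenSSL suite name for the suites the local OpenSSL knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL")  # widen beyond Python's default list where permitted
    except ssl.SSLError:
        pass
    # get_ciphers() ids are 0x0300xxxx; the low 16 bits are the IANA code.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def iana_to_openssl(name, table=None):
    """Translate an IANA suite name to the local OpenSSL name, or None if unknown."""
    table = openssl_names() if table is None else table
    return table.get(IANA_IDS.get(name))


def probe(host, port, iana_names, timeout=5.0):
    """One handshake per suite; return {iana_name: negotiated OpenSSL name or None}.

    Certificate verification is disabled on purpose: the question is which suite
    the server picks, not whether its certificate chains to a public CA.
    """
    table, results = openssl_names(), {}
    for name in iana_names:
        ossl = table.get(IANA_IDS.get(name))
        if ossl is None:
            results[name] = None  # local OpenSSL cannot offer this suite at all
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        if hasattr(ctx, "maximum_version"):  # pin to TLS 1.2 so set_ciphers governs
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(ossl)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (ssl.SSLError, OSError):
            results[name] = None  # server (or local policy) refused this suite
    return results


if __name__ == "__main__":
    configured = parse_tomcat_ciphers(CONFIGURED_ATTR)
    unexpected, missing = compare(configured, OBSERVED)
    print("reported by scanner but not configured:")
    for s in unexpected:
        print("  %-42s [%s]" % (s, key_exchange(s)))
    print("configured but not reported:", *missing, sep="\n  ")
    HOST, PORT = "tomcat.example.internal", 8443  # constructed placeholder target
    for name, got in probe(HOST, PORT, configured + unexpected).items():
        print("  %-42s -> %s" % (name, got or "rejected"))
```

If the server accepts suites that are absent from your SSLHostConfig, you are not talking to that connector (or that Tomcat at all); if it accepts only a single suite when you configure a single suite, the connector is yours and the discrepancy is in how the scanner names them.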