-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 James,
On 10/4/17 3:44 PM, James H. H. Lampert wrote: > On 10/4/17, 12:26 PM, Christopher Schultz wrote: >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >> >> James, > . . . >> Okay so you are in no way interfering with the defaults. That >> means you'll get (depending upon your exact versions of various >> things) a Tomcat which supports TLSv1 or later, and most of the >> cipher suites that are shown as "default" above. >> >> Your choice of TLS certificate may affect some of the things that >> you can do, but I see that you've got an RSA certificate from the >> output from SSLLabs, so you shouldn't have any problems with a >> DSS certificate or anything like that. (Use of DSS certs these >> days is fairly rare). > . . . >> Strange. I would have expected Tomcat to enable more cipher >> suites with a default configuration given the SSLInfo output >> above. >> >> Are you sure you are using the same Java version with Tomcat as >> you did to run those commands above? > > Dear Mr. Schultz: "Chris" is fine. We're all friends, here. > It sure looks like the same Java version. Here is what the manager > returns: >> Apache Tomcat/8.5.14 (Debian) 1.7.0_151-b01 Oracle Corporation >> Linux 3.16.0-4-amd64 amd64 > > It would definitely be helpful if the OS/400 names of the cipher > suites more precisely matched the Java names. To recap, the QSSLCSL > system value on the AS/400 shows (using the OS/400 naming > conventions) >> *RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5 >> *RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA >> *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA >> *RSA_NULL_MD5 If you know how to "read" cipher suite descriptions, the differences don't matter much. They are all made-up of the following components: 1. protocol (not shown in OpenSSL-style names, like those above) 2. authentication algorithm (usually RSA, ECDH, or ECDHE) 3. bulk (symmetric) cipher algorithm (e.g. RC4, AES-128, 3DES, Camellia) This includes the "block cipher mode e.g. CBC, GCM, etc.) 4. signature algorithm (e.g. MD5, SHA, etc.) The differences between the cipher suite names in different tools comes down to how expressive they are. For example, Java says "SSL_" or "TLS_" before every cipher, but that's largely useless. Some names in different dialects show different levels of detail about the underlying algorithms, or are more readable. Take this one for example. Java (and SSLLabs) calls it "TLS_RSA_WITH_AES_128_CBC_SHA" but the same algorithm is called "RSA_AES_128_CBC_SHA" by OpenSSL and similar tools. It's all still in there.. it's just that OpenSSL doesn't bother with the "TLS_" prefix and the "_WITH_" embedded in the middle. When it all comes down to it, the TLS (nee SSL) spec defines certain cipher suites by "cipher id" which is a numeric, explicitly-defined set of crypto primitives combined into a "cipher suite", which will be negotiated by the client and server when they perform their initial handshake. You can read all the gory details here[1]. For example, the aforementioned RSA_AES_128_CBC_SHA cipher suite is cipher 0x00002F. It doesn't matter what the tool calls it; cipher 0x00002f always has those criteria. Of course, they aren't very readable. That document is a bit out of date, but it does show you how things were back in 2009, and makes you wonder why it took so damned long for The World to adopt TLSv1.2. - -chris [1] https://www.thesprawl.org/research/tls-and-ssl-cipher-suites/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnVR4odHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFiQORAAsV9+BFL06kve1kCU y42ojIStrzWvoE8yKxVxjfTL1DuaGiLMtmiS+/QfeJWL2E5lWCbolA2i+BDJ5wQB 4MH7iVBbKpRxodyDUuoVI9IE3zuYYxe8bQnVbyfkCl8a1WPGTjAURqFTQHJ3UqI4 CGN1LzQrvVBzJ6WjMu8tOTjm5758pJhI3kwfJ/NSw6gOXguhwMC9uTtxhzhBm1TE +vIOCccuqjpo/tAZRBK6OPtBHA5yydQjk+vEpUdvurV+vLlSkV+7bpmymWVZtJKF 4XaDuCglKeHYut2/CcEW3+D2JuCjHH6FD08Qp/ft4NiDNG8gPfrO4KBaXd+dQ6Hq DF6/fvcTQacXpyuPJ5FShXjgd9hweBD4GC1D4pzkdfXtMUtBzlB6PzDNd72Tqq6w Uf3fgfiVnEZ6ObMonGyX7LcxCRh3yWVA/WzgexBbFxk3WNkvM6/vcbk4+CfPuPuF sVnw8OzmxeT5nmyy4oNxiAxM93W0CTxA3yPEN/ETSwKvgVlmWyCfmtP1+lq20OZh JedWCjG4+QmCWk4U1RdKWnl0Dxzk0vTAkrT7REGf084pDc4JiZUjA5/FJgdvq7V6 nDFrkVmXnOaCtk3L0p0NVEodXlqSdOaO/6qF+MqNLIKAdNRgDqRAI4gggM4GlBhf kYqj6DPpSrNxGE0jd0Eub3dB3RA= =iFq6 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
