Harish,

> On 10.10.2017 at 00:00, Harish Krishnan <harish....@gmail.com> wrote:
> 
> Thanks for the response, Chris.
> 
> Below are my answers in order.
> To keep the response as short as possible, I have not included the cipher
> list in the connector:
> 
> a) Tomcat 7.0.79 (will be updating to 7.0.82)
> b) JRE 1.80_144
> c) Our connector configuration is below.
> d) We are using NIO.
> e) I am using a simple Java client that makes a TLS connection to our Tomcat
> on the port below. I am capturing the SSL handshake.
> The way I tested the client preference is: let's take the same example I
> gave in my first email, i.e. the client's preference is ABCDEF and the Tomcat
> server's preference is DEFABC with *useServerCipherSuitesOrder* set to true.
> During the 1st handshake connection, "A" cipher suite was chosen. I removed
> "A" from my tomcat connector, restarted the service, and did the connection
> test again.
> "B" was chosen during this 2nd handshake. Same test was continued and
> observed that CDEF were chosen next in order.
> I am expecting DEFABC as the order of preference as per the
> *useServerCipherSuitesOrder* setting.
> 
I believe that there is a misunderstanding. Your simple client does not seem to 
handle the situation correctly (or not at all).
I think if you request cipher B you will get B.

Please check with an SSL tool like sslyze or testssl.sh. If your site is 
available on the internet, you could try ssllabs.com.

The settings seem to be OK, unless I am missing some incorrect formatting on my 
phone.

HTH,

Peter

> Let me know if I am missing anything or if my understanding is incorrect.
> 
> <Connector
>                id="orion.server.https"
>                acceptCount="100"
>                useServerCipherSuitesOrder="true"
>                ciphers="we have around 20 cipher suites listed..."
>                clientAuth="want"
>                compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>                compression="on"
>                compressionMinSize="2048"
>                disableUploadTimeout="true"
>                enableLookups="false"
>                keystoreFile="keystore/xyz"
>                keystorePass=""
>                maxConnections="500"
>                maxHttpHeaderSize="8192"
>                maxKeepAliveRequests="500"
>                maxThreads="250"
>                minSpareThreads="25"
>                noCompressionUserAgents="gozilla, traviata"
>                port="8443"
>                processorCache="500"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                scheme="https"
>                secure="true"
>                server="Undefined"
>                sessionCacheSize="400"
>                SSLEnabled="true"
>                sslProtocol="TLS"
>                sslEnabledProtocols="TLSv1.1, TLSv1.2"
>                truststoreFile="keystore/xyz"
>                truststorePass=""
>                truststoreType="jks"
>                URIEncoding="UTF-8" />
> 
> 
> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
>> 
>> Harish,
>> 
>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>> Need your expert input here. Not sure what I am doing wrong,  but I
>>> cannot get this server preference cipher suites feature working.
>>> 
>>> My setup: Latest tomcat 7.x build (which supports
>>> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>>> 
>>> No matter what value I set to this attribute (true OR false OR
>>> undefined, which is the default), I always see the client's preference
>>> picked. As an example, if the client's order is ABCDEF and the server's
>>> order is DEFABC, no matter what value I set to this
>>> useServerCipherSuitesOrder attribute, the order selected is always
>>> ABC...
>> 
>> What exact version of Tomcat are you using?
>> What exact version of Java are you using?
>> 
>> Please post your <Connector> configuration, minus any secrets.
>> 
>> Do you know if you are using the BIO, NIO, or APR connector?
>> 
>> How are you determining client-preference?
>> 
>> -chris
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
>> 


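Added example, not code from anyone in the thread: a small model of how a TLS 1.2 server picks a cipher suite from the client's offered list, with and without the server's own order taking precedence, including the "drop the chosen suite and reconnect" experiment described above and the single-suite client Peter suspects; it also carries a live check in the spirit of the sslyze/testssl.sh suggestion. The `host`, `port` and OpenSSL cipher names passed to the live check are assumptions supplied by the caller; the suite letters are the thread's own ABCDEF example.

```python
import socket
import ssl
from typing import Dict, List, Optional, Sequence


def negotiate(client_order: Sequence[str], server_order: Sequence[str],
              use_server_order: bool) -> Optional[str]:
    """Suite a TLS 1.2 server selects: the first entry of the preferred list that
    the other side also offers, or None when nothing is shared."""
    preferred, other = ((server_order, client_order) if use_server_order
                        else (client_order, server_order))
    return next((s for s in preferred if s in other), None)


def eliminate_in_turn(client_order: Sequence[str], server_order: Sequence[str],
                      use_server_order: bool) -> List[str]:
    """The experiment from the thread: handshake, remove the chosen suite from
    the server config, reconnect. Returns the suites in the order chosen."""
    remaining, chosen = list(server_order), []
    while True:
        suite = negotiate(client_order, remaining, use_server_order)
        if suite is None:
            return chosen
        chosen.append(suite)
        remaining.remove(suite)


def server_honours_own_order(host: str, port: int,
                             openssl_names: Sequence[str]) -> Dict[str, object]:
    """Live check (needs network; not exercised by the offline test): offer the
    same suites in opposite orders. Same pick both times means the server applied
    its own preference; a flipped pick means the client's order won. Offer at
    least two suites the server is known to accept, or the result is meaningless."""
    picks: Dict[str, object] = {}
    for label, order in (("forward", list(openssl_names)),
                         ("reversed", list(reversed(openssl_names)))):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # thread uses a private keystore
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() covers TLS<=1.2
        ctx.set_ciphers(":".join(order))
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            picks[label] = tls.cipher()[0]
    picks["server_order_honoured"] = picks["forward"] == picks["reversed"]
    return picks
```

With the thread's lists, `eliminate_in_turn("ABCDEF", "DEFABC", False)` reproduces the observed A, B, C, D, E, F sequence, while a server honouring its own order would have yielded D, E, F, A, B, C; a client offering only "B" gets "B" under either setting.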