Yes, the host is behind an F5 load balacer, but AFAIK it should be passing all the TLS/SSL directly to the real host to handle.
On Thu, May 10, 2018 at 11:23:44PM +0000, Scott Hoenigman wrote: > Are you using a load balancer? > > > >Sent from my T-Mobile 4G LTE Device > > >-------- Original message -------- >From: David Wall <d.w...@computer.org> >Date: 5/10/18 6:15 PM (GMT-06:00) >To: users@tomcat.apache.org >Subject: Re: configuring ciphers for SSL Labs server test > >We're doing good with this: > > <SSLHostConfig certificateVerification="none" >protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true" >ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, >TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, >TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, >TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, >TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, >TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, >TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, >TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, >TLS_DHE_RSA_WITH_AES_128_CBC_SHA, >TLS_DHE_RSA_WITH_AES_256_CBC_SHA, >TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, >TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" > > > > >On 5/10/18 2:45 PM, Baron Fujimoto wrote: >> I'm trying to improve our grade on SSL Labs SSL server test[1] for our >> Tomcat configuraton. Currently, their report caps our grade at B because, >> "This server does not support Authenticated encryption (AEAD) cipher >> suites". They report that we support the following cipher suites: >> >> # TLS 1.2 >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >> >> # TLS 1.1 >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >> >> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are >> using Java 1.8.0_162, and I believe we have the Java Cryptography >> Extension (JCE) properly installed. I have the following connector >> defined (this version explicitly lists ciphers I think should satisfy the >> AEAD cipher requirement[2]): >> >> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" >> address="0.0.0.0" >> port="8443" >> maxThreads="500" >> maxPostSize="100000" >> scheme="https" secure="true" >> defaultSSLHostConfigName="foo.example.edu" >> SSLEnabled="true" > >> <SSLHostConfig hostName="foo.example.edu" >> protocols="TLSv1.1+TLSv1.2+TLS1.3" >> certificateVerification="none" >> honorCipherOrder="true" >> >> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK >> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA >> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA >> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA >> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 >> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 >> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 >> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 >> :!TLS_RSA_WITH_AES_128_CBC_SHA >> :!TLS_RSA_WITH_AES_256_CBC_SHA >> :!TLS_RSA_WITH_AES_128_CBC_SHA256 >> :!TLS_RSA_WITH_AES_256_CBC_SHA256 >> :!TLS_RSA_WITH_AES_128_GCM_SHA256 >> :!TLS_RSA_WITH_AES_256_GCM_SHA384 >> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 >> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 >> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 >> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 >> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 >> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 >> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA >> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA >> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 >> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" > >> <Certificate certificateKeystoreType="pkcs12" >> >> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" > >> </Certificate> >> </SSLHostConfig> >> </Connector> >> >> I've mapped the cipher suite names using the OpenSSL cipher suite name >> list[3]. I originally started with >> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same >> result, so subsequently tried adding the specific ciphers shown above. The >> tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher >> names may be used[4]. >> >> Any suggestions on what I may be doing wrong or for further troubleshooting? >> >> References: >> [1] <https://www.ssllabs.com/ssltest/analyze.html> >> [2] >> <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites> >> [3] >> <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES> >> [4] >> <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig> >> > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >For additional commands, e-mail: users-h...@tomcat.apache.org > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >For additional commands, e-mail: users-h...@tomcat.apache.org > -- Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum desendus pantorum --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
