Hmm, I'm now getting an A grade using:
<SSLHostConfig hostName="cas-dev.its.hawaii.edu"
protocols="TLSv1.1+TLSv1.2+TLS1.3"
certificateVerification="none"
honorCipherOrder="true"
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!PSK" >
If I'm sufficiently motivated next week, I'll see if I can sort out exactly what
the deal was. But for now, it's Friday and pau hana time...
(yes, tomcat 8.5.x and Java 1.8_x)
On Fri, May 11, 2018 at 07:39:25AM +0100, Mark Thomas wrote:
>On 11/05/18 03:35, Baron Fujimoto wrote:
>> Yes, the host is behind an F5 load balacer, but AFAIK it should be passing
>> all the TLS/SSL directly to the real host to handle.
>
>You don't say which Tomcat version is being used. I assume one of the
>8.5.x versions since the 8.5.x docs are referenced.
>
>8.5.x should get an A from SSLLabs with the default configuration:
>https://wiki.apache.org/tomcat/Security/Ciphers
>
>I recently updated that page but 8.5.x was getting a A two years ago as
>well.
>
>Are you sure Java 8 is being used?
>
>Mark
>
>
>>
>> On Thu, May 10, 2018 at 11:23:44PM +0000, Scott Hoenigman wrote:
>>> Are you using a load balancer?
>>>
>>>
>>>
>>> Sent from my T-Mobile 4G LTE Device
>>>
>>>
>>> -------- Original message --------
>>> From: David Wall <d.w...@computer.org>
>>> Date: 5/10/18 6:15 PM (GMT-06:00)
>>> To: users@tomcat.apache.org
>>> Subject: Re: configuring ciphers for SSL Labs server test
>>>
>>> We're doing good with this:
>>>
>>> <SSLHostConfig certificateVerification="none"
>>> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true"
>>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
>>> >
>>>
>>>
>>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our
>>>> Tomcat configuraton. Currently, their report caps our grade at B because,
>>>> "This server does not support Authenticated encryption (AEAD) cipher
>>>> suites". They report that we support the following cipher suites:
>>>>
>>>> # TLS 1.2
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>
>>>> # TLS 1.1
>>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>>
>>>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are
>>>> using Java 1.8.0_162, and I believe we have the Java Cryptography
>>>> Extension (JCE) properly installed. I have the following connector
>>>> defined (this version explicitly lists ciphers I think should satisfy the
>>>> AEAD cipher requirement[2]):
>>>>
>>>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>> address="0.0.0.0"
>>>> port="8443"
>>>> maxThreads="500"
>>>> maxPostSize="100000"
>>>> scheme="https" secure="true"
>>>> defaultSSLHostConfigName="foo.example.edu"
>>>> SSLEnabled="true" >
>>>> <SSLHostConfig hostName="foo.example.edu"
>>>> protocols="TLSv1.1+TLSv1.2+TLS1.3"
>>>> certificateVerification="none"
>>>> honorCipherOrder="true"
>>>>
>>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>>>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>>> :!TLS_RSA_WITH_AES_128_CBC_SHA
>>>> :!TLS_RSA_WITH_AES_256_CBC_SHA
>>>> :!TLS_RSA_WITH_AES_128_CBC_SHA256
>>>> :!TLS_RSA_WITH_AES_256_CBC_SHA256
>>>> :!TLS_RSA_WITH_AES_128_GCM_SHA256
>>>> :!TLS_RSA_WITH_AES_256_GCM_SHA384
>>>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>>> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
>>>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
>>>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
>>>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>>>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>>> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>>>> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>>>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>>>> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>>>> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>>>> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>>> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >
>>>> <Certificate certificateKeystoreType="pkcs12"
>>>>
>>>> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" >
>>>> </Certificate>
>>>> </SSLHostConfig>
>>>> </Connector>
>>>>
>>>> I've mapped the cipher suite names using the OpenSSL cipher suite name
>>>> list[3]. I originally started with
>>>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same
>>>> result, so subsequently tried adding the specific ciphers shown above. The
>>>> tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher
>>>> names may be used[4].
>>>>
>>>> Any suggestions on what I may be doing wrong or for further
>>>> troubleshooting?
>>>>
>>>> References:
>>>> [1] <https://www.ssllabs.com/ssltest/analyze.html>
>>>> [2]
>>>> <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites>
>>>> [3]
>>>> <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES>
>>>> [4]
>>>> <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig>
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
