On 29/11/2023 10:46, Markus Schlegel wrote:
<snip/>
Changing the config to add ":-CBC" to the default config as suggested
by Mark in bugzilla does not have any effect. Still Grade B, 10 weak
out of 12. It seems to me that -CBC might not be a valid option at
all?
Mark got different results when he run the ssllabs tests. That might
be caused by different TLS certificates used? I am using a certificate
created with a RSA-2048bits Key and SHA256withRSA signature algorithm.
No clue if this causes any difference to Mark's setup.
My test was with the default localhost certificate we use for the Tomcat
unit tests (the name mismatch was ignored). It is also has a 2048 bit
key and uses SHA256withRSA for the signature.
Anyone which knows if and how the certificate influences the selection of
possible ciphers?
Yes it does. For TLS < 1.3, the cxipher suite specifies the key exchange
mechanism and that needs to match the server certificate.
Anyone having similar problems?
Anyone successful in excluding all ciphers with "CBC" ?
Forget Tomcat for a minute and try this.
First check which OpenSSL version you are using with
openssl version
I get
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
on the machine I am writing this on but its behaviour is consistent with
results I get with other versions.
Then compare the outputs for
openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'
openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH'
openssl ciphers -v
'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH'
openssl ciphers -v 'DH'
openssl ciphers -v 'ECDH'
My main point is that there is no overlap between DH and ECDH. Your
cipher configuration isn't quite doing what you think it is doing.
You should also test
openssl ciphers -v 'CBC'
Can you share (privately if necessary) the host name of your server. I'd
like to compare the SSL Labs results side by side.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
