Re: Problem specifying cipher suites in tomcat6

2015-06-01 Thread Ramon Pfeiffer

On 29.05.2015 at 23:31, Christopher Schultz wrote:


Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:

On 29.05.2015 21:12, Christopher Schultz wrote:

Ramon,

On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:

On 28.05.2015 at 18:56, Caldarale, Charles R wrote:

From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
Subject: Problem specifying cipher suites in tomcat6



I'm currently trying to specify a list of cipher suites to
be used by my connector in Tomcat 6.0.24.



Can anybody shed some light on what I did wrong?


Using a version of Tomcat that's more than five years old is
the first thing - there have been many, many security fixes
since then, including some related to the ciphers attribute.
You also need to tell us the JVM version, the platform you're
running on, and whether or not APR is in use for this
Connector (it's in the logs).



Sadly, it's a system I inherited last year and now have the
pleasure to work with. I can't update Tomcat for I don't know
what will break.


If you can't upgrade it, you are better-off shutting-down the
service, because there are security vulnerabilities in there.

So, ask your boss which is worse: shuttering the project, or
getting a new version of Tomcat into a testing environment?


Shutting it down is not an option. So I guess next week will be...
interesting.

The important thing is this: Will the connector work in this
configuration after I updated Tomcat? Or is the issue completely
unrelated? Where are the ciphers shown by ssllabs taken from? Is
the cipher attribute ignored?


Lots of things have been fixed/added in more recent versions of Tomcat
6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
even need to deploy your own web application on it; just configure it
for SSL and hit the default web application (the Tomcat
documentation), or the examples, or whatever.



Apparently, I need to correct myself a bit. Tomcat6 is installed via the 
RHEL repositories, the latest version offered by RHEL is 6.0.24:

# yum list tomcat6.x86_64
tomcat6.x86_64  6.0.24-83.el6_6

So it seems as if the latest version of tomcat6 is installed already, 
giving me the cipher suite headaches nonetheless.


Any further ideas?

Thanks,
Ramon





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Ramon Pfeiffer

On 28.05.2015 at 18:56, Caldarale, Charles R wrote:

From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
Subject: Problem specifying cipher suites in tomcat6



I'm currently trying to specify a list of cipher suites to be used by my
connector in Tomcat 6.0.24.



Can anybody shed some light on what I did wrong?


Using a version of Tomcat that's more than five years old is the first thing - there 
have been many, many security fixes since then, including some related to the ciphers 
attribute.  You also need to tell us the JVM version, the platform you're running on, 
and whether or not APR is in use for this Connector (it's in the logs).


Sadly, it's a system I inherited last year and now have the pleasure to 
work with. I can't update Tomcat for I don't know what will break.


Anyway, I'm working on a RHEL6 system. A java -version yields
# java -version
java version 1.7.0_79
OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

APR is not installed.

Thanks,
Ramon





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Ramon Pfeiffer

On 29.05.2015 21:12, Christopher Schultz wrote:
 Ramon,
 
 On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
 On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
 From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de] 
 Subject: Problem specifying cipher suites in tomcat6

 I'm currently trying to specify a list of cipher suites to be
 used by my connector in Tomcat 6.0.24.

 Can anybody shed some light on what I did wrong?

 Using a version of Tomcat that's more than five years old is the
 first thing - there have been many, many security fixes since
 then, including some related to the ciphers attribute.  You also
 need to tell us the JVM version, the platform you're running on,
 and whether or not APR is in use for this Connector (it's in
 the logs).
 
 Sadly, it's a system I inherited last year and now have the
 pleasure to work with. I can't update Tomcat for I don't know what
 will break.
 
 If you can't upgrade it, you are better-off shutting-down the service,
 because there are security vulnerabilities in there.
 
 So, ask your boss which is worse: shuttering the project, or getting a
 new version of Tomcat into a testing environment?

Shutting it down is not an option. So I guess next week will be...
interesting.

The important thing is this: Will the connector work in this
configuration after I updated Tomcat? Or is the issue completely
unrelated? Where are the ciphers shown by ssllabs taken from? Is the
cipher attribute ignored?

Thanks so far for all your responses (and corresponding warnings)!

Ramon





Problem specifying cipher suites in tomcat6

2015-05-28 Thread Ramon Pfeiffer

Hi all,

I'm currently trying to specify a list of cipher suites to be used by my 
connector in Tomcat 6.0.24. However, when testing the connector with 
ssllabs.com, a bunch of ciphers I didn't specify show up.


Here is the connector config:

<Connector
 port="443"
 protocol="HTTP/1.1"
 enableLookups="false"
 SSLEnabled="true"
 scheme="https"
 secure="true"
 clientAuth="false"
 keystoreFile="{omitted}"
 sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
 ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
/>

Just for the sake of the argument, I specified only a single suite.

This is what ssllabs gives me as the list of possible ciphers:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Obviously, this is not what I specified. When configuring
ciphers="ALL"
the result

Can anybody shed some light on what I did wrong?

Thanks for any help.

Best regards
Ramon Pfeiffer

--
Universität Tübingen
Zentrum für Datenverarbeitung

E-Mail: ramon.pfeif...@uni-tuebingen.de





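The question above is whether the ciphers attribute is being ignored. As an added example (not from the thread and not Tomcat's own code), this Java program mirrors what the Tomcat 6.0.x JSSESocketFactory does with that attribute: it keeps only the configured names that the running JVM reports as supported, and when none match it never narrows the socket, so the JSSE default suite list stays in effect. The class name is hypothetical, and the matching and fallback rule is taken from a reading of the 6.0.x JSSESocketFactory source and should be confirmed against the installed build; run it on the same JVM as Tomcat, passing the connector's ciphers value as the argument.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical diagnostic class, not part of Tomcat.
public class TomcatCipherCheck {

    // Mirrors the Tomcat 6.0.x JSSESocketFactory matching rule (assumption to confirm
    // against the installed build): a configured name is enabled only if the JVM lists
    // it as supported; unknown names are silently dropped.
    static List<String> enabledSuites(String ciphersAttribute, String[] supported) {
        Set<String> known = new HashSet<String>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<String>();
        for (String name : ciphersAttribute.split(",")) {
            name = name.trim();
            if (known.contains(name)) {
                enabled.add(name);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // Default to the single suite from the connector in the original post.
        String ciphers = args.length > 0 ? args[0] : "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        String[] supported = factory.getSupportedCipherSuites();
        List<String> enabled = enabledSuites(ciphers, supported);

        System.out.println("java.version=" + System.getProperty("java.version"));
        for (String name : ciphers.split(",")) {
            name = name.trim();
            System.out.println((enabled.contains(name) ? "enabled:     " : "UNSUPPORTED: ") + name);
        }
        if (enabled.isEmpty()) {
            // Nothing matched, so the 6.0.x connector never calls setEnabledCipherSuites
            // and the socket keeps the JSSE defaults; this is the list a scanner would see.
            System.out.println("No configured suite is supported on this JVM; JSSE defaults stay in effect:");
            for (String name : factory.getDefaultCipherSuites()) {
                System.out.println("  " + name);
            }
        }
    }
}
```

If the configured suite prints as UNSUPPORTED, compare the printed default list with what ssllabs reports; a match means the scanner is seeing the JVM defaults rather than the connector's ciphers attribute.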