Re: Disable low grade encryption

2008-02-06 Thread Max Sevenfold

Chris,

I already posted the solution.

I had to set the unlimited strength cryptography policy.

The unlimited strength JCE is available from Sun on the same download page as the JDK.
There are 2 jar files that must be copied into $JDK_HOME/jre/lib/security

It is so simple.

Regards,
Max

Christopher Schultz wrote:


Max,

Max Sevenfold wrote:
| Chris,
|
| Thank You. I just got solution from colleague. I was going to post it
| here.

Yes, please post your solution, including complete instructions.

Post it under a new thread so folks who haven't been reading this one
will see it. Also, specifically suggest that this information be added
to the SSL Howto.

-chris

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







Re: Disable low grade encryption

2008-02-06 Thread Christopher Schultz


Max,

Max Sevenfold wrote:
| Chris,
|
| Thank You. I just got solution from colleague. I was going to post it
| here.

Yes, please post your solution, including complete instructions.

Post it under a new thread so folks who haven't been reading this one
will see it. Also, specifically suggest that this information be added
to the SSL Howto.

-chris




Re: Disable low grade encryption

2008-02-06 Thread Max Sevenfold

Chris,

Thank you. I just got the solution from a colleague. I was going to post it here.

Installing the unlimited strength cryptography policy fixed the problem.

The cipher I posted is from Java 6.

I think all Tomcats with SSL must be running with such a policy now.
Maybe it would be good to post it to Tomcat's SSL docs.

Thanks All,
Max

Christopher Schultz wrote:


Max,

Max Sevenfold wrote:
|   compression="on"
|   compressionMinSize="2048"
|   noCompressionUserAgents="gozilla, traviata"
|   compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"

Try removing this compression stuff while you get your cipher working.

|   ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
|keystoreFile="conf/keystore"

You should definitely use a full path to your keystore.

| JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA

Have you checked that SSLSocket.getEnabledCipherSuites returns this
particular cipher suite? From the javadoc, setting the cipher suite
arbitrarily could fail:

http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[])

For instance, when I run this simple program from my command line:

import java.util.Arrays;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuites
{
    public static void main(String[] args)
    {
        SSLSocketFactory sslsf =
            (SSLSocketFactory)SSLSocketFactory.getDefault();
        // Cipher suites this JVM enables by default
        String[] ciphers = sslsf.getDefaultCipherSuites();

        Arrays.sort(ciphers);

        // Print one suite per line
        for(int i=0; i<ciphers.length; ++i)
            System.out.println(ciphers[i]);
    }
}





Re: Disable low grade encryption

2008-02-06 Thread Christopher Schultz


Max,

Max Sevenfold wrote:
|   compression="on"
|   compressionMinSize="2048"
|   noCompressionUserAgents="gozilla, traviata"
|   compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"

Try removing this compression stuff while you get your cipher working.

|   ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
|keystoreFile="conf/keystore"

You should definitely use a full path to your keystore.

| JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA

Have you checked that SSLSocket.getEnabledCipherSuites returns this
particular cipher suite? From the javadoc, setting the cipher suite
arbitrarily could fail:

http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[])

For instance, when I run this simple program from my command line:

import java.util.Arrays;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuites
{
    public static void main(String[] args)
    {
        SSLSocketFactory sslsf =
            (SSLSocketFactory)SSLSocketFactory.getDefault();
        // Cipher suites this JVM enables by default
        String[] ciphers = sslsf.getDefaultCipherSuites();

        Arrays.sort(ciphers);

        // Print one suite per line
        for(int i=0; i<ciphers.length; ++i)
            System.out.println(ciphers[i]);
    }
}


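Added example, not part of any poster's message: the check suggested above (is the configured suite actually available to the JVM?) combined with the cause reported elsewhere in this thread (the JCE policy files limiting key strength). The class name CipherSuiteCheck is hypothetical, and the program assumes it is run with the same JDK that starts Tomcat.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLServerSocketFactory;

// Added example, not code from the thread. CipherSuiteCheck is a hypothetical name.
// Run it with the same JDK (same JAVA_HOME) that starts Tomcat.
public class CipherSuiteCheck
{
    // True when the suite's bulk cipher needs a 256-bit AES key.
    static boolean needsAes256(String suite)
    {
        return suite.contains("AES_256");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException
    {
        // Suite from the connector's ciphers attribute posted in the thread;
        // pass another name as the first argument to test it instead.
        String wanted = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA";

        // Key-size ceiling imposed by the installed JCE policy files.
        // Integer.MAX_VALUE means the unlimited strength policy is active.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean policyOk = !needsAes256(wanted) || maxAes >= 256;

        // Tomcat's Java connector accepts connections through a server socket,
        // so ask the server-side factory what it supports and enables by default.
        SSLServerSocketFactory f =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> supported = Arrays.asList(f.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(f.getDefaultCipherSuites());

        System.out.println("Suite requested:        " + wanted);
        System.out.println("Max AES key length:     "
            + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));
        System.out.println("Supported by this JVM:  " + supported.contains(wanted));
        System.out.println("Enabled by default:     " + enabled.contains(wanted));

        if (!policyOk)
            System.out.println("JCE policy limits AES below 256 bits: install the "
                + "unlimited strength policy jars in $JDK_HOME/jre/lib/security");

        // Non-zero exit lets a deployment script stop before Tomcat starts
        // with a ciphers list the JVM cannot honour.
        System.exit(policyOk && supported.contains(wanted) ? 0 : 1);
    }
}
```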



Re: Disable low grade encryption

2008-02-05 Thread Max Sevenfold

Chris,

tomcat 6.0.14
java 6

  
  compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"
  ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
  keystoreFile="conf/keystore"
  keystorePass="changeit"
  keystoreType="PKCS12"
/>

I added
JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
to catalina.sh also

Thanks,
Max

Christopher Schultz wrote:


Max,

Max Sevenfold wrote:
| Right now I am using pure Java solution with keystore.
| I am debating to move to APR.

What version of Tomcat are you using? Can you post your 
configuration from server.xml? That would be very helpful in diagnosing
your problem.

-chris




Re: Disable low grade encryption

2008-02-05 Thread Christopher Schultz


Max,

Max Sevenfold wrote:
| Right now I am using pure Java solution with keystore.
| I am debating to move to APR.

What version of Tomcat are you using? Can you post your 
configuration from server.xml? That would be very helpful in diagnosing
your problem.

-chris




Re: Disable low grade encryption

2008-02-05 Thread Max Sevenfold
Right now I am using a pure Java solution with a keystore.
I am debating whether to move to APR.

Thanks,
Max


On Feb 5, 2008 5:21 PM, Christopher Schultz <[EMAIL PROTECTED]>
wrote:

> Max,
>
> Max Sevenfold wrote:
> | I would like to disable low grade encryption in Tomcat.
>
> Are you using Tomcat's native APR library?
>
> -chris


Re: Disable low grade encryption

2008-02-05 Thread Christopher Schultz


Max,

Max Sevenfold wrote:
| I would like to disable low grade encryption in Tomcat.

Are you using Tomcat's native APR library?

-chris
