Re: Disable low grade encryption
Chris,

I already posted solution. I had to set unlimited strength cryptography policy. Unlimited strength JCE is available from Sun on same download page as JDK. There are 2 jar files that must be copied in $JDK_HOME/jre/lib/security

It's so simple.

Regards,
Max

Christopher Schultz wrote:
> Max,
>
> Max Sevenfold wrote:
> | Chris,
> |
> | Thank You. I just got solution from colleague. I was going to post it here.
>
> Yes, please post your solution, including complete instructions. Post it under a new thread so folks who haven't been reading this one will see it.
>
> Also, specifically suggest that this information be added to the SSL Howto.
>
> -chris

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
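Added example (not part of the thread and not Tomcat's own code): a small diagnostic that combines the two checks discussed here, whether the installed JCE policy permits 256-bit AES and whether the suite named in ciphers="..." is actually offered by the JVM's default JSSE provider. The class name CipherPolicyCheck and its helper methods are illustrative names chosen for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLServerSocketFactory;

// Added diagnostic, not from the thread. Class and method names are illustrative.
public class CipherPolicyCheck {

    // Limited-strength policy files cap AES at 128 bits; unlimited reports a larger value.
    static boolean allowsAes256() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Classifies one suite name against what the default JSSE provider offers.
    static String classify(String suite, Set<String> supported, Set<String> enabled) {
        if (enabled.contains(suite)) return "enabled by default";
        if (supported.contains(suite)) return "supported, but not enabled by default";
        return "NOT AVAILABLE in this JVM";
    }

    public static void main(String[] args) throws Exception {
        // Suites to test; defaults to the one from the server.xml posted in the thread.
        String[] wanted = args.length > 0
                ? args : new String[] { "TLS_RSA_WITH_AES_256_CBC_SHA" };

        SSLServerSocketFactory f =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> supported =
                new HashSet<String>(Arrays.asList(f.getSupportedCipherSuites()));
        Set<String> enabled =
                new HashSet<String>(Arrays.asList(f.getDefaultCipherSuites()));

        System.out.println("java.version      = " + System.getProperty("java.version"));
        System.out.println("max AES key bits  = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 permitted = " + allowsAes256());

        boolean allUsable = true;
        for (String suite : wanted) {
            System.out.println(suite + ": " + classify(suite, supported, enabled));
            allUsable &= supported.contains(suite);
        }
        // Non-zero exit lets a start-up script stop before Tomcat is launched
        // with a ciphers="..." list this JVM cannot honour.
        System.exit(allUsable ? 0 : 1);
    }
}
```

Run it with the same JDK that Tomcat is started with, because the policy jar files are installed per JRE.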
Re: Disable low grade encryption
Max,

Max Sevenfold wrote:
| Chris,
|
| Thank You. I just got solution from colleague. I was going to post it here.

Yes, please post your solution, including complete instructions. Post it under a new thread so folks who haven't been reading this one will see it.

Also, specifically suggest that this information be added to the SSL Howto.

-chris
Re: Disable low grade encryption
Chris,

Thank You. I just got solution from colleague. I was going to post it here.

Installing unlimited strength cryptography policy fixed the problem. Cipher I posted is from Java6.

I think all Tomcats with SSL must be running with such policy now. Maybe it is good to post it to Tomcat's SSL docs.

Thanks All,
Max

Christopher Schultz wrote:
> Max,
>
> Max Sevenfold wrote:
> | compression="on"
> | compressionMinSize="2048"
> | noCompressionUserAgents="gozilla, traviata"
> | compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"
>
> Try removing this compression stuff while you get your cipher working.
>
> | ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
> | keystoreFile="conf/keystore"
>
> You should definitely use a full path to your keystore.
>
> | JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
>
> Have you checked that SSLSocket.getEnabledCipherSuites returns this particular cipher suite? From the javadoc, setting the cipher suite arbitrarily could fail:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[])
>
> For instance, when I run this simple program from my command line:
>
>     import java.util.Arrays;
>     import javax.net.ssl.SSLSocketFactory;
>
>     public class CipherSuites
>     {
>         public static void main(String[] args)
>         {
>             SSLSocketFactory sslsf = (SSLSocketFactory)SSLSocketFactory.getDefault();
>             String[] ciphers = sslsf.getDefaultCipherSuites();
>             Arrays.sort(ciphers);
>             // Print each default cipher suite, one per line
>             for(int i=0; i<ciphers.length; ++i)
>                 System.out.println(ciphers[i]);
>         }
>     }
Re: Disable low grade encryption
Max,

Max Sevenfold wrote:
| compression="on"
| compressionMinSize="2048"
| noCompressionUserAgents="gozilla, traviata"
| compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"

Try removing this compression stuff while you get your cipher working.

| ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
| keystoreFile="conf/keystore"

You should definitely use a full path to your keystore.

| JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA

Have you checked that SSLSocket.getEnabledCipherSuites returns this particular cipher suite? From the javadoc, setting the cipher suite arbitrarily could fail:

http://java.sun.com/j2se/1.5.0/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String[])

For instance, when I run this simple program from my command line:

    import java.util.Arrays;
    import javax.net.ssl.SSLSocketFactory;

    public class CipherSuites
    {
        public static void main(String[] args)
        {
            SSLSocketFactory sslsf = (SSLSocketFactory)SSLSocketFactory.getDefault();
            String[] ciphers = sslsf.getDefaultCipherSuites();
            Arrays.sort(ciphers);
            // Print each default cipher suite, one per line
            for(int i=0; i<ciphers.length; ++i)
                System.out.println(ciphers[i]);
        }
    }
Re: Disable low grade encryption
Chris,

tomcat 6.0.14
java 6

compressableMimeType="text/html,text/xml,text/javascript,text/css,text/javascript,text/plain"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA"
keystoreFile="conf/keystore"
keystorePass="changeit"
keystoreType="PKCS12" />

I added
JAVA_OPTS="$JAVA_OPTS "-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA
to catalina.sh also

Thanks,
Max

Christopher Schultz wrote:
> Max,
>
> Max Sevenfold wrote:
> | Right now I am using pure Java solution with keystore.
> | I am debating to move to APR.
>
> What version of Tomcat are you using? Can you post your configuration from server.xml? That would be very helpful in diagnosing your problem.
>
> -chris
Re: Disable low grade encryption
Max,

Max Sevenfold wrote:
| Right now I am using pure Java solution with keystore.
| I am debating to move to APR.

What version of Tomcat are you using? Can you post your configuration from server.xml? That would be very helpful in diagnosing your problem.

-chris
Re: Disable low grade encryption
Right now I am using pure Java solution with keystore.
I am debating to move to APR.

Thanks,
Max

On Feb 5, 2008 5:21 PM, Christopher Schultz <[EMAIL PROTECTED]> wrote:
> Max,
>
> Max Sevenfold wrote:
> | I would like to disable low grade encryption in Tomcat.
>
> Are you using Tomcat's native APR library?
>
> -chris
Re: Disable low grade encryption
Max,

Max Sevenfold wrote:
| I would like to disable low grade encryption in Tomcat.

Are you using Tomcat's native APR library?

-chris