Re: Obsolete cypher suit
On 13 April 2016 at 12:50, Mark Thomas wrote:
> On 13/04/2016 12:43, Lyallex wrote:
>> On 12 April 2016 at 19:26, Mark Thomas wrote:
>>> On 12/04/2016 19:11, Lyallex wrote:
>>>> On 12 April 2016 at 18:06, Lyallex wrote:
>>>>> apache-tomcat-7.0.42 as standalone web server
>>>>> jdk1.7.0_45
>>>>> Ubuntu 12.10
>>>>>
>>>>> Greetings
>>>>>
>>>>> I'm sure this is an old chestnut but it's got me stumped
>>>>>
>>>>> I just purchased and installed my first ever ssl certificate
>>>>> I had it installed and apparently running in no time. I should of
>>>>> course have been suspicious that it all went so smoothly
>>>>> but I thought it was about time I got a break ... no such luck.
>>>>>
>>>>> Clicking the padlock in chrome I get
>>>>>
>>>>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher
>>>>> suit.
>>>>>
>>>>> The connection uses TLS 1.2.
>>>>>
>>>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>>>>> message authentication and ECDHE_RSA as the key exchange mechanism.
>>>>
>>>> jdk1.8.0.77 fixed it
>>>>
>>>> Should have known it was a Java (as opposed to Tomcat) problem
>>>>
>>>> as you were
>>>
>>> As of the next Tomcat 7 release, the SSL defaults have been improved so
>>> a default configuration should not report any issues.
>>>
>>> Mark
>>
>> Now I'm confused, I thought Tomcat relied on the JSSE implementation
>> in whatever version of Java that was used to start Tomcat
>> to provide its cipher suites. If this is correct how will a different
>> version of Tomcat make a difference given that it's started with the
>> same version of Java. If it's incorrect please forgive my boundless
>> ignorance and stupidity.
>
> Happy to clarify.
>
> Tomcat is able to select which TLS versions and cipher suites are
> enabled by default. The latest Tomcat version enables fewer cipher
> suites by default (some less secure ones are removed) so the default
> configuration is better.
>
> Users remain free to explicitly configure any cipher suite they wish
> from those supported by the JSSE implementation provided by the JRE.
>
> Mark

Good morning

After a long night trying to figure out why Tomcat would not run with
Java 1.8 on CentOS I've finally got it working
(wrong processor architecture, rookie mistake, tired)

ssllabs now gives my server a B which is way better than an F

There is one thing outstanding that I'm just too tired to figure out
at the moment and I'm hoping someone will put me out of my misery.

The one thing failing is the key exchange

My tomcat server uses RSA as the key exchange mechanism when it needs
to be using ECDHE_RSA

When I start reading documentation on cipher suites my head starts spinning

Does anyone feel like letting me know how to get tomcat to use
ECDHE_RSA for the key exchange?

Thanks

I gotta get some sleep

TTFN

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
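
Mark's point above, that the JRE's JSSE implementation supplies the available cipher suites while Tomcat or an explicit configuration chooses among them, can be checked on the JVM that starts Tomcat. The following is an added example, not code from the thread or from the Tomcat project; the class name `JsseSuiteAudit` and the "ECDHE_RSA with GCM" selection rule are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class (not part of Tomcat): audits the JSSE suites of the running JRE.
public class JsseSuiteAudit {

    // Ephemeral (EC)DH key exchange, as opposed to static RSA key exchange.
    // TLS 1.3 suite names carry no key-exchange field and report "other" here.
    static String keyExchange(String suite) {
        if (suite.startsWith("TLS_ECDHE_")) return "ECDHE";
        if (suite.startsWith("TLS_DHE_")) return "DHE";
        return "other";
    }

    // GCM is an AEAD mode; CBC + HMAC is the combination flagged in the thread.
    static String mode(String suite) {
        if (suite.contains("_GCM_")) return "GCM";
        if (suite.contains("_CBC_")) return "CBC";
        return "other";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        Set<String> jsseDefaults = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        List<String> picked = new ArrayList<String>();
        for (String suite : supported.getCipherSuites()) {
            System.out.printf("%-48s kx=%-5s mode=%-5s jsseDefault=%b%n",
                    suite, keyExchange(suite), mode(suite), jsseDefaults.contains(suite));
            if (suite.startsWith("TLS_ECDHE_RSA_") && mode(suite).equals("GCM")) {
                picked.add(suite);
            }
        }

        // Comma-separated JSSE names, the form an explicit cipher list takes.
        StringBuilder list = new StringBuilder();
        for (String suite : picked) {
            if (list.length() > 0) list.append(',');
            list.append(suite);
        }
        System.out.println("Protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("ECDHE_RSA + GCM suites: " + list);
    }
}
```

The names it prints are the JSSE names accepted by the `ciphers` attribute of a Tomcat JSSE connector; an empty final list means the JRE in use offers no ECDHE_RSA suite with GCM.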
Re: Obsolete cypher suit
On 13/04/2016 12:43, Lyallex wrote:
> On 12 April 2016 at 19:26, Mark Thomas wrote:
>> On 12/04/2016 19:11, Lyallex wrote:
>>> On 12 April 2016 at 18:06, Lyallex wrote:
>>>> apache-tomcat-7.0.42 as standalone web server
>>>> jdk1.7.0_45
>>>> Ubuntu 12.10
>>>>
>>>> Greetings
>>>>
>>>> I'm sure this is an old chestnut but it's got me stumped
>>>>
>>>> I just purchased and installed my first ever ssl certificate
>>>> I had it installed and apparently running in no time. I should of
>>>> course have been suspicious that it all went so smoothly
>>>> but I thought it was about time I got a break ... no such luck.
>>>>
>>>> Clicking the padlock in chrome I get
>>>>
>>>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher
>>>> suit.
>>>>
>>>> The connection uses TLS 1.2.
>>>>
>>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>>>> message authentication and ECDHE_RSA as the key exchange mechanism.
>>>
>>> jdk1.8.0.77 fixed it
>>>
>>> Should have known it was a Java (as opposed to Tomcat) problem
>>>
>>> as you were
>>
>> As of the next Tomcat 7 release, the SSL defaults have been improved so
>> a default configuration should not report any issues.
>>
>> Mark
>
> Now I'm confused, I thought Tomcat relied on the JSSE implementation
> in whatever version of Java that was used to start Tomcat
> to provide its cipher suites. If this is correct how will a different
> version of Tomcat make a difference given that it's started with the
> same version of Java. If it's incorrect please forgive my boundless
> ignorance and stupidity.

Happy to clarify.

Tomcat is able to select which TLS versions and cipher suites are
enabled by default. The latest Tomcat version enables fewer cipher
suites by default (some less secure ones are removed) so the default
configuration is better.

Users remain free to explicitly configure any cipher suite they wish
from those supported by the JSSE implementation provided by the JRE.

Mark
Re: Obsolete cypher suit
On 12 April 2016 at 19:26, Mark Thomas wrote:
> On 12/04/2016 19:11, Lyallex wrote:
>> On 12 April 2016 at 18:06, Lyallex wrote:
>>> apache-tomcat-7.0.42 as standalone web server
>>> jdk1.7.0_45
>>> Ubuntu 12.10
>>>
>>> Greetings
>>>
>>> I'm sure this is an old chestnut but it's got me stumped
>>>
>>> I just purchased and installed my first ever ssl certificate
>>> I had it installed and apparently running in no time. I should of
>>> course have been suspicious that it all went so smoothly
>>> but I thought it was about time I got a break ... no such luck.
>>>
>>> Clicking the padlock in chrome I get
>>>
>>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>>>
>>> The connection uses TLS 1.2.
>>>
>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>>> message authentication and ECDHE_RSA as the key exchange mechanism.
>>
>> jdk1.8.0.77 fixed it
>>
>> Should have known it was a Java (as opposed to Tomcat) problem
>>
>> as you were
>
> As of the next Tomcat 7 release, the SSL defaults have been improved so
> a default configuration should not report any issues.
>
> Mark

Now I'm confused, I thought Tomcat relied on the JSSE implementation
in whatever version of Java that was used to start Tomcat
to provide its cipher suites. If this is correct how will a different
version of Tomcat make a difference given that it's started with the
same version of Java. If it's incorrect please forgive my boundless
ignorance and stupidity.

lyallex
Re: Obsolete cypher suit
All,

On 4/12/16 2:32 PM, Christopher Schultz wrote:
> Lyallex,
>
> On 4/12/16 2:11 PM, Lyallex wrote:
>> On 12 April 2016 at 18:06, Lyallex wrote:
>>> apache-tomcat-7.0.42 as standalone web server jdk1.7.0_45
>>> Ubuntu 12.10
>>>
>>> Greetings
>>>
>>> I'm sure this is an old chestnut but it's got me stumped
>>>
>>> I just purchased and installed my first ever ssl certificate I
>>> had it installed and apparently running in no time. I should of
>>> course have been suspicious that it all went so smoothly but
>>> I thought it was about time I got a break ... no such luck.
>>>
>>> Clicking the padlock in chrome I get
>>>
>>> Your connection to 192.168.1.68 is encrypted using an obsolete
>>> cipher suit.
>>>
>>> The connection uses TLS 1.2.
>>>
>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1
>>> for message authentication and ECDHE_RSA as the key exchange
>>> mechanism.
>>
>> jdk1.8.0.77 fixed it
>>
>> Should have known it was a Java (as opposed to Tomcat) problem
>
> You did have this cipher suite configured in your ,
> though:
>
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
>
> That's the one Chrome was complaining about. (Though I'm not sure
> why it doesn't like that cipher suite).

Aaaand it's obvious, now. I was only looking at the cipher and hashing
algorithms. I didn't see the "AES + CBC" which is a red flag these days.

-chris
Re: Obsolete cypher suit
Lyallex,

On 4/12/16 2:11 PM, Lyallex wrote:
> On 12 April 2016 at 18:06, Lyallex wrote:
>> apache-tomcat-7.0.42 as standalone web server jdk1.7.0_45 Ubuntu
>> 12.10
>>
>> Greetings
>>
>> I'm sure this is an old chestnut but it's got me stumped
>>
>> I just purchased and installed my first ever ssl certificate I
>> had it installed and apparently running in no time. I should of
>> course have been suspicious that it all went so smoothly but I
>> thought it was about time I got a break ... no such luck.
>>
>> Clicking the padlock in chrome I get
>>
>> Your connection to 192.168.1.68 is encrypted using an obsolete
>> cipher suit.
>>
>> The connection uses TLS 1.2.
>>
>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>> message authentication and ECDHE_RSA as the key exchange
>> mechanism.
>
> jdk1.8.0.77 fixed it
>
> Should have known it was a Java (as opposed to Tomcat) problem

You did have this cipher suite configured in your , though:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

That's the one Chrome was complaining about. (Though I'm not sure why
it doesn't like that cipher suite).

-chris
Re: Obsolete cypher suit
On 12/04/2016 19:11, Lyallex wrote:
> On 12 April 2016 at 18:06, Lyallex wrote:
>> apache-tomcat-7.0.42 as standalone web server
>> jdk1.7.0_45
>> Ubuntu 12.10
>>
>> Greetings
>>
>> I'm sure this is an old chestnut but it's got me stumped
>>
>> I just purchased and installed my first ever ssl certificate
>> I had it installed and apparently running in no time. I should of
>> course have been suspicious that it all went so smoothly
>> but I thought it was about time I got a break ... no such luck.
>>
>> Clicking the padlock in chrome I get
>>
>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>>
>> The connection uses TLS 1.2.
>>
>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>> message authentication and ECDHE_RSA as the key exchange mechanism.
>
> jdk1.8.0.77 fixed it
>
> Should have known it was a Java (as opposed to Tomcat) problem
>
> as you were

As of the next Tomcat 7 release, the SSL defaults have been improved so
a default configuration should not report any issues.

Mark
Re: Obsolete cypher suit
On 12 April 2016 at 18:06, Lyallex wrote:
> apache-tomcat-7.0.42 as standalone web server
> jdk1.7.0_45
> Ubuntu 12.10
>
> Greetings
>
> I'm sure this is an old chestnut but it's got me stumped
>
> I just purchased and installed my first ever ssl certificate
> I had it installed and apparently running in no time. I should of
> course have been suspicious that it all went so smoothly
> but I thought it was about time I got a break ... no such luck.
>
> Clicking the padlock in chrome I get
>
> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>
> The connection uses TLS 1.2.
>
> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
> message authentication and ECDHE_RSA as the key exchange mechanism.

jdk1.8.0.77 fixed it

Should have known it was a Java (as opposed to Tomcat) problem

as you were

snip

lyallex