subject:"Re\: Obsolete cypher suit"

Re: Obsolete cypher suit

2016-04-14 Thread Lyallex

On 13 April 2016 at 12:50, Mark Thomas  wrote:
> On 13/04/2016 12:43, Lyallex wrote:
>> On 12 April 2016 at 19:26, Mark Thomas  wrote:
>>> On 12/04/2016 19:11, Lyallex wrote:
 On 12 April 2016 at 18:06, Lyallex  wrote:
> apache-tomcat-7.0.42 as standalone web server
> jdk1.7.0_45
> Ubuntu 12.10
>
> Greetings
>
> I'm sure this is an old chestnut but it's got me stumped
>
> I just purchased and installed my first ever ssl certificate
> I had it installed and apparently running in no time. I should of
> course have been suspicious that it all went so smoothly
> but I though it was about time I got a break ... no such luck.
>
> Clicking the padlock in chrome I get
>
> Your connection to 192.168.1.68 is encrypted using an obsolete cipher 
> suit.
>
> The connection uses TLS 1.2.
>
> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
> message authentication and ECDHE_RSA as the key exchange mechanism.

 jdk1.8.0.77 fixed it

 Should have know it was a Java (as opposed to Tomcat) problem

 as you were
>>>
>>> As of the next Tomcat 7 release, the SSL defaults have been improved so
>>> a default configuration should not report any issues.
>>>
>>> Mark
>>
>> Now I'm confused, I thought Tomcat relied on the JSSE implementation
>> in whatever version of Java that was used to start Tomcat
>> to provide it's cipher suits. If this is correct how will a different
>> version of Tomcat make a difference given that it's started with the
>> same version of Java. If it's incorrect please forgive my boundlesss
>> ignorance and stupidity.
>
> Happy to clarify.
>
> Tomcat is able to select which TLS versions and cipher suites are
> enabled by default. The latest Tomcat version enables fewer cipher
> suites by default (some less secure ones are removed) so the default
> configuration is better.
>
> Users remain free to explicitly configure any cipher suite they wish
> from those supported by the JSSE implementation provided by the JRE.
>
> Mark

Good morning

After a long night trying to figure out why Tomcat would not run with
Java 1.8 on centOS I've finally got it working
(wrong processor architecture, rookie mistake, tired)

ssllabs now gives my server a B which is way better that an F

There is one thing outstanding that I'm just too tired to figure out
at the moment and I'm hoping someone will put me out of my misery.

The one thing failing is the key exchage

My tomcat server uses RSA  as the key exchange mechanism when it needs
to be using ECDHE_RSA

When I start reading documentation on cipher suites my head starts spinning

Does anyone feel like letting me know how to get tomcat to use
ECDHE_RSA for the key exchange?

Thanks
I gotta get some sleep
TTFN

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

2016-04-13 Thread Mark Thomas

On 13/04/2016 12:43, Lyallex wrote:
> On 12 April 2016 at 19:26, Mark Thomas  wrote:
>> On 12/04/2016 19:11, Lyallex wrote:
>>> On 12 April 2016 at 18:06, Lyallex  wrote:
 apache-tomcat-7.0.42 as standalone web server
 jdk1.7.0_45
 Ubuntu 12.10

 Greetings

 I'm sure this is an old chestnut but it's got me stumped

 I just purchased and installed my first ever ssl certificate
 I had it installed and apparently running in no time. I should of
 course have been suspicious that it all went so smoothly
 but I though it was about time I got a break ... no such luck.

 Clicking the padlock in chrome I get

 Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.

 The connection uses TLS 1.2.

 The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
 message authentication and ECDHE_RSA as the key exchange mechanism.
>>>
>>> jdk1.8.0.77 fixed it
>>>
>>> Should have know it was a Java (as opposed to Tomcat) problem
>>>
>>> as you were
>>
>> As of the next Tomcat 7 release, the SSL defaults have been improved so
>> a default configuration should not report any issues.
>>
>> Mark
> 
> Now I'm confused, I thought Tomcat relied on the JSSE implementation
> in whatever version of Java that was used to start Tomcat
> to provide it's cipher suits. If this is correct how will a different
> version of Tomcat make a difference given that it's started with the
> same version of Java. If it's incorrect please forgive my boundlesss
> ignorance and stupidity.

Happy to clarify.

Tomcat is able to select which TLS versions and cipher suites are
enabled by default. The latest Tomcat version enables fewer cipher
suites by default (some less secure ones are removed) so the default
configuration is better.

Users remain free to explicitly configure any cipher suite they wish
from those supported by the JSSE implementation provided by the JRE.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

2016-04-13 Thread Lyallex

On 12 April 2016 at 19:26, Mark Thomas  wrote:
> On 12/04/2016 19:11, Lyallex wrote:
>> On 12 April 2016 at 18:06, Lyallex  wrote:
>>> apache-tomcat-7.0.42 as standalone web server
>>> jdk1.7.0_45
>>> Ubuntu 12.10
>>>
>>> Greetings
>>>
>>> I'm sure this is an old chestnut but it's got me stumped
>>>
>>> I just purchased and installed my first ever ssl certificate
>>> I had it installed and apparently running in no time. I should of
>>> course have been suspicious that it all went so smoothly
>>> but I though it was about time I got a break ... no such luck.
>>>
>>> Clicking the padlock in chrome I get
>>>
>>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>>>
>>> The connection uses TLS 1.2.
>>>
>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>>> message authentication and ECDHE_RSA as the key exchange mechanism.
>>
>> jdk1.8.0.77 fixed it
>>
>> Should have know it was a Java (as opposed to Tomcat) problem
>>
>> as you were
>
> As of the next Tomcat 7 release, the SSL defaults have been improved so
> a default configuration should not report any issues.
>
> Mark

Now I'm confused, I thought Tomcat relied on the JSSE implementation
in whatever version of Java that was used to start Tomcat
to provide it's cipher suits. If this is correct how will a different
version of Tomcat make a difference given that it's started with the
same version of Java. If it's incorrect please forgive my boundlesss
ignorance and stupidity.

lyallex



> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

2016-04-12 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

All,

On 4/12/16 2:32 PM, Christopher Schultz wrote:
> Lyallex,
> 
> On 4/12/16 2:11 PM, Lyallex wrote:
>> On 12 April 2016 at 18:06, Lyallex  wrote:
>>> apache-tomcat-7.0.42 as standalone web server jdk1.7.0_45
>>> Ubuntu 12.10
>>> 
>>> Greetings
>>> 
>>> I'm sure this is an old chestnut but it's got me stumped
>>> 
>>> I just purchased and installed my first ever ssl certificate I 
>>> had it installed and apparently running in no time. I should of
>>>  course have been suspicious that it all went so smoothly but
>>> I though it was about time I got a break ... no such luck.
>>> 
>>> Clicking the padlock in chrome I get
>>> 
>>> Your connection to 192.168.1.68 is encrypted using an obsolete 
>>> cipher suit.
>>> 
>>> The connection uses TLS 1.2.
>>> 
>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1
>>> for message authentication and ECDHE_RSA as the key exchange 
>>> mechanism.
> 
>> jdk1.8.0.77 fixed it
> 
>> Should have know it was a Java (as opposed to Tomcat) problem
> 
> You did have this cipher suite configured in your ,
> though:
> 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 
> That's the one Chrome was complaining about. (Though I'm not sure
> why it doesn't like that cipher suite).

Aaaand it's obvious, now. I was only looking at the cipher and hashing
algorithms. I didn't see the "AES + CBC" which is a red flag these days.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcNP3kACgkQ9CaO5/Lv0PBx5ACfaz2VUHZNWnFr7QhCrWwLO9Db
e98AnRC4t0Hkz5FTM7jUriXnI8uRhMjG
=Xixo
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

2016-04-12 Thread Christopher Schultz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lyallex,

On 4/12/16 2:11 PM, Lyallex wrote:
> On 12 April 2016 at 18:06, Lyallex  wrote:
>> apache-tomcat-7.0.42 as standalone web server jdk1.7.0_45 Ubuntu
>> 12.10
>> 
>> Greetings
>> 
>> I'm sure this is an old chestnut but it's got me stumped
>> 
>> I just purchased and installed my first ever ssl certificate I
>> had it installed and apparently running in no time. I should of 
>> course have been suspicious that it all went so smoothly but I
>> though it was about time I got a break ... no such luck.
>> 
>> Clicking the padlock in chrome I get
>> 
>> Your connection to 192.168.1.68 is encrypted using an obsolete
>> cipher suit.
>> 
>> The connection uses TLS 1.2.
>> 
>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for 
>> message authentication and ECDHE_RSA as the key exchange
>> mechanism.
> 
> jdk1.8.0.77 fixed it
> 
> Should have know it was a Java (as opposed to Tomcat) problem

You did have this cipher suite configured in your , though:

  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

That's the one Chrome was complaining about. (Though I'm not sure why
it doesn't like that cipher suite).

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlcNPyUACgkQ9CaO5/Lv0PCa4ACfUHcftICEAlwB25PExNjgw8CZ
4cEAoJKegblaMMmlFn/7CtH5t76cdWHI
=SocL
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

2016-04-12 Thread Mark Thomas

On 12/04/2016 19:11, Lyallex wrote:
> On 12 April 2016 at 18:06, Lyallex  wrote:
>> apache-tomcat-7.0.42 as standalone web server
>> jdk1.7.0_45
>> Ubuntu 12.10
>>
>> Greetings
>>
>> I'm sure this is an old chestnut but it's got me stumped
>>
>> I just purchased and installed my first ever ssl certificate
>> I had it installed and apparently running in no time. I should of
>> course have been suspicious that it all went so smoothly
>> but I though it was about time I got a break ... no such luck.
>>
>> Clicking the padlock in chrome I get
>>
>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>>
>> The connection uses TLS 1.2.
>>
>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>> message authentication and ECDHE_RSA as the key exchange mechanism.
> 
> jdk1.8.0.77 fixed it
> 
> Should have know it was a Java (as opposed to Tomcat) problem
> 
> as you were

As of the next Tomcat 7 release, the SSL defaults have been improved so
a default configuration should not report any issues.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

2016-04-12 Thread Lyallex

On 12 April 2016 at 18:06, Lyallex  wrote:
> apache-tomcat-7.0.42 as standalone web server
> jdk1.7.0_45
> Ubuntu 12.10
>
> Greetings
>
> I'm sure this is an old chestnut but it's got me stumped
>
> I just purchased and installed my first ever ssl certificate
> I had it installed and apparently running in no time. I should of
> course have been suspicious that it all went so smoothly
> but I though it was about time I got a break ... no such luck.
>
> Clicking the padlock in chrome I get
>
> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>
> The connection uses TLS 1.2.
>
> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
> message authentication and ECDHE_RSA as the key exchange mechanism.

jdk1.8.0.77 fixed it

Should have know it was a Java (as opposed to Tomcat) problem

as you were

snip

lyallex

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Obsolete cypher suit

Re: Obsolete cypher suit

Re: Obsolete cypher suit

Re: Obsolete cypher suit

Re: Obsolete cypher suit

Re: Obsolete cypher suit

Re: Obsolete cypher suit

7 matches

Site Navigation

Mail list logo

Footer information