How does one divine the EPR change from APR to AJP or NIO based on keystoreType? If we use curl --key-type <type> (private key file type: DER/PEM/ENG), there is NO relationship to the EPR implementation, because there is no EPR that curl is implementing. What does keystoreType have to do with the choice of EPR?
Explain this algorithm please.

Martin
______________________________________________
do not alter this email communication

> Date: Wed, 9 Jan 2013 12:22:27 -1000
> From: ba...@hawaii.edu
> To: users@tomcat.apache.org
> Subject: Re: Restricting ciphers
>
> On Wed, Jan 09, 2013 at 01:08:01PM +0400, Konstantin Kolinko wrote:
> >2013/1/9 Baron Fujimoto <ba...@hawaii.edu>:
> >> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
> >> My understanding is that the attack applies only to CBC ciphers, and that
> >> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
> >> ciphers that Tomcat uses with the following config for a connector:
> >>
> >> <Connector protocol="HTTP/1.1" SSLEnabled="true"
> >>            address="0.0.0.0"
> >>            port="8443"
> >>            maxThreads="150" scheme="https" secure="true"
> >>            keystoreFile="/path/to/keystore"
> >>            keystoreType="pkcs12"
> >>            ciphers="TLS_RSA_WITH_RC4_128_SHA,
> >>                     TLS_RSA_WITH_RC4_128_MD5,
> >>                     SSL_CK_RC4_128_WITH_MD5"
> >>            clientAuth="false" sslProtocol="TLS" />
> >>
> >> However, when I test this by attempting connections with a script[*] that
> >> iterates through the set of ciphers available to openssl, it appears to
> >> successfully connect with the following set of ciphers:
> >>
> >> AES128-SHA
> >> DES-CBC-SHA
> >> DES-CBC3-SHA
> >> DHE-RSA-AES128-SHA
> >> EDH-RSA-DES-CBC-SHA
> >> EDH-RSA-DES-CBC3-SHA
> >> EXP-DES-CBC-SHA
> >> EXP-EDH-RSA-DES-CBC-SHA
> >> EXP-RC4-MD5
> >> EXP-RC4-MD5
> >> RC4-MD5
> >> RC4-MD5
> >> RC4-SHA
> >>
> >> [*] The script basically parses the output of the following command:
> >>     openssl s_client -cipher "$cipher" -connect $SERVER
> >>
> >> Am I misunderstanding the use of the "ciphers" parameter? Or is there
> >> perhaps something in my testing methodology that accounts for these
> >> unexpected results? Any advice would be appreciated.
> >>
> >
> >As can be seen from your usage of the "keystoreType" attribute, you are
> >using the Java implementation of the Connector, not the openssl/APR one.
> >
> >You should look into the Java documentation for their cipher names.
> >
> >See this thread from October 2009:
> >http://markmail.org/message/zn4namfhypyxum23
>
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently. If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>
> ciphers="SSL_RSA_WITH_RC4_128_MD5,
>          SSL_RSA_WITH_RC4_128_SHA,
>          TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>          TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>          TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>          TLS_ECDH_RSA_WITH_RC4_128_SHA"
>
> -baron
> --
> Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
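As an added illustration of the naming mismatch the thread resolves (this is example code, not from the thread or from Tomcat), the following Python audits the ciphers attribute of each JSSE connector in server.xml and flags entries that are OpenSSL-style names, or IANA TLS_ names where this SunJSSE build expects the SSL_ prefix, along with any CBC suite. The mapping table is a constructed subset, and the assumption, matching what the thread observed, is that names JSSE does not recognise are silently dropped so the defaults remain in effect.

```python
import re
import xml.etree.ElementTree as ET

# Constructed subset of the OpenSSL -> JSSE cipher-name mapping (hypothetical table;
# the full lists are in ciphers(1) and the SunJSSE provider documentation).
OPENSSL_TO_JSSE = {
    "RC4-MD5": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4-SHA": "SSL_RSA_WITH_RC4_128_SHA",
    "ECDHE-RSA-RC4-SHA": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}
JSSE_KNOWN = set(OPENSSL_TO_JSSE.values())

def classify_cipher(name):
    """Return (status, jsse_name) for one entry of a JSSE connector's ciphers attribute."""
    if name in JSSE_KNOWN:
        return "ok", name
    if name in OPENSSL_TO_JSSE:  # OpenSSL-style name: JSSE does not recognise it
        return "openssl-name", OPENSSL_TO_JSSE[name]
    if name.startswith("TLS_") and "SSL_" + name[4:] in JSSE_KNOWN:
        return "wrong-prefix", "SSL_" + name[4:]  # IANA name, but SunJSSE uses SSL_ here
    return "unknown", None

def audit_connector(server_xml):
    """Audit the ciphers attribute of every SSL-enabled Connector in server.xml text."""
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for name in re.split(r"[\s,]+", conn.get("ciphers", "").strip()):
            if not name:
                continue
            status, jsse = classify_cipher(name)
            # BEAST (CVE-2011-3389) concerns CBC suites, so flag them by their JSSE name
            report.append({"cipher": name, "status": status, "jsse": jsse,
                           "cbc": "_CBC_" in (jsse or name)})
    return report

# Constructed sample: the connector from the thread, with the names that did not work.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" scheme="https" secure="true"
           keystoreFile="/path/to/keystore" keystoreType="pkcs12"
           ciphers="TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5"
           clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

if __name__ == "__main__":
    for row in audit_connector(SAMPLE_SERVER_XML):
        print(row)
```

Run it against a copy of server.xml; every row whose status is not "ok" is a name the JSSE connector will ignore, which is exactly how the original configuration ended up accepting the default suite list.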