In short: What's the best way to configure ciphers, matching in tomcat
and openssl, to get widest browser compatibility without sacrificing security?

In long: I'm running tomcat with client-certificate authentication behind
a proxy made by F5 [LTM, "Local Traffic Manager", is the specific product].

The LTM is basically a reverse proxy. You hand it your server's
certificate and private keys, then tell it to "do that SSL proxy
thing". It conducts a MITM attack; listening, modifying, and watching
your traffic for sketchy behaviour ["Wait... why is that IRC instead
of HTTP?"].

Skeevy as it sounds as I've described it, I've actually so far been
very happy with it. For example, rather than routing with SNAT, the proxy
injects an X-Forwarded-For header into the HTTP stream; my server cannot
even address/route to anything outside, but I can still configure tomcat
to log the originating address, and it's still TLS end-to-end.

The proxy comes with a default set of ciphers configured which resembles
openssl cipher string:
!SSLv2:!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:@SPEED

I believe this string corresponds to a tomcat cipher configuration:
TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_EXPORT_WITH_RC4_40_MD5,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_DES_CBC_SHA, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA

This works fine with IE9, 10 and Chrome. But recent firefox versions
don't like it; I get the error corresponding to "no cypher overlap"
[which I presume is missing overlap between firefox and tomcat, because
when the overlap is missing between tomcat and the F5, the F5 just drops
the connection].

I'm using the most recent Tomcat7 release right now, with the latest
JDK7 release.

Does anyone have any suggestions as to what set of options will go best
for me, both in the openssl-based proxy, and in tomcat?

Thanks!
Gary
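
An added example (not part of the message above, and not Tomcat or F5 code): a small evaluator for the subset of cipher-string syntax used in the post (`!X` exclusions and `A+B` intersections), run over the twelve JSSE names listed there. The attribute table is constructed for this example, and `@SPEED` ordering is not modelled.

```python
# Constructed attribute table for the twelve JSSE suite names listed in the post.
# Tags follow the OpenSSL keyword meanings: key exchange, cipher, EXPORT grade.
SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": {"RSA", "RC4"},
    "TLS_RSA_WITH_RC4_128_MD5": {"RSA", "RC4"},
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": {"RSA", "RC4", "EXPORT"},
    "TLS_RSA_WITH_AES_256_GCM_SHA384": {"RSA", "AES"},
    "TLS_RSA_WITH_AES_256_CBC_SHA256": {"RSA", "AES"},
    "TLS_RSA_WITH_AES_256_CBC_SHA": {"RSA", "AES"},
    "TLS_RSA_WITH_AES_128_GCM_SHA256": {"RSA", "AES"},
    "TLS_RSA_WITH_AES_128_CBC_SHA256": {"RSA", "AES"},
    "TLS_RSA_WITH_AES_128_CBC_SHA": {"RSA", "AES"},
    "TLS_RSA_WITH_DES_CBC_SHA": {"RSA", "DES"},
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": {"RSA", "DES", "EXPORT"},
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": {"RSA", "3DES"},
}

# The proxy's default string, copied from the post.
PROXY_STRING = "!SSLv2:!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:@SPEED"


def expand(cipher_string, suites=SUITES):
    """Return (selected, excluded) suite names for the given cipher string."""
    killed, selected = set(), []
    for term in cipher_string.split(":"):
        if term.startswith("@"):
            continue  # ordering directive; ordering is not modelled here
        if term.startswith("!"):
            # '!' removes matching suites permanently; later terms cannot re-add them
            killed |= {n for n, tags in suites.items() if term[1:] in tags}
            selected = [n for n in selected if n not in killed]
            continue
        wanted = set(term.split("+"))  # '+' means the suite must carry every tag
        for name, tags in suites.items():
            if wanted <= tags and name not in killed and name not in selected:
                selected.append(name)
    excluded = [n for n in suites if n not in selected]
    return selected, excluded


def tomcat_ciphers(cipher_string):
    """Comma-separated value suitable for the connector's ciphers attribute."""
    return ", ".join(expand(cipher_string)[0])


if __name__ == "__main__":
    selected, excluded = expand(PROXY_STRING)
    print("ciphers=\"%s\"" % tomcat_ciphers(PROXY_STRING))
    print("excluded by the proxy string:", excluded)
```

Run against the proxy string, the two `EXPORT` names fall out because of `!EXPORT`, leaving ten suites on the Tomcat side that the proxy string can also select.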
