Setting only these ciphers in the JSSE connector: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I wrote a small Java program that makes an HttpsConnection. With it I have no problem making a connection and getting these ciphers. So how come it doesn't work in any browser? As far as I could see Chromium should have support for AES256-GCM.

main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 167, 191, 12, 139, 75, 162, 8, 69, 1, 129, 65, 129 }
***
main, WRITE: TLSv1.2 Handshake, length = 96
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 96
*** Finished
verify_data: { 4, 236, 148, 186, 214, 130, 187, 88, 249, 51, 183, 102 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, WRITE: TLSv1.2 Application Data, length = 224
main, READ: TLSv1.2 Application Data, length = 11472

If I also add the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Then my little Java program uses only these and not the GCM ciphers.

2014-05-21 12:21 GMT+02:00 Sverre Moe <sverre....@gmail.com>:

> I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for
> TLSv1.2. I then configured a list of strong ciphers only, that I wanted to
> use.
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
> clientAuth="false" SSLEnabled="true" scheme="https" secure="true"
> sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" keyAlias="tomcat"
> keystoreFile="/usr/share/tomcat/.keystore" keystorePass="**********"
> keystoreType="JKS"
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256"
> />
>
> I have tried running Tomcat with Java 7 and Java 8. Both of these should
> support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384.
> I have downloaded the Java cryptographic extensions policy files for both
> Java 7 and Java 8.
>
> The only way I get a connection is when I add the following ciphers:
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
>
> According to the specification all these ciphers are correct names:
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites
>
> According to the implementation in JSSE provider they are implemented as
> well to work with TLSv1.2
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
> Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available only
> for TLS 1.2 or later.
>
> Also how come SSLLabs SSLTest tells me I do not have forward secrecy and
> am using RC4 ciphers? Thought when I set a limited list of ciphers only
> those can be used.
>
> I tried to edit /usr/sbin/tomcat-sysd (which is started by service tomcat)
> to enable SSL debugging, but nothing shows up in the log files
>
> exec ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
>   -classpath "$CLASSPATH" \
>   -Dcatalina.base="$CATALINA_BASE" \
>   -Dcatalina.home="$CATALINA_HOME" \
>   -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
>   -Djava.io.tmpdir="$CATALINA_TMPDIR" ${DSECURITY_MANAGER} \
>   -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
>   -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
>   -Djavax.net.debug=ssl \
>   org.apache.catalina.startup.Bootstrap start
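
A diagnostic for the question in this thread, as an added example that is not part of the original messages: it checks each name from a connector `ciphers` list against the cipher suites the running JVM's default JSSE provider reports for a TLSv1.2 context. The class name `CipherNameCheck` and its `classify` method are hypothetical; the default input is the `ciphers` value exactly as quoted in the message.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CipherNameCheck {
    // Default input: the ciphers attribute exactly as quoted in the message above.
    static final String QUOTED_LIST =
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
      + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,"
      + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
      + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256";

    /** Maps each configured name to how this JVM's default TLSv1.2 context treats it. */
    static Map<String, String> classify(String commaSeparated) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key/trust managers; enough to list suites
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        Map<String, String> result = new LinkedHashMap<>();
        for (String raw : commaSeparated.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) continue;
            if (enabled.contains(name)) result.put(name, "supported, enabled by default");
            else if (supported.contains(name)) result.put(name, "supported, not enabled by default");
            else result.put(name, "NOT SUPPORTED by this JVM (misspelled or unavailable)");
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        boolean allKnown = true;
        String list = args.length > 0 ? args[0] : QUOTED_LIST;
        for (Map.Entry<String, String> e : classify(list).entrySet()) {
            System.out.printf("%-48s %s%n", e.getKey(), e.getValue());
            allKnown &= !e.getValue().startsWith("NOT");
        }
        System.exit(allKnown ? 0 : 1); // non-zero exit when any name is unknown to the JVM
    }
}
```

Run it with the same `java` binary that starts Tomcat, since the supported list differs between Java 7 and Java 8 and depends on the installed policy files.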