2015-03-03 1:45 GMT+03:00 Eric <cam...@gmail.com>:
> I am trying to change the ciphers that my Tomcat 7 server supports. I am
> using the APR connector. Here's the connector information in server.xml
> with the line saying which ciphers to support:
>
> <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
>            enableLookups="false" disableUploadTimeout="true"
>            connectionTimeout="3000"
>            socketBuffer="122880"
>            maxKeepAliveRequests="1"
>            scheme="https" secure="true"
>            SSLProtocol="TLSv1"
>            SSLEnabled="true"
>            SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
>            SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
>            SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
>            SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

"/>" closes the tag. Your "SSLCipherSuite" is not an attribute, but plain text that follows the tag.

The above also misses the "protocol" attribute. If you are using the APR connector you had better select it explicitly instead of relying on autodetection. If autodetection fails you may end up with plain HTTP on that port.

> I shut down and started Tomcat back up.
>
> When I scan this server using NMAP and a script that enumerates all of the
> SSL ciphers, I get this result:
>
> $ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
> Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
> Host is up (0.019s latency).
> rDNS record for X.XX.XX.XX: d.mydomain.com
> PORT    STATE SERVICE
> 443/tcp open  https
> | ssl-enum-ciphers:
> |   SSLv3: No supported ciphers found
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
> |       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
> |       TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
> |       TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
> |       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
> |       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
> |       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
> |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
> |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
> |       TLS_DH_anon_WITH_DES_CBC_SHA - broken
> |       TLS_DH_anon_WITH_RC4_128_MD5 - broken
> |       TLS_DH_anon_WITH_SEED_CBC_SHA - broken
> |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> |       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
> |       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> |       TLS_RSA_WITH_DES_CBC_SHA - weak
> |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
> |       TLS_RSA_WITH_RC4_128_MD5 - strong
> |       TLS_RSA_WITH_RC4_128_SHA - strong
> |       TLS_RSA_WITH_SEED_CBC_SHA - strong
> |     compressors:
> |       NULL
> |_  least strength: broken
>
> Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
>
> Why is it still supporting all of those other ciphers? I only told it to
> support one. Am I doing something wrong?
>
> OS/version information:
>
> CentOS release 6.5 (Final)
> apr-1.3.9-5.el6_2.x86_64
> apr-devel-1.3.9-5.el6_2.x86_64
> apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
> Tomcat, could it be that an option was turned off that prevents changing
> the SSL cipher? How would I check?)

7.0.32?

http://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5
http://tomcat.apache.org/security-7.html
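An added configuration check, not from the thread or from Tomcat itself, that parses a server.xml fragment and flags exactly the mistake the reply points out: a setting written after the closing "/>" becomes text content rather than an attribute, so the SSL-enabled Connector ends up with no SSLCipherSuite, and the "protocol" attribute is missing as well. The XML fragments are constructed for the example; the APR protocol class name is Tomcat's own.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment reproducing the mistake from the thread:
# SSLCipherSuite is written after the "/>" that closes the Connector tag,
# so the XML parser sees it as text content, not as an attribute.
BROKEN_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               SSLProtocol="TLSv1" SSLEnabled="true"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key" />
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
  </Service>
</Server>
"""

# Same connector with the cipher list inside the tag and the APR
# implementation selected explicitly via "protocol" (constructed).
FIXED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLProtocol="TLSv1" SSLEnabled="true"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256" />
  </Service>
</Server>
"""

REQUIRED_TLS_ATTRS = ("protocol", "SSLCipherSuite")


def audit_connectors(xml_text):
    """Return (port, problem) tuples for every SSL-enabled Connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for attr in REQUIRED_TLS_ATTRS:
            if attr not in conn.attrib:
                findings.append((port, "missing attribute " + attr))
        # Text after the closing "/>" lands in .tail; attribute-shaped text
        # there means a setting was typed outside the tag.
        tail = (conn.tail or "").strip()
        if "=" in tail and '"' in tail:
            findings.append((port, "stray text after tag: " + tail))
    return findings
```

Running audit_connectors(BROKEN_XML) reports the two missing attributes and the stray SSLCipherSuite text on port 8443; the fixed fragment yields no findings.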