Thank you for catching my typo and for the information

On Mon, Mar 2, 2015 at 2:55 PM, Konstantin Kolinko <knst.koli...@gmail.com>
wrote:

> 2015-03-03 1:45 GMT+03:00 Eric <cam...@gmail.com>:
> > I am trying to change the ciphers that my Tomcat 7 server supports. I am
> > using the APR connector. Here's the connector information in server.xml
> > with the line saying which ciphers to support:
> >
> >     <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
> >                enableLookups="false" disableUploadTimeout="true"
> >                connectionTimeout="3000"
> >                socketBuffer="122880"
> >                maxKeepAliveRequests="1"
> >                scheme="https" secure="true"
> >                SSLProtocol="TLSv1"
> >                SSLEnabled="true"
> >                SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
> >                SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
> >                SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
> >                SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
>
> "/>" closes the tag.
>
> Your  "SSLCipherSuite" is not an attribute, but a plain text that
> follows the tag.
>
> The above also misses the "protocol" attribute. If you are using APR
> connector you would better select it explicitly instead of relying on
> autodetection.   If autodetection fails you may end up with plain HTTP
> on that port.
>
> > I shut down and started Tomcat back up.
> >
> > When I scan this server using NMAP and a script that enumerates all of the
> > SSL ciphers, I get this result:
> >
> > $ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com
> >
> > Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
> > Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
> > Host is up (0.019s latency).
> > rDNS record for X.XX.XX.XX: d.mydomain.com
> > PORT    STATE SERVICE
> > 443/tcp open  https
> > | ssl-enum-ciphers:
> > |   SSLv3: No supported ciphers found
> > |   TLSv1.0:
> > |     ciphers:
> > |       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> > |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> > |       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
> > |       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
> > |       TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
> > |       TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
> > |       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
> > |       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
> > |       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
> > |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
> > |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
> > |       TLS_DH_anon_WITH_DES_CBC_SHA - broken
> > |       TLS_DH_anon_WITH_RC4_128_MD5 - broken
> > |       TLS_DH_anon_WITH_SEED_CBC_SHA - broken
> > |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
> > |       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
> > |       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
> > |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
> > |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
> > |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
> > |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
> > |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
> > |       TLS_RSA_WITH_DES_CBC_SHA - weak
> > |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
> > |       TLS_RSA_WITH_RC4_128_MD5 - strong
> > |       TLS_RSA_WITH_RC4_128_SHA - strong
> > |       TLS_RSA_WITH_SEED_CBC_SHA - strong
> > |     compressors:
> > |       NULL
> > |_  least strength: broken
> >
> > Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
> >
> > Why it is still supporting all of those other ciphers? I only told it to
> > support one. Am I doing something wrong?
> >
> > OS/version information:
> >
> >     CentOS release 6.5 (Final)
> >     apr-1.3.9-5.el6_2.x86_64
> >     apr-devel-1.3.9-5.el6_2.x86_64
> >     apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
> > Tomcat, could it be that an option was turned off that prevents changing
> > the SSL cipher? How would I check?)
>
>
> 7.0.32?
>
> http://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5
> http://tomcat.apache.org/security-7.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

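The two problems Konstantin points out (the `/>` that closes the tag before `SSLCipherSuite`, and the missing `protocol` attribute) are easy to miss by eye because the file is still well-formed XML and Tomcat starts without complaint. The script below is an added example, not code from the thread or from the Tomcat project: it parses a server.xml with the standard library and reports, for every SSL-enabled Connector, any `name="value"` text left dangling after the element, any connector that still relies on `protocol` autodetection (absent, or the default `HTTP/1.1`), and any SSL-enabled connector with no `SSLCipherSuite` at all. Both server.xml fragments are constructed here: the first reproduces the posted connector, the second is a corrected version with the cipher attribute inside the element and the APR protocol class named explicitly. The check labels (`stray-attr`, `no-protocol`, `no-cipher-suite`) are this script's own.

```python
"""Lint a Tomcat 7 server.xml for SSL connector attributes that never take effect.

Added example, not part of the mailing-list thread. The XML fragments are
constructed for this script; attribute names are real Tomcat 7 APR connector
attributes, the finding labels are this script's own.
"""
import re
import xml.etree.ElementTree as ET

# Explicit APR connector class; HTTP/1.1 is the documented default that
# autoselects between the Java and APR implementations.
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
AUTODETECT_VALUES = (None, "HTTP/1.1")

# Anything shaped like an XML attribute that ended up outside the tag.
ATTR_IN_TEXT = re.compile(r'\b([A-Za-z][A-Za-z0-9]*)\s*=\s*"[^"]*"')

# Constructed: the connector as posted, "/>" closes the tag one line early.
BROKEN_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
               enableLookups="false" disableUploadTimeout="true"
               connectionTimeout="3000"
               socketBuffer="122880"
               maxKeepAliveRequests="1"
               scheme="https" secure="true"
               SSLProtocol="TLSv1"
               SSLEnabled="true"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
               SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
  </Service>
</Server>
"""

# Constructed: the corrected connector, cipher suite inside the element and
# the APR implementation selected explicitly instead of by autodetection.
FIXED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               enableLookups="false" disableUploadTimeout="true"
               connectionTimeout="3000"
               socketBuffer="122880"
               maxKeepAliveRequests="1"
               scheme="https" secure="true"
               SSLEnabled="true"
               SSLProtocol="TLSv1"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
               SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
  </Service>
</Server>
"""


def lint_connectors(server_xml):
    """Return (port, check, detail) findings for every Connector in server_xml."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        attrs = conn.attrib
        # Text following "/>" belongs to the parent element; Tomcat never
        # sees it as a connector attribute.
        for name in ATTR_IN_TEXT.findall(conn.tail or ""):
            findings.append((port, "stray-attr", name))
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue
        if attrs.get("protocol") in AUTODETECT_VALUES:
            findings.append((port, "no-protocol",
                             'add protocol="%s"' % APR_PROTOCOL))
        if "SSLCipherSuite" not in attrs:
            findings.append((port, "no-cipher-suite",
                             "connector default cipher list in effect"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("posted", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print("%s server.xml:" % label)
        for port, check, detail in lint_connectors(xml_text) or [("-", "ok", "no findings")]:
            print("  port %s  %-16s %s" % (port, check, detail))
```

Against the posted fragment this reports `stray-attr SSLCipherSuite`, `no-protocol` and `no-cipher-suite` on port 8443; against the corrected fragment it reports nothing. After changing the file, restart Tomcat and re-run the same `nmap --script ssl-enum-ciphers` scan; note that the scan in the thread targets port 443 while the connector shown listens on 8443, so make sure the port you scan is actually the one this connector serves before reading anything into the cipher list.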