I have a Tomcat 6.0.41 connector set up with:

SSLProtocol="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
         TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
         TLS_RSA_WITH_AES_128_CBC_SHA256,
         TLS_RSA_WITH_AES_128_CBC_SHA,
         TLS_RSA_WITH_AES_256_CBC_SHA256,
         TLS_RSA_WITH_AES_256_CBC_SHA"


We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".


I also test my server using openssl like:


openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null

SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-EDH-RSA-DES-CBC-SHA
    Session-ID: 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
    Session-ID-ctx:
    Master-Key: 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429113767
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)


It still connects with the EXPORT cipher.  I do not know why, since I thought 
the ciphers I specify in the "ciphers" variable are good.



This is my Tomcat start-up:

bin/startup.sh

Using CATALINA_BASE:   /usr/apache-tomcat-6.0.41
Using CATALINA_HOME:   /usr/apache-tomcat-6.0.41
Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
Using JRE_HOME:        /usr/java6
Using CLASSPATH:       /usr/apache-tomcat-6.0.41/bin/bootstrap.jar


I appreciate any help.


Thx

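Added example, not part of the original post: a shell helper that turns the openssl s_client check shown above into a repeatable pass/fail result by parsing the "Protocol" and "Cipher" lines of the session block. The function names (classify_session, probe) are hypothetical, and the two sample outputs are constructed from the session block in the post.

```shell
#!/bin/sh
# classify_session reads `openssl s_client` output on stdin and prints one of:
#   EXPORT <protocol> <cipher>   an export-grade suite was negotiated
#   OK <protocol> <cipher>       a non-export suite was negotiated
#   NONE                         no suite was negotiated (handshake refused)
classify_session() {
    awk '
        # Session lines look like "    Protocol  : TLSv1"
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") {
                print "NONE"
                exit
            }
            # OpenSSL names for export-grade suites start with EXP
            if (cipher ~ /^EXP/) print "EXPORT", proto, cipher
            else                 print "OK", proto, cipher
        }'
}

# probe HOST:PORT runs the same check as in the post against a live server.
probe() {
    # A client built without export suites cannot test for them at all.
    openssl ciphers EXPORT >/dev/null 2>&1 || { echo "UNTESTABLE"; return 0; }
    openssl s_client -cipher EXPORT -connect "$1" </dev/null 2>/dev/null |
        classify_session
}

# Constructed sample: the failing result reported in the post.
SAMPLE_EXPORT='SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-EDH-RSA-DES-CBC-SHA'

# Constructed sample: a server that refuses every offered export suite.
SAMPLE_REFUSED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'
```

Run it as probe localhost:443 after each connector change; the check passes when the result is NONE. UNTESTABLE means the local openssl build has no export suites compiled in, so a failed connection from that client proves nothing about the server.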