RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

Wed, 15 Apr 2015 10:23:50 -0700 

I also have Java 7 on the same host and got the same result.


________________________________________
From: Jason Jesso [jje...@global-matrix.com]
Sent: Wednesday, April 15, 2015 1:17 PM
To: Tomcat Users List
Subject: RE: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

I am using Java 1.6 on AIX plaform.

/usr/java6/bin/java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr15fp1-20140110_01(SR15 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 
jvmap3260sr15-20131231_180656 (JIT enabled, AOT enabled)
J9VM - 20131231_180656
JIT  - r9_20130920_46510ifx3
GC   - GA24_Java6_SR15_20131231_1152_B180656)
JCL  - 20140107_01

You think this is the issue?

________________________________________
From: David kerber [dcker...@verizon.net]
Sent: Wednesday, April 15, 2015 12:26 PM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

On 4/15/2015 12:05 PM, Jason Jesso wrote:
> I have Tomcat 6.0.41 connector set-up with:
>
>
> SSLProtocol="TLSv1.1,TLSv1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>           TLS_RSA_WITH_AES_128_CBC_SHA256,
>           TLS_RSA_WITH_AES_128_CBC_SHA,
>           TLS_RSA_WITH_AES_256_CBC_SHA256,
>           TLS_RSA_WITH_AES_256_CBC_SHA"
>
>
> We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
>
>
> I also test my server using openssl like:
>
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
>
> SSL-Session:
>      Protocol  : TLSv1
>      Cipher    : EXP-EDH-RSA-DES-CBC-SHA
>      Session-ID: 
> 552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
>      Session-ID-ctx:
>      Master-Key: 
> 28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
>      Key-Arg   : None
>      PSK identity: None
>      PSK identity hint: None
>      SRP username: None
>      Start Time: 1429113767
>      Timeout   : 300 (sec)
>      Verify return code: 19 (self signed certificate in certificate chain)
>
>
> It still connects with the EXPORT cipher.  I do not know why, since I thought 
> the ciphers I specify in the "ciphers" variable is good.
>
>
>
> This is my Tomcat start-up:
>
> bin/startup.sh
>
> Using CATALINA_BASE:   /usr/apache-tomcat-6.0.41
> Using CATALINA_HOME:   /usr/apache-tomcat-6.0.41
> Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
> Using JRE_HOME:        /usr/java6
> Using CLASSPATH:       /usr/apache-tomcat-6.0.41/bin/bootstrap.jar

What exact version of java?  I think that's your issue.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to