AW: TCNative 1.2.8 with openssl 1.1.0

Tue, 30 Aug 2016 07:19:43 -0700 

> On 30/08/2016 10:23, Kreuser, Peter wrote:
>
> Hi all,
>
> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd proves that it 
> is
> linked). I have set the cipher string to the newly supported ciphers:
>
>                    
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E
> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC
> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
> HA:AES256-SHA:DES-CBC3-SHA:!DSS"
>
> However I cannot connect with eg. ECDHE-ECDSA-CHACHA20-POLY1305. testssl.sh
> shows only the old ciphers from the plain openssl 1.0.2.
>
> Tomcat Version 8.5.4
> Java 1.8.0_102
>
> Anything that I'm missing?
>
>
> Without seeing the full Connector config, don't know.
>
> Mark
>

Mark, of course I should have done that:

  <Connector port="8843" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
             
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
             server="Apache Tomcat"
             allowTrace="false"
             maxThreads="150" SSLEnabled="true"
             defaultSSLHostConfigName="xxx.xxx.net" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
                   hostName="xxx.xxx.net"
                   protocols="TLSv1.1+TLSv1.2"
                   certificateVerification="false"
                   disableCompression="true"
                   disableSessionTickets="false"
                   
ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS">
      <Certificate certificateKeyFile="${catalina.base}/conf/ssl/xxx.key"
                   certificateFile="${catalina.base}/conf/ssl/xxx.pem"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

Thanks.

Peter

Reply via email to