-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Peter,
On 8/30/16 10:18 AM, Kreuser, Peter wrote: >> On 30/08/2016 10:23, Kreuser, Peter wrote: >> >> Hi all, >> >> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd >> proves that it is linked). I have set the cipher string to the >> newly supported ciphers: >> >> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128- >> >> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE - -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- >> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RS A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E >> >> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA - -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC >> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-G CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S >> >> HA:AES256-SHA:DES-CBC3-SHA:!DSS" >> >> However I cannot connect with eg. ECDHE-ECDSA-CHACHA20-POLY1305. >> testssl.sh shows only the old ciphers from the plain openssl >> 1.0.2. >> >> Tomcat Version 8.5.4 Java 1.8.0_102 >> >> Anything that I'm missing? >> >> >> Without seeing the full Connector config, don't know. >> >> Mark >> > > Mark, of course I should have done that: > > <Connector port="8843" > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImple mentation" > > server="Apache Tomcat" > allowTrace="false" maxThreads="150" SSLEnabled="true" > defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol > className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig > honorCipherOrder="true" insecureRenegotiation="false" > hostName="xxx.xxx.net" protocols="TLSv1.1+TLSv1.2" > certificateVerification="false" disableCompression="true" > disableSessionTickets="false" > ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECD HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25 6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-R SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE - -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA - -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-S HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA: AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S HA:AES256-SHA:DES-CBC3-SHA:!DSS"> > > <Certificate certificateKeyFile="${catalina.base}/conf/ssl/xxx.key" > certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA" /> > </SSLHostConfig> </Connector> What client are you using? Hopefully openssl s_client with 1.1.0 or later. You might want to double-check the client is capable. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJXxdNoAAoJEBzwKT+lPKRYYh8P/0/B+MlCuoVoVK2zW9MU1BI4 zFKgsKZHljGrqLaf3scOEhKY+tOP79Rg20fvdDh9Azdbu/lKSsy9rNJLID8nVThW N5fj6UWBMavDc8JCF7JL3tPjOlfzXEV8waOHZxnA6t5oiPid1qtMZp5GwXt9RwUI qQVkSMbsnxeLO6LCI9kdiInmH/By7stAdFLS/BK2wix7VRNYtaPEdMe1601829bY R7dwiP1i2iEWg2yk3p0QJkhejb9crXq1OJu6qYwVM7yozWh+2q3XPipEL4eqaye0 pkL/IKUbsTwb9YjFK6jl2rNgjMCXJ1ckABRD8SES6cQg9+purEDKTiP1J+XYYLG2 wzHY3hgfIVee9OInZWkIXN/5Z76t/4G7UC0SNhi5bms6I/PmrX9VBVM2NOVOEGG6 rxuNPgwY6SZk7XD4wP8l9AHAVpWz+gYmpN/Y8GK1lYlgXcC9vt3tjft/3Masdi5D ZrplIbNVp4pvj+A+BKnB/0NC+b2/qdzXmrDKJhYzrR1FuRlpdlQZpQRSRVknaEDJ 7s1K0FwthRUByfZaMRZslgmn4To4aqV2w50/HZK1F4mZBux6siVAKd1M4/jI3hWt 2/61KYNLA41bEA9n5YMg2xIhx+dp4hha4f8jTDtfZ/qlrC867/ywJVo238fa3C+f TiTxJHicQbRm3whdQKGG =ZV7k -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org