-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Peter,
On 8/30/16 10:18 AM, Kreuser, Peter wrote:
>> On 30/08/2016 10:23, Kreuser, Peter wrote:
>>
>> Hi all,
>>
>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd
>> proves that it is linked). I have set the cipher string to the
>> newly supported ciphers:
>>
>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
>>
>>
GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE
- -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
>> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RS
A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E
>>
>>
CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA
- -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC
>> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-G
CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
>>
>>
HA:AES256-SHA:DES-CBC3-SHA:!DSS"
>>
>> However I cannot connect with eg. ECDHE-ECDSA-CHACHA20-POLY1305.
>> testssl.sh shows only the old ciphers from the plain openssl
>> 1.0.2.
>>
>> Tomcat Version 8.5.4 Java 1.8.0_102
>>
>> Anything that I'm missing?
>>
>>
>> Without seeing the full Connector config, don't know.
>>
>> Mark
>>
>
> Mark, of course I should have done that:
>
> <Connector port="8843"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImple
mentation"
>
>
server="Apache Tomcat"
> allowTrace="false" maxThreads="150" SSLEnabled="true"
> defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol
> className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig
> honorCipherOrder="true" insecureRenegotiation="false"
> hostName="xxx.xxx.net" protocols="TLSv1.1+TLSv1.2"
> certificateVerification="false" disableCompression="true"
> disableSessionTickets="false"
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECD
HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25
6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-R
SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E
CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE
- -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA
- -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-S
HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:
AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
HA:AES256-SHA:DES-CBC3-SHA:!DSS">
>
>
<Certificate certificateKeyFile="${catalina.base}/conf/ssl/xxx.key"
> certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA" />
> </SSLHostConfig> </Connector>
What client are you using? Hopefully openssl s_client with 1.1.0 or
later. You might want to double-check the client is capable.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJXxdNoAAoJEBzwKT+lPKRYYh8P/0/B+MlCuoVoVK2zW9MU1BI4
zFKgsKZHljGrqLaf3scOEhKY+tOP79Rg20fvdDh9Azdbu/lKSsy9rNJLID8nVThW
N5fj6UWBMavDc8JCF7JL3tPjOlfzXEV8waOHZxnA6t5oiPid1qtMZp5GwXt9RwUI
qQVkSMbsnxeLO6LCI9kdiInmH/By7stAdFLS/BK2wix7VRNYtaPEdMe1601829bY
R7dwiP1i2iEWg2yk3p0QJkhejb9crXq1OJu6qYwVM7yozWh+2q3XPipEL4eqaye0
pkL/IKUbsTwb9YjFK6jl2rNgjMCXJ1ckABRD8SES6cQg9+purEDKTiP1J+XYYLG2
wzHY3hgfIVee9OInZWkIXN/5Z76t/4G7UC0SNhi5bms6I/PmrX9VBVM2NOVOEGG6
rxuNPgwY6SZk7XD4wP8l9AHAVpWz+gYmpN/Y8GK1lYlgXcC9vt3tjft/3Masdi5D
ZrplIbNVp4pvj+A+BKnB/0NC+b2/qdzXmrDKJhYzrR1FuRlpdlQZpQRSRVknaEDJ
7s1K0FwthRUByfZaMRZslgmn4To4aqV2w50/HZK1F4mZBux6siVAKd1M4/jI3hWt
2/61KYNLA41bEA9n5YMg2xIhx+dp4hha4f8jTDtfZ/qlrC867/ywJVo238fa3C+f
TiTxJHicQbRm3whdQKGG
=ZV7k
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
