On 31/08/2016 12:18, Kreuser, Peter wrote:
>
> Christopher,
>
>> On 8/30/16 10:18 AM, Kreuser, Peter wrote:
>>
>> On 30/08/2016 10:23, Kreuser, Peter wrote:
>>
>> Hi all,
>>
>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd
>> proves that it is linked). I have set the cipher string to the
>> newly supported ciphers:
>>
>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
>> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
>>
>> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE
>> - -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
>>
>> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RS
>> A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E
>>
>> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA
>> - -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC
>>
>> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-G
>> CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
>>
>> HA:AES256-SHA:DES-CBC3-SHA:!DSS"
>>
>>
>> However I cannot connect with eg. ECDHE-ECDSA-CHACHA20-POLY1305.
>> testssl.sh shows only the old ciphers from the plain openssl
>> 1.0.2.
>>
>> Tomcat Version 8.5.4 Java 1.8.0_102
>>
>> Anything that I'm missing?
>>
>> Without seeing the full Connector config, don't know.
>>
>> Mark
>>
>> Mark, of course I should have done that:
>>
>> <Connector port="8843"
>> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImple
>> mentation"
>>
>> server="Apache Tomcat"
>>
>> allowTrace="false" maxThreads="150" SSLEnabled="true"
>> defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol
>> className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig
>> honorCipherOrder="true" insecureRenegotiation="false"
>> hostName="xxx.xxx.net" protocols="TLSv1.1+TLSv1.2"
>> certificateVerification="false" disableCompression="true"
>> disableSessionTickets="false"
>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECD
>>
>> HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25
>> 6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-R
>> SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E
>> CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE
>> - -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA
>> - -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-S
>> HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:
>> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
>> HA:AES256-SHA:DES-CBC3-SHA:!DSS">
>>
>>
>> <Certificate certificateKeyFile="${catalina.base}/conf/ssl/xxx.key"
>>
>> certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA" />
>> </SSLHostConfig> </Connector>
>>
>>
>> What client are you using? Hopefully openssl s_client with 1.1.0 or
>> later. You might want to double-check the client is capable.
>>
>> - -chris>
>
> testssl.sh is running with an openssl 1.0.2 compiled with CHACHA20-support.
>
> I tried to manually access the website with this version and
> ECDHE-ECDSA-CHACHA20-POLY1305 without success.
Don't you need a DSA cert to use that cipher?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
