Mark,
> On 31/08/2016 12:18, Kreuser, Peter wrote:
>
>
> Christopher,
>
> On 8/30/16 10:18 AM, Kreuser, Peter wrote:
>
> On 30/08/2016 10:23, Kreuser, Peter wrote:
>
> Hi all,
>
> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd
> proves that it is linked). I have set the cipher string to the
> newly supported ciphers:
>
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
>
> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE
> - -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
>
> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RS
> A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E
>
> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA
> - -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC
>
> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-G
> CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
>
> HA:AES256-SHA:DES-CBC3-SHA:!DSS"
>
> However I cannot connect with eg. ECDHE-ECDSA-CHACHA20-POLY1305.
> testssl.sh shows only the old ciphers from the plain openssl
> 1.0.2.
>
> Tomcat Version 8.5.4 Java 1.8.0_102
>
> Anything that I'm missing?
>
> Without seeing the full Connector config, don't know.
>
> Mark
>
> Mark, of course I should have done that:
>
> <Connector port="8843"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImple
> mentation"
>
> server="Apache Tomcat"
>
> allowTrace="false" maxThreads="150" SSLEnabled="true"
> defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol
> className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig
> honorCipherOrder="true" insecureRenegotiation="false"
> hostName="xxx.xxx.net" protocols="TLSv1.1+TLSv1.2"
> certificateVerification="false" disableCompression="true"
> disableSessionTickets="false"
> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECD
>
> HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25
> 6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-R
> SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E
> CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE
> - -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA
> - -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-S
> HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:
> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
> HA:AES256-SHA:DES-CBC3-SHA:!DSS">
>
> <Certificate certificateKeyFile="${catalina.base}/conf/ssl/xxx.key"
>
> certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA" />
> </SSLHostConfig> </Connector>
>
> What client are you using? Hopefully openssl s_client with 1.1.0 or
> later. You might want to double-check the client is capable.
>
> - -chris>
>
>
> testssl.sh is running with an openssl 1.0.2 compiled with CHACHA20-support.
>
> I tried to manually access the website with this version and
> ECDHE-ECDSA-CHACHA20-POLY1305 without success.
>
>
> Don't you need a DSA cert to use that cipher?
>
> Mark
>
you may be right, with ECDHE-RSA-CHACHA20-POLY1305 still the same.
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
