-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mark,
On 8/31/16 7:21 AM, Mark Thomas wrote: > On 31/08/2016 12:18, Kreuser, Peter wrote: >> >> Christopher, >> >>> On 8/30/16 10:18 AM, Kreuser, Peter wrote: >>> >>> On 30/08/2016 10:23, Kreuser, Peter wrote: >>> >>> Hi all, >>> >>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd >>> proves that it is linked). I have set the cipher string to the >>> newly supported ciphers: >>> >>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E C >>> >>> DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128- >>> >>> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 :DHE >>> >>> - - -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- >>> >>> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-R S >>> >>> A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E >>> >>> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE - -RSA >>> >>> - - -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC >>> >>> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128- G >>> >>> CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S >>> >>> HA:AES256-SHA:DES-CBC3-SHA:!DSS" >>> >>> >>> However I cannot connect with eg. >>> ECDHE-ECDSA-CHACHA20-POLY1305. testssl.sh shows only the old >>> ciphers from the plain openssl 1.0.2. >>> >>> Tomcat Version 8.5.4 Java 1.8.0_102 >>> >>> Anything that I'm missing? >>> >>> Without seeing the full Connector config, don't know. >>> >>> Mark >>> >>> Mark, of course I should have done that: >>> >>> <Connector port="8843" >>> protocol="org.apache.coyote.http11.Http11Nio2Protocol" >>> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImp le >>> >>> mentation" >>> >>> server="Apache Tomcat" >>> >>> allowTrace="false" maxThreads="150" SSLEnabled="true" >>> defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol >>> className="org.apache.coyote.http2.Http2Protocol" /> >>> <SSLHostConfig honorCipherOrder="true" >>> insecureRenegotiation="false" hostName="xxx.xxx.net" >>> protocols="TLSv1.1+TLSv1.2" certificateVerification="false" >>> disableCompression="true" disableSessionTickets="false" >>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E CD >>> >>> >>> HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25 >>> 6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:D HE-R >>> >>> SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E >>> CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:E CDHE >>> >>> - - -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-R SA >>> - >>> -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES2 56-S >>> >>> HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA: >>> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES1 28-S >>> >>> HA:AES256-SHA:DES-CBC3-SHA:!DSS"> >>> >>> >>> <Certificate >>> certificateKeyFile="${catalina.base}/conf/ssl/xxx.key" >>> >>> certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA" >>> /> </SSLHostConfig> </Connector> >>> >>> >>> What client are you using? Hopefully openssl s_client with >>> 1.1.0 or later. You might want to double-check the client is >>> capable. >>> >>> - -chris> >> >> testssl.sh is running with an openssl 1.0.2 compiled with >> CHACHA20-support. >> >> I tried to manually access the website with this version and >> ECDHE-ECDSA-CHACHA20-POLY1305 without success. > > Don't you need a DSA cert to use that cipher? Yep. It's used for authentication only -- EDCHE is of course being used for key exchange. Nice catch. Peter, this isn't working because this cipher suite can't be used with your RSA certificate: you'll need a DSA cert. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJXxy0vAAoJEBzwKT+lPKRYmFgP/3M8/Lle0Ix7khbZKt991eG2 nOxzLjacdOtkbDfonYfAwQuzQqK55uT3bOFs+zlm8En3E4+4nnmAg3u77AdfN1xT KyTwHivMhPrH/CJi5glSgyGvu5sfVDe9S2Lc4QBfEzh5Szaugc/pUQEoFtMpo0ZR 9ddcazLdCEJRGucMPWG6ClpVVYMU6g1ZQr0dAOmsuZn7w+rPzMM5gjx3EsCM6jhK s692+mF4PNe5g3ZGLkEd0apgyevulRKv/zFbiNajRjrHjV6JdQ3T/VusuyC/R0Re SBwG2DmnPMe8+v491Nvo7q2Z3MqQLqSNvk4kmiXtJKUyAsC6ufMQy61mXA+7PJAR Rb1tm+szXymtzbnhVjGFv53QkwmiQB5ryOjjtR17e55wHuStGhfrZe64N8hIqM8M iBJ5rZQS6WY4XMSPWFKwaW8WSXgnyEpVjoEtQcxm+cAImzeLALIydw2SGEC8/wNC H4YZ4j0mwT02i22YG7+ciPYiyh9CnLryURez5NxKOVC0ePReEtPdu1K+4Zgw+y3/ zIayysLJ+JQ+SUN5ZuTCecjt5y2BxjHfrRwNSAqdyzdLCR4ZfUaRnavGA7FxvwUQ nJXgYXP0JAqO+pA49oPpVHg1wJbbWxG23EHzBHpw/tMWpbGGHVQReTwv2j0J4UGS QjqgRBdsQIEJMElKAjkt =xmOP -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org