-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 8/31/16 7:21 AM, Mark Thomas wrote:
> On 31/08/2016 12:18, Kreuser, Peter wrote:
>>
>> Christopher,
>>
>>> On 8/30/16 10:18 AM, Kreuser, Peter wrote:
>>>
>>> On 30/08/2016 10:23, Kreuser, Peter wrote:
>>>
>>> Hi all,
>>>
>>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd
>>> proves that it is linked). I have set the cipher string to the
>>> newly supported ciphers:
>>>
>>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E
C
>>>
>>>
DHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-
>>>
>>> GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
:DHE
>>>
>>>
- - -RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
>>>
>>> AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-R
S
>>>
>>>
A-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:E
>>>
>>> CDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE
- -RSA
>>>
>>>
- - -AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-EC
>>>
>>> DSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-
G
>>>
>>>
CM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-S
>>>
>>> HA:AES256-SHA:DES-CBC3-SHA:!DSS"
>>>
>>>
>>> However I cannot connect with eg.
>>> ECDHE-ECDSA-CHACHA20-POLY1305. testssl.sh shows only the old
>>> ciphers from the plain openssl 1.0.2.
>>>
>>> Tomcat Version 8.5.4 Java 1.8.0_102
>>>
>>> Anything that I'm missing?
>>>
>>> Without seeing the full Connector config, don't know.
>>>
>>> Mark
>>>
>>> Mark, of course I should have done that:
>>>
>>> <Connector port="8843"
>>> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImp
le
>>>
>>>
mentation"
>>>
>>> server="Apache Tomcat"
>>>
>>> allowTrace="false" maxThreads="150" SSLEnabled="true"
>>> defaultSSLHostConfigName="xxx.xxx.net" > <UpgradeProtocol
>>> className="org.apache.coyote.http2.Http2Protocol" />
>>> <SSLHostConfig honorCipherOrder="true"
>>> insecureRenegotiation="false" hostName="xxx.xxx.net"
>>> protocols="TLSv1.1+TLSv1.2" certificateVerification="false"
>>> disableCompression="true" disableSessionTickets="false"
>>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E
CD
>>>
>>>
>>>
HE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES25
>>> 6-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:D
HE-R
>>>
>>>
SA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:E
>>> CDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:E
CDHE
>>>
>>>
- - -ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-R
SA
>>> -
>>> -AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES2
56-S
>>>
>>>
HA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:
>>> AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES1
28-S
>>>
>>>
HA:AES256-SHA:DES-CBC3-SHA:!DSS">
>>>
>>>
>>> <Certificate
>>> certificateKeyFile="${catalina.base}/conf/ssl/xxx.key"
>>>
>>> certificateFile="${catalina.base}/conf/ssl/xxx.pem" type="RSA"
>>> /> </SSLHostConfig> </Connector>
>>>
>>>
>>> What client are you using? Hopefully openssl s_client with
>>> 1.1.0 or later. You might want to double-check the client is
>>> capable.
>>>
>>> - -chris>
>>
>> testssl.sh is running with an openssl 1.0.2 compiled with
>> CHACHA20-support.
>>
>> I tried to manually access the website with this version and
>> ECDHE-ECDSA-CHACHA20-POLY1305 without success.
>
> Don't you need a DSA cert to use that cipher?
Yep. It's used for authentication only -- EDCHE is of course being
used for key exchange.
Nice catch. Peter, this isn't working because this cipher suite can't
be used with your RSA certificate: you'll need a DSA cert.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJXxy0vAAoJEBzwKT+lPKRYmFgP/3M8/Lle0Ix7khbZKt991eG2
nOxzLjacdOtkbDfonYfAwQuzQqK55uT3bOFs+zlm8En3E4+4nnmAg3u77AdfN1xT
KyTwHivMhPrH/CJi5glSgyGvu5sfVDe9S2Lc4QBfEzh5Szaugc/pUQEoFtMpo0ZR
9ddcazLdCEJRGucMPWG6ClpVVYMU6g1ZQr0dAOmsuZn7w+rPzMM5gjx3EsCM6jhK
s692+mF4PNe5g3ZGLkEd0apgyevulRKv/zFbiNajRjrHjV6JdQ3T/VusuyC/R0Re
SBwG2DmnPMe8+v491Nvo7q2Z3MqQLqSNvk4kmiXtJKUyAsC6ufMQy61mXA+7PJAR
Rb1tm+szXymtzbnhVjGFv53QkwmiQB5ryOjjtR17e55wHuStGhfrZe64N8hIqM8M
iBJ5rZQS6WY4XMSPWFKwaW8WSXgnyEpVjoEtQcxm+cAImzeLALIydw2SGEC8/wNC
H4YZ4j0mwT02i22YG7+ciPYiyh9CnLryURez5NxKOVC0ePReEtPdu1K+4Zgw+y3/
zIayysLJ+JQ+SUN5ZuTCecjt5y2BxjHfrRwNSAqdyzdLCR4ZfUaRnavGA7FxvwUQ
nJXgYXP0JAqO+pA49oPpVHg1wJbbWxG23EHzBHpw/tMWpbGGHVQReTwv2j0J4UGS
QjqgRBdsQIEJMElKAjkt
=xmOP
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
