Todd
>> Peter Kreuser wrote
>>>
>>> Can you provide a clean configuration that exhibits this behavior?
>>>
>>> What are you using to test the effective configuration?
>>
>> Another question: are you sure that you hit the Connector that you
>> configure? Tomcat should be reasonably configured in defaults with a
>> current JDK...
>>
>> 8443 or the like are not scanned with ssllabs! So it may as well hit an
>> apache on the same machine!
>>
>> Can you show detail on what ssllabs is complaining about?
>>
>> Best regards
>>
>> Peter
>
> Thank you Peter and Chris.
>
> I'm utilizing ssllabs to check as well as just going to the site with Chrome
> and looking in developer tools to see the protocol that was selected.
>
> I understand that 8443 is not a normal port, I'm using ipchains to redirect
> traffic from 443 to 8443. I believe that traffic is specifically hitting
> this webserver, as changes such as adding SSL or removing TLS 1.0 in the
> configuration file take immediate effect after restarting the Tomcat
> service.
>
> My current SSLHostConfig looks like this:
>
> <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
> honorCipherOrder="true"
> ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_GCM_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_3DES_EDE_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
> <Certificate certificateKeystoreFile="...."
> certificateKeystorePassword="...."
> type="RSA" />
> </SSLHostConfig>
>
> But ssllabs reports the following ciphers:
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>
> None of these ciphers are included in my list, and changes to my cipher list
> have no effect at all on what is displayed by ssllabs.
>
> I'm stuck, so any ideas or guidance is appreciated, thank you!
> -Todd
>
Tomcat 8.5.14
OpenJDK on Debian stretch 1.8.0_131
Using your conf I get the following - which is exactly what you ask for:
A- with:
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH sect571r1 (eq. 15360 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH sect571r1 (eq. 15360 bits RSA) FS 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
These include the numbers Chris is referring to.
- YIKES, do you need 3DES for IE8? Put that last with honorCipherOrder=true
then SSLlabs will not punish you in the ranking.
- the cipher list is not optimal - as you are ranked A- with “The server does
not support Forward Secrecy with the reference browsers. Grade reduced to A-.”
but we’ll work on that later
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
allowTrace="false"
maxThreads="150"
SSLEnabled="true"
compression="off"
scheme="https"
server="Apache Tomcat"
secure="true">
<SSLHostConfig
hostName="logopk.no-ip.com"
honorCipherOrder="true"
certificateVerification="false"
protocols="TLSv1+TLSv1.1+TLSv1.2"
ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
<Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
It would be interesting to get more details on the connector and the underlying
java version. We can see your SSL provider in the Connector...
BTW I do a NAT port forwarding from 443 to 8443.
Best regards
Peter
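A small lint for the SSLHostConfig cipher list discussed above, added here as an illustration and not code from the thread or from Tomcat: it reads a constructed server.xml fragment, flags a weak suite (3DES) ranked above stronger ones, flags non-forward-secret TLS_RSA_* suites listed ahead of ECDHE/DHE suites (the cause of the "Grade reduced to A-" message), and produces a reordered list with FS suites first and weak suites last. Suite names are the JSSE names used in the thread; the fragment and the helper names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the thread's configuration (not a real server.xml)
SERVER_XML = """<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig honorCipherOrder="true" protocols="TLSv1.2+TLSv1+TLSv1.1"
      ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
               TLS_RSA_WITH_3DES_EDE_CBC_SHA,
               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256">
    <Certificate certificateKeystoreFile="conf/keystore" type="RSA"/>
  </SSLHostConfig>
</Connector>"""

def parse_ciphers(xml_text):
    """Return (honorCipherOrder, [suite, ...]) from the first SSLHostConfig."""
    cfg = ET.fromstring(xml_text).find("SSLHostConfig")
    honor = cfg.get("honorCipherOrder", "false").lower() == "true"
    suites = [c.strip() for c in cfg.get("ciphers", "").split(",") if c.strip()]
    return honor, suites

def forward_secret(name):
    # Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def weak(name):
    return any(tag in name for tag in ("3DES", "_RC4_", "_NULL_", "EXPORT"))

def lint(xml_text):
    honor, suites = parse_ciphers(xml_text)
    findings = []
    if not honor:
        findings.append("honorCipherOrder is not true: the client's preference wins")
    for i, c in enumerate(suites):
        if weak(c) and any(not weak(x) for x in suites[i + 1:]):
            findings.append(f"weak suite {c} ranked above stronger suites")
    fs_positions = [i for i, c in enumerate(suites) if forward_secret(c)]
    if not fs_positions:
        findings.append("no forward-secret (ECDHE/DHE) suite offered")
    elif any(not forward_secret(c) for c in suites[:fs_positions[0]]):
        findings.append("non-FS suites precede FS suites: with honorCipherOrder the "
                        "server picks a static-RSA suite first, so no forward secrecy")
    return findings

def reorder(suites):
    """FS suites first, then other non-weak suites, weak suites last (order kept)."""
    fs = [c for c in suites if forward_secret(c) and not weak(c)]
    rest = [c for c in suites if not forward_secret(c) and not weak(c)]
    return fs + rest + [c for c in suites if weak(c)]
```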
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]