Thanks for the response, Peter.
The client is not doing anything other than a simple https connection to
tomcat. The cipher suites used by the client are the default JRE 1.8 cipher
suites.
I have not configured or requested any particular cipher suite when
connecting to Tomcat. During the handshake, a particular cipher is
automatically selected after the client/server negotiation.
The question I have is that the cipher that is automatically selected is in the
client preference order and not in Tomcat's order as per the
useServerCipherSuitesOrder attribute setting.
Are we on the same page?

Sent from my iPhone

> On Oct 9, 2017, at 11:51 PM, Peter Kreuser <l...@kreuser.name> wrote:
> 
> Harish,
> 
> 
>> On 10.10.2017 at 00:00, Harish Krishnan <harish....@gmail.com> wrote:
>> 
>> Thanks for the response, Chris.
>> 
>> Below are my answers in order.
>> To keep the response as short as possible, I have not included the ciphers
>> list in the connector -
>> 
>> a) Tomcat 7.0.79 (will be updating to 7.0.82)
>> b) JRE 1.80_144
>> c) Our connector configuration is below.
>> d) We are using NIO.
>> e) I am using a simple java client that makes TLS connection to our tomcat
>> on below port. I am capturing the SSL handshake.
>> The way I tested the client preference is: Let's take the same example I
>> gave in my first email, i.e. the client's preference is ABCDEF and the Tomcat
>> server's preference is DEFABC with *useServerCipherSuitesOrder* set to true.
>> During the 1st handshake connection, the "A" cipher suite was chosen. I removed
>> "A" from my tomcat connector, restarted the service, and did the connection
>> test again.
>> "B" was chosen during this 2nd handshake. The same test was continued and I
>> observed that CDEF were chosen next in order.
>> I am expecting DEFABC as the order of preference as per the
>> *useServerCipherSuitesOrder* setting.
> I believe that there is a misunderstanding. Your simple client does not seem 
> to handle the situation correctly (or even at all).
> I think if you request cipher B you will get B.
> 
> Please check with an SSL tool like sslyze or testssl.sh. If your site is 
> available on the internet, you could try ssllabs.com.
> 
> The settings seem to be OK, unless I do not see an incorrect formatting on my 
> phone.
> 
> HTH,
> 
> Peter
> 
>> Let me know if I am missing anything or if my understanding is incorrect.
>> 
>> <Connector
>>               id="orion.server.https"
>>               acceptCount="100"
>>               useServerCipherSuitesOrder="true"
>>               ciphers="we have around 20 cipher suites listed..."
>>               clientAuth="want"
>>               compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>>               compression="on"
>>               compressionMinSize="2048"
>>               disableUploadTimeout="true"
>>               enableLookups="false"
>>               keystoreFile="keystore/xyz"
>>               keystorePass=""
>>               maxConnections="500"
>>               maxHttpHeaderSize="8192"
>>               maxKeepAliveRequests="500"
>>               maxThreads="250"
>>               minSpareThreads="25"
>>               noCompressionUserAgents="gozilla, traviata"
>>               port="8443"
>>               processorCache="500"
>>               protocol="org.apache.coyote.http11.Http11NioProtocol"
>>               scheme="https"
>>               secure="true"
>>               server="Undefined"
>>               sessionCacheSize="400"
>>               SSLEnabled="true"
>>               sslProtocol="TLS"
>>               sslEnabledProtocols="TLSv1.1, TLSv1.2"
>>               truststoreFile="keystore/xyz"
>>               truststorePass=""
>>               truststoreType="jks"
>>               URIEncoding="UTF-8" />
>> 
>> 
>> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> 
>>> 
>>> Harish,
>>> 
>>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>>> Need your expert input here. Not sure what I am doing wrong,  but I
>>>> cannot get this server preference cipher suites feature working.
>>>> 
>>>> My setup: Latest tomcat 7.x build (which supports
>>>> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>>>> 
>>>> No matter what value I set to this attribute (true OR false OR
>>>> undefined, which is the default), I always see the client's preference
>>>> picked. As an example, if the client's order is ABCDEF, and the server's
>>>> order is DEFABC, no matter what value I set to this
>>>> useServerCipherSuitesOrder attribute, the order selected is always
>>>> ABC...
>>> 
>>> What exact version of Tomcat are you using?
>>> What exact version of Java are you using?
>>> 
>>> Please post your <Connector> configuration, minus any secrets.
>>> 
>>> Do you know if you are using the BIO, NIO, or APR connector?
>>> 
>>> How are you determining client-preference?
>>> 
>>> - -chris
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org

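The selection rule this thread argues about, as an added example that is not code from any of the original posts: `negotiate` applies the TLS 1.2 rule for both settings of useServerCipherSuitesOrder, `removal_experiment` replays Harish's remove-and-reconnect test on the constructed ABCDEF/DEFABC orders so the two outcomes can be compared, and `live_check` does what Peter suggests with two real handshakes against a server of the caller's choosing (host, port and the OpenSSL-style suite names are the caller's inputs, not values from the thread).

```python
import socket
import ssl


def negotiate(client_order, server_order, server_preference):
    """TLS 1.2 selection rule: the preferring side walks its own list and
    takes the first suite the other side also offers (None if no overlap)."""
    if server_preference:                     # useServerCipherSuitesOrder="true"
        walk, supported = server_order, set(client_order)
    else:                                     # client order decides
        walk, supported = client_order, set(server_order)
    for suite in walk:
        if suite in supported:
            return suite
    return None


def removal_experiment(client_order, server_order, server_preference):
    """Replay the test from the thread: record the selected suite, drop it
    from the connector's list, reconnect, until nothing overlaps."""
    remaining, observed = list(server_order), []
    chosen = negotiate(client_order, remaining, server_preference)
    while chosen is not None:
        observed.append(chosen)
        remaining.remove(chosen)
        chosen = negotiate(client_order, remaining, server_preference)
    return observed


def infer_preference(client_order, server_order, observed):
    """Name the side whose order reproduces an observed sequence of picks."""
    if observed == removal_experiment(client_order, server_order, True):
        return "server"
    if observed == removal_experiment(client_order, server_order, False):
        return "client"
    return "unknown"


def live_check(host, port, suite_a, suite_b):
    """Two real TLS 1.2 handshakes offering only suite_a and suite_b, in
    opposite orders (OpenSSL names such as ECDHE-RSA-AES128-GCM-SHA256).
    A server that honours its own order returns the same suite both times."""
    picks = []
    for order in (f"{suite_a}:{suite_b}", f"{suite_b}:{suite_a}"):
        ctx = ssl.create_default_context()
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers ignores TLS 1.3 suites
        ctx.set_ciphers(order)
        with socket.create_connection((host, port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            picks.append(tls.cipher()[0])
    return picks
```

With the thread's orders, a server honouring its own list yields D, E, F, A, B, C across the removal rounds; the A, B, C, D, E, F sequence Harish reports is what client preference produces.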