On 11/05/18 03:35, Baron Fujimoto wrote: > Yes, the host is behind an F5 load balacer, but AFAIK it should be passing > all the TLS/SSL directly to the real host to handle.
You don't say which Tomcat version is being used. I assume one of the 8.5.x versions since the 8.5.x docs are referenced. 8.5.x should get an A from SSLLabs with the default configuration: https://wiki.apache.org/tomcat/Security/Ciphers I recently updated that page but 8.5.x was getting a A two years ago as well. Are you sure Java 8 is being used? Mark > > On Thu, May 10, 2018 at 11:23:44PM +0000, Scott Hoenigman wrote: >> Are you using a load balancer? >> >> >> >> Sent from my T-Mobile 4G LTE Device >> >> >> -------- Original message -------- >> From: David Wall <d.w...@computer.org> >> Date: 5/10/18 6:15 PM (GMT-06:00) >> To: users@tomcat.apache.org >> Subject: Re: configuring ciphers for SSL Labs server test >> >> We're doing good with this: >> >> <SSLHostConfig certificateVerification="none" >> protocols="TLSv1.1, TLSv1.2" honorCipherOrder="true" >> ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, >> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, >> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, >> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA, >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" >> > >> >> >> On 5/10/18 2:45 PM, Baron Fujimoto wrote: >>> I'm trying to improve our grade on SSL Labs SSL server test[1] for our >>> Tomcat configuraton. Currently, their report caps our grade at B because, >>> "This server does not support Authenticated encryption (AEAD) cipher >>> suites". They report that we support the following cipher suites: >>> >>> # TLS 1.2 >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>> >>> # TLS 1.1 >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>> >>> I'm not sure why SSL Labs is seeing such a limited set of ciphers. We are >>> using Java 1.8.0_162, and I believe we have the Java Cryptography >>> Extension (JCE) properly installed. I have the following connector >>> defined (this version explicitly lists ciphers I think should satisfy the >>> AEAD cipher requirement[2]): >>> >>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" >>> address="0.0.0.0" >>> port="8443" >>> maxThreads="500" >>> maxPostSize="100000" >>> scheme="https" secure="true" >>> defaultSSLHostConfigName="foo.example.edu" >>> SSLEnabled="true" > >>> <SSLHostConfig hostName="foo.example.edu" >>> protocols="TLSv1.1+TLSv1.2+TLS1.3" >>> certificateVerification="none" >>> honorCipherOrder="true" >>> >>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK >>> :!TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA >>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA >>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA >>> :!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 >>> :!TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 >>> :!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 >>> :!TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 >>> :!TLS_RSA_WITH_AES_128_CBC_SHA >>> :!TLS_RSA_WITH_AES_256_CBC_SHA >>> :!TLS_RSA_WITH_AES_128_CBC_SHA256 >>> :!TLS_RSA_WITH_AES_256_CBC_SHA256 >>> :!TLS_RSA_WITH_AES_128_GCM_SHA256 >>> :!TLS_RSA_WITH_AES_256_GCM_SHA384 >>> :!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>> :!TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >>> :TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >>> :TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 >>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >>> :TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 >>> :TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 >>> :TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >>> :TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >>> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >>> :TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >>> :TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 >>> :TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 >>> :TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 >>> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA >>> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA >>> :TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 >>> :TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" > >>> <Certificate certificateKeystoreType="pkcs12" >>> >>> certificateKeystoreFile="/home/cas/keystore/foo.pkcs12.keystore" > >>> </Certificate> >>> </SSLHostConfig> >>> </Connector> >>> >>> I've mapped the cipher suite names using the OpenSSL cipher suite name >>> list[3]. I originally started with >>> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK", but had the same >>> result, so subsequently tried adding the specific ciphers shown above. The >>> tomcat SSLHostConfig docs state that either the OpenSSL or JSSE cipher >>> names may be used[4]. >>> >>> Any suggestions on what I may be doing wrong or for further troubleshooting? >>> >>> References: >>> [1] <https://www.ssllabs.com/ssltest/analyze.html> >>> [2] >>> <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites> >>> [3] >>> <https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER-SUITE-NAMES> >>> [4] >>> <https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig> >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
