All geek questions in one place

Tomcat: TLSv1.2 with strong ciphers not working

I installed Tomcat-7, configured TLSv1.2 support on port 8443.
My connector configuration:
protocol = "org.apache.coyote.http11.Http11NioProtocol" SSLEnabled = "true" schem = "https" secure = "true" sslProtocol = " TLSv1.2 "sslEnabledProtocols =" TLSv1.2 "

Then I set up a list of strong ciphers that I wanted to use. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_A4_254_wha_sha_sha_sha_sha_sha_shita

As I already read, Tomcat can use Java JSSE or OpenSSL
JSSE protocol = "org.apache.coyote.http11.Http11NioProtocol"
OpenSSL protocol = "org.apache.coyote.http11.Http11AprProtocol"
My tomcat connector is configured with JSSE protocol.

It works if I add the following ciphers with SHA1. (No GCM with SHA1) TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

I downloaded Java cryptographic extension policy files. Tried both Java 7 and Java 8.

Before installing cryptographic extensions, I received the following error when starting Tomcat

INFO: Initializing ProtocolHandler ["http-nio-8443"]
mai 20, 2014 3:57:43 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory     getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine :     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Java 7, GCM-SHA384 CBC-SHA384 : http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

:

INFO: Initializing ProtocolHandler ["http-nio-8443"]
mai 20, 2014 4:21:11 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getEnableableCiphers
WARNING: None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA584,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA584,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA584,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA584

, Tomcat/Java.

? Chromium Firefox. , Chromium SHA256, SHA384 AES-GCM.

+4
4

, Chromium, Firefox .

/ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SHA384 AES_256_GCM

https://www.ssllabs.com/ssltest/viewMyClient.html
Cipher Suites ( )
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_RSA_WITH_RC4_128_MD5 (0x4)

+3

, , - , , .

SunJSSE ( JSSE Oracle JRE) GCM Java 7. Java 8.

sslProtocol="TLSv1.2".

+2

I am a web developer and am facing a similar issue starting an application with versions of Tomcat 7 and Java7, and found a fix.

adding the property below in the server.xml tomcat file to

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,     TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
+1
source

In Firefox 37.0.2, the list of supported ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
0
source

Source: https://habr.com/ru/post/1541288/

More articles:


All Articles