Enforcing server preference for cipher suites

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Enforcing server preference for cipher suites

Harish Krishnan
Hi All,

 Need your expert input here.
Not sure what I am doing wrong,  but I cannot get this server preference cipher suites feature working.

My setup:
Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
Latest Java 1.8 build.

No matter what value I set to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked.
As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC...

Regard
Harish Krishnan


Sent from my iPhone
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Harish,

On 10/9/17 12:31 PM, Harish Krishnan wrote:

> Need your expert input here. Not sure what I am doing wrong,  but I
> cannot get this server preference cipher suites feature working.
>
> My setup: Latest tomcat 7.x build (which supports
> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>
> No matter what value I set to this attribute (true OR false OR
> undefined which is by default), I always see the Clients preference
> picked. As an example, if clients order is ABCDEF, and servers
> order is DEFABC, no matter what value I set to this
> useServerCipherSuitesOrder attribute, always the order selected is
> ABC...

What exact version of Tomcat are you using?
What exact version of Java are you using?

Please post your <Connector> configuration, minus any secrets.

Do you know if you are using the BIO, NIO, or APR connector?

How are you determining client-preference?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb5M4dHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh+zxAAy11WLuuRfIQBdP/C
qt+eW8qFulTBX1eYGfNdCcTBnTRRTqpI1GVIT//XKkcqwLmh/0jwQSK1kRfkkHhK
j1V4djhQwoVtpNxP38WxsSr9yMczZNKK7OzTIEULeQqJJJTIUfGj00ayHIW/gp1p
MdqFw8CCwk4Xuwpz8PYeXgYPPq7EFvyU6ABs70rrJ7ZT0yRiJHQ/fmNdHekUa63s
n4+TB6BFzKIc11atGdpoHh4EXfaLMxeFWD6FVSH17FTQVqYxdDFQm32XcRgPP6If
xYPQpbN8Yb5dl2jhU1u9hvgGnDUccVCKooeEZ/fsu7whztNlR6bDl2lWVJkyO+m0
RJhCNI051iEf6+pbqlj2TaqeWjlxMFozLS8gwhO5usf/ZvrhYFkOanF2KRxkKaaR
/xwOvuSot06w+BVicbS0jbPiaEOux140ZUuPIxgi462mVIncYsW/oZvsbhrCoA7O
GHAsqCD+8m3z/Oohi09Mi+pPebYAFuTHSERkK4s7rOHUinxzr1utx87s4g5m995R
qU97BpOc33+ouOS5cKx4t+xrGaZr5LfNb8lXEZluNSDmU7Lnb7qA/yrr6prXbniG
5wv2zVlFit/8rKQInCEH0c/c2cD15RaU6iBujhfRpWYl1XWmOkWYQCzZ2xlLy/Hg
lPIZuxLUk5GBnA/vV8qtLIfK7cc=
=SuWg
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Harish Krishnan
Thanks for the response, Chris.

Below are my answers in order.
To keep the response as short as possible, i have not included the ciphers
list in the connector -

a) Tomcat 7.0.79 (will be updating to 7.0.82)
b) JRE 1.80_144
c) Our connector configuration is below.
d) We are using NIO.
e) I am using a simple java client that makes TLS connection to our tomcat
on below port. I am capturing the SSL handshake.
The way i tested the client preference is: Lets take the same example i
gave in my first email i.e. clients preference is ABCDEF and the tomcat
servers preference is DEFABC with *useServerCipherSuitesOrder* set to true.
During the 1st handshake connection, "A" cipher suite was chosen. I removed
"A" from my tomcat connector, restarted the service, and did the connection
test again.
"B" was chosen during this 2nd handshake. Same test was continued and
observed that CDEF were chosen next in order.
I am expecting DEFABC as the order of preference as per the
*useServerCipherSuitesOrder* setting.

Let me know if i am missing anything or is my understanding is incorrect.

<Connector
                id="orion.server.https"
                acceptCount="100"
                *useServerCipherSuitesOrder*="true"
                ciphers="we have around 20 cipher suites listed..."
                clientAuth="want"

compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
                compression="on"
                compressionMinSize="2048"
                disableUploadTimeout="true"
                enableLookups="false"
                keystoreFile="keystore/xyz"
                keystorePass=""
                maxConnections="500"
                maxHttpHeaderSize="8192"
                maxKeepAliveRequests="500"
                maxThreads="250"
                minSpareThreads="25"
                noCompressionUserAgents="gozilla, traviata"
                port="8443"
                processorCache="500"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                scheme="https"
                secure="true"
                server="Undefined"
                sessionCacheSize="400"
                SSLEnabled="true"
                sslProtocol="TLS"
                sslEnabledProtocols="TLSv1.1, TLSv1.2"
                truststoreFile="keystore/xyz"
                truststorePass=""
                truststoreType="jks"
                URIEncoding="UTF-8" />


On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <
[hidden email]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Harish,
>
> On 10/9/17 12:31 PM, Harish Krishnan wrote:
> > Need your expert input here. Not sure what I am doing wrong,  but I
> > cannot get this server preference cipher suites feature working.
> >
> > My setup: Latest tomcat 7.x build (which supports
> > useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
> >
> > No matter what value I set to this attribute (true OR false OR
> > undefined which is by default), I always see the Clients preference
> > picked. As an example, if clients order is ABCDEF, and servers
> > order is DEFABC, no matter what value I set to this
> > useServerCipherSuitesOrder attribute, always the order selected is
> > ABC...
>
> What exact version of Tomcat are you using?
> What exact version of Java are you using?
>
> Please post your <Connector> configuration, minus any secrets.
>
> Do you know if you are using the BIO, NIO, or APR connector?
>
> How are you determining client-preference?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb5M4dHGNocmlzQGNo
> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh+zxAAy11WLuuRfIQBdP/C
> qt+eW8qFulTBX1eYGfNdCcTBnTRRTqpI1GVIT//XKkcqwLmh/0jwQSK1kRfkkHhK
> j1V4djhQwoVtpNxP38WxsSr9yMczZNKK7OzTIEULeQqJJJTIUfGj00ayHIW/gp1p
> MdqFw8CCwk4Xuwpz8PYeXgYPPq7EFvyU6ABs70rrJ7ZT0yRiJHQ/fmNdHekUa63s
> n4+TB6BFzKIc11atGdpoHh4EXfaLMxeFWD6FVSH17FTQVqYxdDFQm32XcRgPP6If
> xYPQpbN8Yb5dl2jhU1u9hvgGnDUccVCKooeEZ/fsu7whztNlR6bDl2lWVJkyO+m0
> RJhCNI051iEf6+pbqlj2TaqeWjlxMFozLS8gwhO5usf/ZvrhYFkOanF2KRxkKaaR
> /xwOvuSot06w+BVicbS0jbPiaEOux140ZUuPIxgi462mVIncYsW/oZvsbhrCoA7O
> GHAsqCD+8m3z/Oohi09Mi+pPebYAFuTHSERkK4s7rOHUinxzr1utx87s4g5m995R
> qU97BpOc33+ouOS5cKx4t+xrGaZr5LfNb8lXEZluNSDmU7Lnb7qA/yrr6prXbniG
> 5wv2zVlFit/8rKQInCEH0c/c2cD15RaU6iBujhfRpWYl1XWmOkWYQCzZ2xlLy/Hg
> lPIZuxLUk5GBnA/vV8qtLIfK7cc=
> =SuWg
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

logo
Harish,


> Am 10.10.2017 um 00:00 schrieb Harish Krishnan <[hidden email]>:
>
> Thanks for the response, Chris.
>
> Below are my answers in order.
> To keep the response as short as possible, i have not included the ciphers
> list in the connector -
>
> a) Tomcat 7.0.79 (will be updating to 7.0.82)
> b) JRE 1.80_144
> c) Our connector configuration is below.
> d) We are using NIO.
> e) I am using a simple java client that makes TLS connection to our tomcat
> on below port. I am capturing the SSL handshake.
> The way i tested the client preference is: Lets take the same example i
> gave in my first email i.e. clients preference is ABCDEF and the tomcat
> servers preference is DEFABC with *useServerCipherSuitesOrder* set to true.
> During the 1st handshake connection, "A" cipher suite was chosen. I removed
> "A" from my tomcat connector, restarted the service, and did the connection
> test again.
> "B" was chosen during this 2nd handshake. Same test was continued and
> observed that CDEF were chosen next in order.
> I am expecting DEFABC as the order of preference as per the
> *useServerCipherSuitesOrder* setting.
>
I believe that there is a misunderstanding. Your simple client does not seem to handle the situation correctly (even not at all).
I think if you request cipher B you will get B.

Please check with a ssl-tool like sslyze or testssl.sh. If your site is available on the internet, you could try ssllabs.com.

The settings seem to be OK, unless I do not see an incorrect formatting on my phone.

HTH,

Peter

> Let me know if i am missing anything or is my understanding is incorrect.
>
> <Connector
>                id="orion.server.https"
>                acceptCount="100"
>                *useServerCipherSuitesOrder*="true"
>                ciphers="we have around 20 cipher suites listed..."
>                clientAuth="want"
>
> compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>                compression="on"
>                compressionMinSize="2048"
>                disableUploadTimeout="true"
>                enableLookups="false"
>                keystoreFile="keystore/xyz"
>                keystorePass=""
>                maxConnections="500"
>                maxHttpHeaderSize="8192"
>                maxKeepAliveRequests="500"
>                maxThreads="250"
>                minSpareThreads="25"
>                noCompressionUserAgents="gozilla, traviata"
>                port="8443"
>                processorCache="500"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                scheme="https"
>                secure="true"
>                server="Undefined"
>                sessionCacheSize="400"
>                SSLEnabled="true"
>                sslProtocol="TLS"
>                sslEnabledProtocols="TLSv1.1, TLSv1.2"
>                truststoreFile="keystore/xyz"
>                truststorePass=""
>                truststoreType="jks"
>                URIEncoding="UTF-8" />
>
>
> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <
> [hidden email]> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Harish,
>>
>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>> Need your expert input here. Not sure what I am doing wrong,  but I
>>> cannot get this server preference cipher suites feature working.
>>>
>>> My setup: Latest tomcat 7.x build (which supports
>>> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>>>
>>> No matter what value I set to this attribute (true OR false OR
>>> undefined which is by default), I always see the Clients preference
>>> picked. As an example, if clients order is ABCDEF, and servers
>>> order is DEFABC, no matter what value I set to this
>>> useServerCipherSuitesOrder attribute, always the order selected is
>>> ABC...
>>
>> What exact version of Tomcat are you using?
>> What exact version of Java are you using?
>>
>> Please post your <Connector> configuration, minus any secrets.
>>
>> Do you know if you are using the BIO, NIO, or APR connector?
>>
>> How are you determining client-preference?
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb5M4dHGNocmlzQGNo
>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh+zxAAy11WLuuRfIQBdP/C
>> qt+eW8qFulTBX1eYGfNdCcTBnTRRTqpI1GVIT//XKkcqwLmh/0jwQSK1kRfkkHhK
>> j1V4djhQwoVtpNxP38WxsSr9yMczZNKK7OzTIEULeQqJJJTIUfGj00ayHIW/gp1p
>> MdqFw8CCwk4Xuwpz8PYeXgYPPq7EFvyU6ABs70rrJ7ZT0yRiJHQ/fmNdHekUa63s
>> n4+TB6BFzKIc11atGdpoHh4EXfaLMxeFWD6FVSH17FTQVqYxdDFQm32XcRgPP6If
>> xYPQpbN8Yb5dl2jhU1u9hvgGnDUccVCKooeEZ/fsu7whztNlR6bDl2lWVJkyO+m0
>> RJhCNI051iEf6+pbqlj2TaqeWjlxMFozLS8gwhO5usf/ZvrhYFkOanF2KRxkKaaR
>> /xwOvuSot06w+BVicbS0jbPiaEOux140ZUuPIxgi462mVIncYsW/oZvsbhrCoA7O
>> GHAsqCD+8m3z/Oohi09Mi+pPebYAFuTHSERkK4s7rOHUinxzr1utx87s4g5m995R
>> qU97BpOc33+ouOS5cKx4t+xrGaZr5LfNb8lXEZluNSDmU7Lnb7qA/yrr6prXbniG
>> 5wv2zVlFit/8rKQInCEH0c/c2cD15RaU6iBujhfRpWYl1XWmOkWYQCzZ2xlLy/Hg
>> lPIZuxLUk5GBnA/vV8qtLIfK7cc=
>> =SuWg
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [hidden email]
>> For additional commands, e-mail: [hidden email]
>>
>>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Harish Krishnan
Thanks for the response, Peter.
The client is not doing anything other than a simple https connection to tomcat. The cipher sites used by the client is the default JRE 1.8 cipher suites.
I have not configured or requesting for any particular cipher suite when connecting to Tomcat. During the handshake, a particular cipher is automatically selected after the client server negotiation.
The question I have is, the cipher that is automatically selected, is in the client preference order and not tomcat order as per the attribute useServerCipherSuitesOrder setting.
Are we on same page?

Sent from my iPhone

> On Oct 9, 2017, at 11:51 PM, Peter Kreuser <[hidden email]> wrote:
>
> Harish,
>
>
>> Am 10.10.2017 um 00:00 schrieb Harish Krishnan <[hidden email]>:
>>
>> Thanks for the response, Chris.
>>
>> Below are my answers in order.
>> To keep the response as short as possible, i have not included the ciphers
>> list in the connector -
>>
>> a) Tomcat 7.0.79 (will be updating to 7.0.82)
>> b) JRE 1.80_144
>> c) Our connector configuration is below.
>> d) We are using NIO.
>> e) I am using a simple java client that makes TLS connection to our tomcat
>> on below port. I am capturing the SSL handshake.
>> The way i tested the client preference is: Lets take the same example i
>> gave in my first email i.e. clients preference is ABCDEF and the tomcat
>> servers preference is DEFABC with *useServerCipherSuitesOrder* set to true.
>> During the 1st handshake connection, "A" cipher suite was chosen. I removed
>> "A" from my tomcat connector, restarted the service, and did the connection
>> test again.
>> "B" was chosen during this 2nd handshake. Same test was continued and
>> observed that CDEF were chosen next in order.
>> I am expecting DEFABC as the order of preference as per the
>> *useServerCipherSuitesOrder* setting.
> I believe that there is a misunderstanding. Your simple client does not seem to handle the situation correctly (even not at all).
> I think if you request cipher B you will get B.
>
> Please check with a ssl-tool like sslyze or testssl.sh. If your site is available on the internet, you could try ssllabs.com.
>
> The settings seem to be OK, unless I do not see an incorrect formatting on my phone.
>
> HTH,
>
> Peter
>
>> Let me know if i am missing anything or is my understanding is incorrect.
>>
>> <Connector
>>               id="orion.server.https"
>>               acceptCount="100"
>>               *useServerCipherSuitesOrder*="true"
>>               ciphers="we have around 20 cipher suites listed..."
>>               clientAuth="want"
>>
>> compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>>               compression="on"
>>               compressionMinSize="2048"
>>               disableUploadTimeout="true"
>>               enableLookups="false"
>>               keystoreFile="keystore/xyz"
>>               keystorePass=""
>>               maxConnections="500"
>>               maxHttpHeaderSize="8192"
>>               maxKeepAliveRequests="500"
>>               maxThreads="250"
>>               minSpareThreads="25"
>>               noCompressionUserAgents="gozilla, traviata"
>>               port="8443"
>>               processorCache="500"
>>               protocol="org.apache.coyote.http11.Http11NioProtocol"
>>               scheme="https"
>>               secure="true"
>>               server="Undefined"
>>               sessionCacheSize="400"
>>               SSLEnabled="true"
>>               sslProtocol="TLS"
>>               sslEnabledProtocols="TLSv1.1, TLSv1.2"
>>               truststoreFile="keystore/xyz"
>>               truststorePass=""
>>               truststoreType="jks"
>>               URIEncoding="UTF-8" />
>>
>>
>> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <
>> [hidden email]> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> Harish,
>>>
>>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>>> Need your expert input here. Not sure what I am doing wrong,  but I
>>>> cannot get this server preference cipher suites feature working.
>>>>
>>>> My setup: Latest tomcat 7.x build (which supports
>>>> useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
>>>>
>>>> No matter what value I set to this attribute (true OR false OR
>>>> undefined which is by default), I always see the Clients preference
>>>> picked. As an example, if clients order is ABCDEF, and servers
>>>> order is DEFABC, no matter what value I set to this
>>>> useServerCipherSuitesOrder attribute, always the order selected is
>>>> ABC...
>>>
>>> What exact version of Tomcat are you using?
>>> What exact version of Java are you using?
>>>
>>> Please post your <Connector> configuration, minus any secrets.
>>>
>>> Do you know if you are using the BIO, NIO, or APR connector?
>>>
>>> How are you determining client-preference?
>>>
>>> - -chris
>>> -----BEGIN PGP SIGNATURE-----
>>> Comment: GPGTools - http://gpgtools.org
>>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>>
>>> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb5M4dHGNocmlzQGNo
>>> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh+zxAAy11WLuuRfIQBdP/C
>>> qt+eW8qFulTBX1eYGfNdCcTBnTRRTqpI1GVIT//XKkcqwLmh/0jwQSK1kRfkkHhK
>>> j1V4djhQwoVtpNxP38WxsSr9yMczZNKK7OzTIEULeQqJJJTIUfGj00ayHIW/gp1p
>>> MdqFw8CCwk4Xuwpz8PYeXgYPPq7EFvyU6ABs70rrJ7ZT0yRiJHQ/fmNdHekUa63s
>>> n4+TB6BFzKIc11atGdpoHh4EXfaLMxeFWD6FVSH17FTQVqYxdDFQm32XcRgPP6If
>>> xYPQpbN8Yb5dl2jhU1u9hvgGnDUccVCKooeEZ/fsu7whztNlR6bDl2lWVJkyO+m0
>>> RJhCNI051iEf6+pbqlj2TaqeWjlxMFozLS8gwhO5usf/ZvrhYFkOanF2KRxkKaaR
>>> /xwOvuSot06w+BVicbS0jbPiaEOux140ZUuPIxgi462mVIncYsW/oZvsbhrCoA7O
>>> GHAsqCD+8m3z/Oohi09Mi+pPebYAFuTHSERkK4s7rOHUinxzr1utx87s4g5m995R
>>> qU97BpOc33+ouOS5cKx4t+xrGaZr5LfNb8lXEZluNSDmU7Lnb7qA/yrr6prXbniG
>>> 5wv2zVlFit/8rKQInCEH0c/c2cD15RaU6iBujhfRpWYl1XWmOkWYQCzZ2xlLy/Hg
>>> lPIZuxLUk5GBnA/vV8qtLIfK7cc=
>>> =SuWg
>>> -----END PGP SIGNATURE-----
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [hidden email]
>>> For additional commands, e-mail: [hidden email]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Konstantin Kolinko
In reply to this post by Harish Krishnan
2017-10-09 19:31 GMT+03:00 Harish Krishnan <[hidden email]>:

> Hi All,
>
>  Need your expert input here.
> Not sure what I am doing wrong,  but I cannot get this server preference cipher suites feature working.
>
> My setup:
> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
> Latest Java 1.8 build.
>
> No matter what value I set to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked.
> As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC...

It should work when running on Java 8.

Maybe try debugging
e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
setUseServerCipherSuitesOrder()

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Harish Krishnan
Thanks for the response, Konstantin.
If debugging the tomcat code is the only option, then I will plan to do it sometime soon as it is bit additional work for me.
We just use the tomcat binaries In our application.
Meanwhile, if anybody have any other suggestions, that is greatly appreciated.

Sent from my iPhone

> On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko <[hidden email]> wrote:
>
> 2017-10-09 19:31 GMT+03:00 Harish Krishnan <[hidden email]>:
>> Hi All,
>>
>> Need your expert input here.
>> Not sure what I am doing wrong,  but I cannot get this server preference cipher suites feature working.
>>
>> My setup:
>> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
>> Latest Java 1.8 build.
>>
>> No matter what value I set to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked.
>> As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC...
>
> It should work when running on Java 8.
>
> Maybe try debugging
> e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
> setUseServerCipherSuitesOrder()
>
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Harish Krishnan
In reply to this post by Konstantin Kolinko
Thank you all for the help and responses.
We figured out what the problem was. What I did was correct in terms of the attribute setting, the tomcat version used and the JRE version used.
However, I did not realize our JRE is running in FIPs mode using RSA BSAFE as the crypto provider.
When I tested and ran under standard JRE, then the server cipher suite order was preferred.
Now I will have to look into what RSA library is doing here. Probably they are setting that Java API too which could be overwriting our setting in tomcat.
Anyways, that's our problem to look into.
Thanks again for the timely response and help!

Sent from my iPhone

> On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko <[hidden email]> wrote:
>
> 2017-10-09 19:31 GMT+03:00 Harish Krishnan <[hidden email]>:
>> Hi All,
>>
>> Need your expert input here.
>> Not sure what I am doing wrong,  but I cannot get this server preference cipher suites feature working.
>>
>> My setup:
>> Latest tomcat 7.x build (which supports useServerCipherSuitesOrder attribute)
>> Latest Java 1.8 build.
>>
>> No matter what value I set to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked.
>> As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC...
>
> It should work when running on Java 8.
>
> Maybe try debugging
> e.g. with breakpoint in org.apache.tomcat.util.compat.Jre8Compat
> setUseServerCipherSuitesOrder()
>
> https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Harish,

On 10/12/17 10:55 AM, Harish Krishnan wrote:
> Thank you all for the help and responses. We figured out what the
> problem was. What I did was correct in terms of the attribute
> setting, the tomcat version used and the JRE version used. However,
> I did not realize our JRE is running in FIPs mode using RSA BSAFE
> as the crypto provider.
FIPS strikes again!

In this case, it's not really FIPS's fault, it's RSA's BSAFE. Anyone
using RSA's BSAFE these days ought to lose their job. Plow that thing
under with salt and use a trusted crypto provider (lol, Oracle, I guess)
.

> When I tested and ran under standard JRE, then the server cipher
> suite order was preferred.
You are probably using an ancient version of BSAFE. Your random
numbers are probably all ones. Seriously, you need to dump BSAFE.

> Now I will have to look into what RSA library is doing here.

Leaking like a sieve, probably.

> Probably they are setting that Java API too which could be
> overwriting our setting in tomcat.

If that crypto provider is in use, then it'll likely affect the whole
JVM. It just occurred to me that Tomcat doesn't have a setting for the
crypto provider to use for TLS itself... only for the various
"stores", etc. We probably ought to add that, and then you could
choose "JSSE" as your provider and avoid BSAFE.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlngLCgACgkQHPApP6U8
pFjanhAAkTNcGk5/X6b9aK2gYcSDdTjkE879XA77KGYwWDF2L01jtSdF7ejnCcuN
4lfivY/V5TaiKv0EZrU1YVC2psBZVK5CjfsCIfUZe5gOmqRRtxm8vRARULOY31oQ
tm4Hf3PHVXuKa/ZBQutLFOolJo7IhaYP3CtBqE+i7OWSlyy0dsqdqO40z9+vzt2n
DBiMRXl0Y2HGCeRsm0owdsFFDqA/j0xcCTBjgckgR6TcnRPc926FZVmr+q53DEQ1
rYVo3Kfum7AnLP3y4rVT0SsxavjI48aXqCLKcM9RzRJ//D+p9teOeiHiUtu4CzHY
aQmkV22N6LC3M5uBwNNU1xXr62SNiarqY7euurPhPcOkbQSi4ckfknh48JzenQ41
Ws7XvuLGOmTcLOv+rsKYjBd5s6IxuBH/+k5MfttPQaZ8mHAieMjEnVszmjZon2rE
Mqqcd+C5Z0q2/X9wUAwNAD3muQTzx2A8C3uucJHVygvwNy76UCUCoyLakQ98/8WL
3SKN2l3EddObdi4OUrfga80ZTLf0AnBoflmKz+2UAbP3Xit++XHBs5dBgvN51Tji
d6IdBRJpSq/njZmnSGQYJ/4o07v31YgLjh+xZTS+8wxm5H3C4V6/IuWlsnYPZWi5
YQRe0GPZw54IuLs9WZG6AbNcAzhGOW+OBIMGbzSKQukeLAVpjws=
=KUgn
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Enforcing server preference for cipher suites

Harish Krishnan
Hi Chris, thanks for sharing your opinion.
Just my last comment here to close this thread.
BSAFE is anyways EOL now (or will be soon). We are already working on a replacement. Currently we are using the latest and greatest version of BSAFE with extended support.
Once again, thank you all for the great support.
I have another query (different topic) coming shortly...:-)

Sent from my iPhone

> On Oct 12, 2017, at 7:59 PM, Christopher Schultz <[hidden email]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Harish,
>
>> On 10/12/17 10:55 AM, Harish Krishnan wrote:
>> Thank you all for the help and responses. We figured out what the
>> problem was. What I did was correct in terms of the attribute
>> setting, the tomcat version used and the JRE version used. However,
>> I did not realize our JRE is running in FIPs mode using RSA BSAFE
>> as the crypto provider.
> FIPS strikes again!
>
> In this case, it's not really FIPS's fault, it's RSA's BSAFE. Anyone
> using RSA's BSAFE these days ought to lose their job. Plow that thing
> under with salt and use a trusted crypto provider (lol, Oracle, I guess)
> .
>
>> When I tested and ran under standard JRE, then the server cipher
>> suite order was preferred.
> You are probably using an ancient version of BSAFE. Your random
> numbers are probably all ones. Seriously, you need to dump BSAFE.
>
>> Now I will have to look into what RSA library is doing here.
>
> Leaking like a sieve, probably.
>
>> Probably they are setting that Java API too which could be
>> overwriting our setting in tomcat.
>
> If that crypto provider is in use, then it'll likely affect the whole
> JVM. It just occurred to me that Tomcat doesn't have a setting for the
> crypto provider to use for TLS itself... only for the various
> "stores", etc. We probably ought to add that, and then you could
> choose "JSSE" as your provider and avoid BSAFE.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlngLCgACgkQHPApP6U8
> pFjanhAAkTNcGk5/X6b9aK2gYcSDdTjkE879XA77KGYwWDF2L01jtSdF7ejnCcuN
> 4lfivY/V5TaiKv0EZrU1YVC2psBZVK5CjfsCIfUZe5gOmqRRtxm8vRARULOY31oQ
> tm4Hf3PHVXuKa/ZBQutLFOolJo7IhaYP3CtBqE+i7OWSlyy0dsqdqO40z9+vzt2n
> DBiMRXl0Y2HGCeRsm0owdsFFDqA/j0xcCTBjgckgR6TcnRPc926FZVmr+q53DEQ1
> rYVo3Kfum7AnLP3y4rVT0SsxavjI48aXqCLKcM9RzRJ//D+p9teOeiHiUtu4CzHY
> aQmkV22N6LC3M5uBwNNU1xXr62SNiarqY7euurPhPcOkbQSi4ckfknh48JzenQ41
> Ws7XvuLGOmTcLOv+rsKYjBd5s6IxuBH/+k5MfttPQaZ8mHAieMjEnVszmjZon2rE
> Mqqcd+C5Z0q2/X9wUAwNAD3muQTzx2A8C3uucJHVygvwNy76UCUCoyLakQ98/8WL
> 3SKN2l3EddObdi4OUrfga80ZTLf0AnBoflmKz+2UAbP3Xit++XHBs5dBgvN51Tji
> d6IdBRJpSq/njZmnSGQYJ/4o07v31YgLjh+xZTS+8wxm5H3C4V6/IuWlsnYPZWi5
> YQRe0GPZw54IuLs9WZG6AbNcAzhGOW+OBIMGbzSKQukeLAVpjws=
> =KUgn
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]