views:

641

answers:

1

Hello.

I am attempting to refine the suite of ciphers that my webapp allows.

In Tomcat's server.xml I have the following connector defined:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="3000" minSpareThreads="250" maxSpareThreads="500"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="1000" connectionTimeout="40000"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
     TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
     ADH-AES256-SHA, AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA"
           keystoreFile="REDACTED" keystorePass="REDACTED" />

The server starts just fine. Everything works. However, when I run sslscan on the server, the 256 bit ciphers show as not being supported.

(Abbreviated, sorted output)
Accepted  SSLv3  128 bits  AES128-SHA
Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
Accepted  SSLv3  128 bits  RC4-MD5
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  RC4-MD5
Accepted  TLSv1  128 bits  RC4-SHA
Accepted  TLSv1  168 bits  DES-CBC3-SHA
Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
Rejected  SSLv3  256 bits  ADH-AES256-SHA
Rejected  SSLv3  256 bits  AES256-SHA
Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
Rejected  TLSv1  256 bits  ADH-AES256-SHA
Rejected  TLSv1  256 bits  AES256-SHA
Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA

Furthermore, the scan shows that the preferred Server ciphers are "SSLv3 128 bits DHE-RSA-AES128-SHA" and "TLSv1 128 bits DHE-RSA-AES128-SHA". I'm fine if Tomcat would prefer to work at 128 bit ciphers, but I would like to serve any strict clients who happen on by.

What have I overlooked?

+1  A: 

Looks like you are using sslscan names, which JSSE doesn't understand. Here are the ciphers supported by Sun JSSE,

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
ZZ Coder
That did it. Thanks. Also, I found a more complete list at http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
Omniwombat