L'attivazione di cifratura forte in Tomcat 5
Domanda
Sto cercando di affinare la suite di cifre che il mio webapp permette.
In server.xml di Tomcat ho il seguente connettore definito:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="3000" minSpareThreads="250" maxSpareThreads="500"
enableLookups="false" disableUploadTimeout="true"
acceptCount="1000" connectionTimeout="40000"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
ADH-AES256-SHA, AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA"
keystoreFile="REDACTED" keystorePass="REDACTED" />
Il server inizia bene. Tutto funziona. Tuttavia, quando ho eseguito sslscan sul server, le cifre 256 bit mostrano come non essere supportate.
(Abbreviated, sorted output)
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Inoltre, la scansione mostra che i cifrari server preferiti sono "SSLv3 128 bit DHE-RSA-AES128-sha" e "TLSv1 128 bit DHE-RSA-AES128-sha". Io sto bene se Tomcat preferirebbe lavorare a 128 bit cifratura, ma vorrei servire tutti i clienti severe che capita su nelle vicinanze.
Che cosa ho trascurato?
Soluzione
Sembra che si sta utilizzando nomi sslscan, che JSSE non capisce. Ecco le cifre supportate da Sun JSSE,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow