WARNING – None of the Ciphers Specified Are Supported by the SSL Engine

ssltlstomcattomcat7

I have a working web service running through Apache Tomcat 7 with the following connector element in server.xml:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" 
 SSLEnabled="true" 
 maxThreads="150"
 scheme="https" 
 secure="true" 
 clientAuth="false"  
 keystoreFile="C:\Java\myhost.keystore" 
 keystorePass="importkey" 
 sslProtocol="TLS"
/>

This has been working fine for years, but now a new Logjam security threat emerged, and I am trying to secure my web service, using the Guide to Deploying Diffie-Hellman for TLS instructions.

So, I added the following line to the <connector> element:

ciphers="ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256,
ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384,
DHE-RSA-AES128-GCM-SHA256,
DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA,
ECDHE-ECDSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA,
DHE-DSS-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA,
DHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES256-GCM-SHA384,
AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, AES, CAMELLIA,
DES-CBC3-SHA"

Tomcat restarts fine, but I am no longer able to connect to my web service.

Upon examining the log, I noticed this line:

WARNING: None of the ciphers specified are supported by the SSL engine
: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256,
ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384,
DHE-RSA-AES128-GCM-SHA256,
DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA,
ECDHE-ECDSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA,
DHE-DSS-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA,
DHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES256-GCM-SHA384,
AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, AES, CAMELLIA,
DES-CBC3-SHA

What am I missing in trying to get Tomcat use only these ciphers?

How do I make them supported by the SSL engine?

Best Answer

As explained here you may have to set the ciphers list like this :

sslProtocols = "TLS"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_25‌6_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

The first part, ECDHE, specifies what key exchange algorithm should be used. [...]

Next up is the authentication algorithm, RSA. [...]

The bulk cipher, AES128-GCM is the main encryption algorithm and used to encrypt all the traffic. [...]

The last part, SHA256, identifies the message digest in use, which verifies the authenticity of messages.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Ssl – Untrusted certificate warning on replacement SSL certificate

The problem ended up being that I when I entered the domain name for the Distinguished Name information while generating the key, I used an asterisk, e.g.: *.myserver.com, thinking this would cover me for myserver.com, www.myserver.com, etc. However, the asterisk is only appropriate for "wildcard" certificates, which I apparently don't have.

So I regenerated the key using just "myserver.com", and it worked just fine. And for some reason it still works for both "myserver.com" and "www.myserver.com".

Incidentally, this site was very helpful to me in diagnosing this problem:

http://www.sslshopper.com/ssl-checker.html

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Ssl – Untrusted certificate warning on replacement SSL certificate

Related Topic