I have configured 4 ciphers in server.xml file as following but ONLY 2 RSA are working and ECDHE_ECDSA does not work. I have scan tomcat with multiple tools only RSA are showing in all.
How can I make TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 work?
<Connector port="${tomcat.secure.port}" protocol="org.apache.coyote.http11.Http11NioProtocol"
address="${tomcat.address}" maxThreads="150" SSLEnabled="true"
scheme="https" secure="true" maxSwallowSize="-1" maxPostSize="-1">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" readTimeout="50000" streamReadTimeout ="-1" streamWriteTimeout="-1"
overheadContinuationThreshold="0" overheadDataThreshold="0" overheadWindowUpdateThreshold="0"/>
<SSLHostConfig protocols="TLSv1.2+TLSv1.3"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
<Certificate certificateKeystoreFile="/tmp/tomcat_keystore.jks"
certificateKeystorePassword="${keystore.password}"
certificateKeyPassword="${key.password}"
certificateKeystoreType="PKCS12"
certificateKeystoreProvider="SUN"/>
</SSLHostConfig>
</Connector>
APACHE TOMCAT/9.0.53
java --version
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.14.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.14.04, mixed mode, sharing)
Scan Result:
nmap --script ssl-enum-ciphers -p 443 10.40.43.26
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 18:08 PST
Nmap scan report for vd (10.40.43.26)
Host is up (0.021s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
sslscan 10.40.43.26:443
Version: 2.0.11-static
OpenSSL 1.1.1m 14 Dec 2021
Connected to 10.40.43.26
Testing SSL server 10.40.43.26 on port 443 using SNI name 10.40.43.26
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support
Heartbleed:
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
ECDSA ciphers require that the server has an ECC certificate. It is likely that you have only a RSA certificate though (which is the common case), which means that ECDSA ciphers will not be supported even if they are configured.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.