服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 连接使用128进行encryption和authentication。期望256
Intereting Posts
从EC2到外部networking服务的静态IP HAproxy – SSL和虚拟主机问题 chmod一个文件夹永久 eth0的tcppreplay吞吐量远低于(iperf确认)max EC2图像开始 Exchange 2010中的Get-ExchangeServer不会在输出中返回Exchange 2013服务器 AD Server 2012 – 创build只能添加新用户的pipe理员帐户 SQL Server 2005的Windows组权限覆盖单个服务器login 如何将域名redirect到新的服务器? firewalld:麻烦转发端口25而其他端口转发就好,“富规则”日志显示NO条目 当我有uWSGI时,为什么需要nginx? 在Apache服务器上处理来自特定IP的静态内容的处理时间非常长(> 300s) 添加第二个Ubuntu Ubuntu会导致networking重启失败 将subversion升级到1.8.5后无法启动apache2.4 将旧版过期的RHEL 3.4.6服务器升级到现代CentOS / Scientific Linux

连接使用128进行encryption和authentication。期望256

我有两个服务器,我一直在努力configuration使用现代密码。 一个正在工作,另一个似乎报告结果不一。 我不确定问题是什么。

具体来说,当我检查ServerA我得到:

连接使用AES_256_CBCencryption,使用HMAC-SHA1进行消息authentication,使用DHE_RSA作为密钥交换机制

但是当我检查ServerB时,我得到:

连接使用AES_128_GCM进行encryption,并使用DHE_RSA作为密钥交换机制

ServerA – Linux 

tomcat 7.0.37 java 1.7_0_17

ServerB – Linux 

 tomcat 7.0.54 java 1.8.0_31-b13

我已经使用这里指定的密码进行了configuration:

https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/

工作的ServerA具有以下server.xml def: 

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="conf/keystore.jks" keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

非工作的ServerB具有以下server.xml def 

 <Connector port="8443" scheme="https" secure="true" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="TLS" URIEncoding="UTF-8" compression="on" keyPass="changeit" keyAlias="tomcat" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript,application/json" useServerCipherSuitesOrder="true" server="WCC" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />

在这两种情况下,我都为每个Java(7&8)版本部署了JCE Unlimited Strength Jurisdiction策略文件。 我已经把这些文件放在java lib / security目录下。

openssl似乎build议ServerB提供256位encryption: 

 $ openssl s_client -connect serverb:8443 -cipher "EDH" CONNECTED(00000003) depth=0 O = CA, OU = WCC, CN = serverb verify error:num=18:self signed certificate verify return:1 depth=0 O = CA, OU = WCC, CN = serverb verify return:1 --- Certificate chain 0 s:/O=CA/OU=WCC/CN=serverb i:/O=CA/OU=WCC/CN=serverb --- Server certificate -----BEGIN CERTIFICATE----- MIIB8jCCAVugAwIBAgIEcB/8/TANBgkqhkiG9w0BAQsFADAsMQswCQYDVQQKEwJD QTEMMAoGA1UECxMDV0NDMQ8wDQYDVQQDEwZvYmVyeW4wHhcNMTUwODE0MDcwNDIx WhcNMjUwODEzMDcwNDIxWjAsMQswCQYDVQQKEwJDQTEMMAoGA1UECxMDV0NDMQ8w DQYDVQQDEwZvYmVyeW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEPswDo 3vBCx5yFW+xWkpOlX0BBp5BNhe7+9kLK94+QUfm4oa7ciNtnxQoYrcLKgq+6kNuf +Ql5nld5zZTvJzZsR/TSnXxwpih721t3/evKhCysbgr4XhrYP7dAWNwuLHqX7ZF+ UlC6dggumhHLOWuKRK5JbSqw43ERAtrYtvxhAgMBAAGjITAfMB0GA1UdDgQWBBRv /UnqlwIyPab4qqacR2WTigCxajANBgkqhkiG9w0BAQsFAAOBgQAhbm3TeKK+SlSe EdP6IFo8fVzCX/Ns11FS4iRvy1jpRAFlKYskDUAF2Mtss6Pike9CD2PxQXIb+Cxb fvQwK0Cx1KT2/zS9Iy/NUg3rE/L7qTu1lcTxeOV4w7HNivHn1tde3LlLodklAu53 WDy69d351LmoP7K7N9zKf/draeiQfQ== -----END CERTIFICATE----- subject=/O=CA/OU=WCC/CN=serverb issuer=/O=CA/OU=WCC/CN=serverb --- No client certificate CA names sent --- SSL handshake has read 1563 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 Session-ID: 55D8C7DED457280A75F58D473882A9AC2162655E64DB77BA0AC09DDF69870693 Session-ID-ctx: Master-Key: 0B0C8BAD22222A3E8B071FF235DF205F0DA6A7BBC800447F8DAFDAFE4141873837A89D51A92181478BC53038094475DD Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1440270308 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---

任何想法,为什么我不能得到serverB使用256位encryption?

我发现这似乎解决了我的密码select问题。

https://stackoverflow.com/questions/10295446/how-does-java-picks-the-strongest-cipher-to-use-in-jsse

我想我将不得不等待,直到我实现了Tomcat 8,看看这个设置有什么作用:useServerCipherSuitesOrder =“true”