HTTPS: No ciphers offered?


Douglas Landau
Greets,

I've enabled HTTPS on my XWiki.  But when I surf there, I get a failure with no explanation from Chrome, and this from IE:
--------------------------------------
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://pwswiki10.westmarine.net  again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
--------------------------------------

When I hit the site with this nmap command to enumerate the available ciphers, I get none.
# nmap --script ssl-enum-ciphers -p 443 pwswiki10


I googled it, and it looks like there was once some text about this problem on the XWiki site, something about re-enabling TLS, but when I click the link I land on the administration manual's Configuration page, which has a lot of good stuff but not the bit about re-enabling TLS.

I found the "ExcludeCipherSuites" section in jetty-ssl.xml, and tried commenting it out, but still get no ciphers.
I tried adding the following section, but still get no ciphers:
----------------------------------------------------------------
<Set name="IncludeCipherSuites">
  <!-- suites Jetty may offer, in JSSE spelling; each listed once -->
  <Array type="java.lang.String">
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_RSA_WITH_CAMELLIA_128_CBC_SHA</Item>
    <Item>TLS_RSA_WITH_CAMELLIA_256_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
    <Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>
  </Array>
</Set>
--------------------------------------

Seems like maybe I need to find the equivalent of this line from httpd.conf:
SSLProtocol -ALL +TLSv1.1 +TLSv1.2

I am searching the archives.  Meanwhile can anyone point me to what I am doing wrong, or to an example of how that IncludeCipherSuites block should be?


Thanks
Doug


The information contained in this transmission may contain West Marine proprietary, confidential and/or privileged
information.  It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are
hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited.
If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original
message. To reply to our email administrator directly, please send an email to [hidden email].
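A small lint for an IncludeCipherSuites block like the one above, added here as an example (it is not from the post, from XWiki or from Jetty). It parses the <Set> element, drops repeated <Item> lines while keeping their order, and classifies each suite by key exchange, AEAD mode and protocol version so the properties of the list are visible; the sample XML is constructed. It inspects only the list itself and cannot tell which suites the JVM and the keystore can actually negotiate, which is what the nmap scan measures.

```python
"""Lint a Jetty "IncludeCipherSuites" block from jetty-ssl.xml.

Added example (not XWiki's or Jetty's code): parses the <Set> element,
removes duplicate <Item> entries while keeping the original order, and
classifies each suite so the operator can see what the list really offers.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the block in the post, with a
# duplicate and a DSS suite kept on purpose so the lint has something to find.
SAMPLE_XML = """\
<Set name="IncludeCipherSuites">
  <Array type="java.lang.String">
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
    <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
  </Array>
</Set>
"""

# JSSE/IANA suite names look like TLS_<key exchange>_WITH_<cipher>_<mac or prf>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+)$")


def parse_include_suites(xml_text):
    """Return the <Item> names in document order, duplicates included."""
    root = ET.fromstring(xml_text)
    if root.tag != "Set" or root.get("name") != "IncludeCipherSuites":
        raise ValueError('expected a <Set name="IncludeCipherSuites"> element')
    return [item.text.strip() for item in root.iter("Item") if item.text]


def dedupe(suites):
    """Drop repeated names, keeping the position of the first occurrence."""
    seen, unique = set(), []
    for name in suites:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


def classify(suite):
    """Describe one suite: forward secrecy, AEAD, certificate type, TLS 1.2-only."""
    match = SUITE_RE.match(suite)
    if not match:
        return {"suite": suite, "valid": False}
    kx, cipher = match.group("kx"), match.group("cipher")
    return {
        "suite": suite,
        "valid": True,
        # DHE/ECDHE suites give forward secrecy; plain RSA key transport does not.
        "forward_secrecy": kx.startswith(("ECDHE_", "DHE_")),
        # GCM and ChaCha20 suites are AEAD; CBC suites are not.
        "aead": "_GCM_" in cipher or "CHACHA20" in cipher,
        # *_DSS_* suites need a DSA certificate; an RSA keystore cannot use them.
        "needs_dsa_cert": "_DSS" in kx,
        # Suites with a SHA256/SHA384 PRF exist only in TLS 1.2.
        "tls12_only": cipher.endswith(("SHA256", "SHA384")),
    }


def lint(xml_text):
    """Parse, dedupe and classify; return a summary dict of suite lists."""
    raw = parse_include_suites(xml_text)
    unique = dedupe(raw)
    duplicates = dedupe([s for s in raw if raw.count(s) > 1])
    info = [classify(s) for s in unique]
    return {
        "unique": unique,
        "duplicates": duplicates,
        "forward_secrecy": [i["suite"] for i in info if i.get("forward_secrecy")],
        "aead": [i["suite"] for i in info if i.get("aead")],
        "needs_dsa_cert": [i["suite"] for i in info if i.get("needs_dsa_cert")],
        "tls12_only": [i["suite"] for i in info if i.get("tls12_only")],
        "unparsed": [i["suite"] for i in info if not i["valid"]],
    }


def render(suites, indent="  "):
    """Emit a clean Jetty <Set> block for the given suites."""
    lines = ['<Set name="IncludeCipherSuites">',
             f'{indent}<Array type="java.lang.String">']
    lines += [f"{indent * 2}<Item>{s}</Item>" for s in suites]
    lines += [f"{indent}</Array>", "</Set>"]
    return "\n".join(lines)


if __name__ == "__main__":
    report = lint(SAMPLE_XML)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(render(report["unique"]))
```

What the classification makes visible in a list like the posted one: the TLS_DHE_DSS_* suites need a DSA certificate, so a keystore holding an RSA key cannot offer them, only the DHE suites give forward secrecy, and the SHA256/GCM suites exist only in TLS 1.2, so they depend on that protocol version being enabled.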

Re: HTTPS: No ciphers offered?

Craig Wright
I can’t answer your direct question, however, it may be easier to go with a reverse-proxy setup where nginx or apache handle SSL and forward requests to tomcat. There are many guides to getting nginx very secure[1], and I just found this guide[2] which fixes a few reverse proxy issues[3] between nginx and tomcat.

Perhaps search around on that and see if it fits your needs.

[1]
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

[2]
https://devtidbits.com/2015/12/08/nginx-as-a-reverse-proxy-to-apache-tomcat/

[3]
https://jira.xwiki.org/browse/XWIKI-13963

Hope this helps,
Craig

> On Mar 20, 2017, at 3:35 PM, Douglas Landau <[hidden email]> wrote:
