
We are running Apache 2.4 as a reverse proxy to a Tomcat 9.0.88 web application.

We started having issues after a fresh install where Apache was rejecting incoming SSL handshakes from other web apps. This was previously working.

By adding in some test code on the client side, iteratively trying ciphers, we saw that the cipher suites that Apache was willing to accept shrunk from:

Old install:

DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA

New Install:

ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA

I looked at the httpd.conf and saw it was importing the httpd-ssl.conf which had the following ciphers:

SSLCipherSuite         AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384

This is substantially more than the server is willing to accept. Also this config had not changed between the installs.

I tried adding everything the client will support to:

SSLCipherSuite         TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES256-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-GCM-SHA384:AES128-SHA:AES128-SHA256:AES128-CCM:AES128-CCM8:AES128-GCM-SHA256:AES256-SHA:AES256-SHA256:AES256-CCM:AES256-CCM8:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384

and saw it would only accept the following:

ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
AES128-CCM
AES128-CCM8
AES256-CCM
AES256-CCM8

This shows me it is using the httpd-ssl.conf but only a subset of it.

Is there some additional config that I am missing that would be filtering down the ciphers that can be used? It looks like only ciphers with RSA_WITH_AES are being used.

Could any of the Tomcat config be causing this issue? I doubt this as the Apache error.log is where we first noticed this issue.

The only things that I can see have changed on the fresh install are the Tomcat version, which has gone from 9.0.86 to 9.0.88, and Apache, which has gone from Apache/2.4.58 (FreeBSD) to Apache/2.4.59 (FreeBSD).

EDIT:

OpenSSL 1.1.1w-freebsd  11 Sep 2023
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on

Java version old:

$ java --version
openjdk 17.0.6 2023-01-17
OpenJDK Runtime Environment (build 17.0.6+10-1)
OpenJDK 64-Bit Server VM (build 17.0.6+10-1, mixed mode, sharing)

Java version new:

$ java --version
openjdk 17.0.10 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-1, mixed mode, sharing)

Update: based on Daniel Ferradal's comment below I verified that my DHE ciphers are supported by openssl on this machine.

openssl ciphers -v "DHE-RSA-AES256-GCM-SHA384"
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD

openssl ciphers -v "DHE-RSA-AES128-GCM-SHA256"
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
  • 1
    What OpenSSL Version is used? What's your Apache SSLProtocol configuration? What's your Apache SSLHonorCipherOrder configuration?
    – M. Behrens
    Commented May 16 at 23:48
  • 1
    Do you have DH parameters in your (first) SSLCertificateFile and if so what size are they? If they are small and you now have an OpenSSL with a higher security level the DH params may no longer pass muster, making DHE suites unnegotiable. Note in your 'everything' the first 4 suites (TLS_AES_*) are for TLS1.3 and SSLCipherSuite can't configure 1.3 suites in the same directive as lower protocols. Also it's useless to configure DHE-DSS or ECDHE-ECDSA suites if you don't have a DSA or ECDSA cert&key which you obviously don't. But AES(CBC)-SHA2 and AES-GCM-SHA2 should work (given 1.2). Commented May 17 at 1:54
  • 1
    Also if your prior config actually had #SSLCipherSuite as shown it was commented out and not actually doing anything at all. Commented May 17 at 1:58
  • 1
    You say "We started having an issues after a fresh install where Apache was rejecting incoming ssl handshakes from other Web apps", but it is usually the other way around, client rejects server for several reasons. You should specify which Java version you use to connect to this server. Old Java versions have trouble handshaking with DH ciphers when private key is >1024 bits. Commented May 25 at 10:51
  • 1
    @RichardFeynman ciphers allowed in Apache depend only on protocols available and openssl version and its support. You can check directly in the system where Apache resides with the command openssl ciphers -v "TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:etc...." Commented May 30 at 19:49
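
Added example, not part of the question or of any comment: a small Python classifier that applies the checks raised in the comments (TLS 1.3 suites are not set by the TLS 1.2 `SSLCipherSuite` list, DSS/ECDSA suites need a matching certificate, DHE suites need usable DH parameters) to rows in the `openssl ciphers -v` format. The sample rows, the function names and the `dh_usable` flag are assumptions made for illustration; "DH parameters rejected" is the commenter's hypothesis, not a confirmed diagnosis.

```python
# Added example: rows in the format printed by `openssl ciphers -v`.
# SAMPLE is constructed for illustration; it is not output captured from the asker's host.
SAMPLE = """\
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
"""


def parse_row(line):
    """Split one row into name, protocol and its Kx=/Au= attributes."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"not a cipher row: {line!r}")
    attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    return {"name": fields[0], "proto": fields[1],
            "kx": attrs.get("Kx"), "au": attrs.get("Au")}


def blockers(row, cert_types, dh_usable):
    """Return the reasons a suite cannot be negotiated (empty list = usable)."""
    if row["proto"] == "TLSv1.3":
        return ["TLS 1.3 suite: not set by the TLS 1.2 SSLCipherSuite list"]
    reasons = []
    if row["au"] not in cert_types:
        reasons.append(f"needs a {row['au']} certificate and key")
    if row["kx"] == "DH" and not dh_usable:
        reasons.append("needs DH parameters the TLS library accepts")
    return reasons


def classify(text, cert_types=("RSA",), dh_usable=True):
    """Map every suite name in `text` to its list of blockers."""
    rows = (parse_row(l) for l in text.splitlines() if l.strip())
    return {r["name"]: blockers(r, cert_types, dh_usable) for r in rows}


def negotiable(text, **kwargs):
    """Suite names with no blockers, in input order."""
    return [n for n, why in classify(text, **kwargs).items() if not why]


if __name__ == "__main__":
    # Hypothesis from the comments: RSA certificate only, DH parameters rejected.
    for name, why in classify(SAMPLE, dh_usable=False).items():
        print(f"{name:32} {'; '.join(why) or 'OK'}")
```

To use it on a real host, replace `SAMPLE` with the output of `openssl ciphers -v` run against the configured `SSLCipherSuite` string, then compare the predicted list with what clients actually negotiate.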
