Showing all posts tagged #ssl:


在 Tomcat 關閉已被證實不安全的 SSLv3 protocol, 並改用 TLS

Posted on October 23rd, 2014

  1. 修改檔案 Tomcat7\conf\server.xml

  2. connector 增加 attribute: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" , 並拿掉 cipher 中非 TLS 的項

修改前


               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                  keystoreFile="tomcat.keystore" keystorePass="intumit"
                  ciphers="SSL_RSA_WITH_RC4_128_SHA,
                  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

修改後


               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
                  keystoreFile="tomcat.keystore" keystorePass="intumit"
                  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
                  ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />

修改前 sslscan 掃描

                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server 10.254.1.233 on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  128 bits  ADH-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Rejected  SSLv3  128 bits  DHE-DSS-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Rejected  SSLv3  168 bits  ADH-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  ADH-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  SSLv3  128 bits  ADH-RC4-MD5
    Rejected  SSLv3   40 bits  EXP-ADH-RC4-MD5
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Rejected  SSLv3   56 bits  DES-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-DES-CBC-SHA
    Rejected  SSLv3  128 bits  IDEA-CBC-SHA
    Rejected  SSLv3   40 bits  EXP-RC2-CBC-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Rejected  SSLv3  128 bits  RC4-MD5
    Rejected  SSLv3   40 bits  EXP-RC4-MD5
    Rejected  SSLv3    0 bits  NULL-SHA
    Rejected  SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  DHE-RSA-AES128-SHA
    TLSv1  128 bits  DHE-RSA-AES128-SHA

  SSL Certificate:
    Version: 2
    Serial Number: -4294967295
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: 馬賽克
    Not valid before: Feb 19 07:35:50 2014 GMT
    Not valid after: Feb 19 07:35:50 2016 GMT
    Subject: 馬賽克
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Modulus (1024 bit):
          00:ad:e3:69:8a:78:d3:f3:fa:0d:60:33:ca:fe:25:
          94:9b:1e:04:85:36:10:ac:76:63:82:62:61:f8:f5:
          eb:0d:31:69:8c:80:54:91:3e:b5:a3:25:05:0a:22:
          5e:5e:b1:c9:fa:9c:a6:08:71:3c:09:dc:22:7a:ee:
          56:96:2c:b3:57:88:02:b0:9f:7b:7d:72:e7:79:bf:
          1f:d6:a0:85:3f:b0:10:c3:dc:46:86:1c:e4:51:c8:
          7c:d4:c2:fb:42:f7:6e:b3:63:f1:6c:2a:38:7a:29:
          35:16:5a:ee:ff:a2:eb:31:0b:40:7e:96:66:8f:f2:
          ac:5b:29:8b:33:74:cd:84:4b
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Subject Key Identifier:
        8B:E6:57:28:9C:DE:99:FE:A6:95:15:89:10:5C:85:AC:6F:3D:CB:90
      X509v3 Authority Key Identifier:
        keyid:0C:CE:36:BA:EB:3D:14:35:D7:C5:C3:CA:59:8B:27:81:8F:59:CD:6F

      X509v3 CRL Distribution Points:
        URI:馬賽克
        URI:馬賽克

      Authority Information Access:
        CA Issuers - URI:馬賽克
        CA Issuers - URI:馬賽克

      1.3.6.1.4.1.311.20.2:
        ...W.e.b.S.e.r.v.e.r
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Key Usage:
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
        TLS Web Server Authentication
  Verify Certificate:
    self signed certificate in certificate chain

修改後 sslscan 掃描

                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2-win
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009
    Compiled against OpenSSL 0.9.8m 25 Feb 2010

Testing SSL server blahblah.com on port 443

  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Rejected  SSLv2   56 bits  DES-CBC-MD5
    Rejected  SSLv2  128 bits  IDEA-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC2-CBC-MD5
    Rejected  SSLv2  128 bits  RC2-CBC-MD5
    Rejected  SSLv2   40 bits  EXP-RC4-MD5
    Rejected  SSLv2  128 bits  RC4-MD5
    Failed    SSLv3  256 bits  ADH-AES256-SHA
    Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
    Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
    Failed    SSLv3  256 bits  AES256-SHA
    Failed    SSLv3  128 bits  ADH-AES128-SHA
    Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
    Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
    Failed    SSLv3  128 bits  AES128-SHA
    Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
    Failed    SSLv3   56 bits  ADH-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
    Failed    SSLv3  128 bits  ADH-RC4-MD5
    Failed    SSLv3   40 bits  EXP-ADH-RC4-MD5
    Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Failed    SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
    Failed    SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Failed    SSLv3  168 bits  DES-CBC3-SHA
    Failed    SSLv3   56 bits  DES-CBC-SHA
    Failed    SSLv3   40 bits  EXP-DES-CBC-SHA
    Failed    SSLv3  128 bits  IDEA-CBC-SHA
    Failed    SSLv3   40 bits  EXP-RC2-CBC-MD5
    Failed    SSLv3  128 bits  RC4-SHA
    Failed    SSLv3  128 bits  RC4-MD5
    Failed    SSLv3   40 bits  EXP-RC4-MD5
    Failed    SSLv3    0 bits  NULL-SHA
    Failed    SSLv3    0 bits  NULL-MD5
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Rejected  TLSv1  128 bits  DHE-DSS-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Rejected  TLSv1  168 bits  ADH-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  ADH-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
    Rejected  TLSv1  128 bits  ADH-RC4-MD5
    Rejected  TLSv1   40 bits  EXP-ADH-RC4-MD5
    Rejected  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
    Rejected  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
    Rejected  TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
    Rejected  TLSv1  168 bits  DES-CBC3-SHA
    Rejected  TLSv1   56 bits  DES-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-DES-CBC-SHA
    Rejected  TLSv1  128 bits  IDEA-CBC-SHA
    Rejected  TLSv1   40 bits  EXP-RC2-CBC-MD5
    Rejected  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  128 bits  RC4-MD5
    Rejected  TLSv1   40 bits  EXP-RC4-MD5
    Rejected  TLSv1    0 bits  NULL-SHA
    Rejected  TLSv1    0 bits  NULL-MD5

  Prefered Server Cipher(s):
    TLSv1  128 bits  DHE-RSA-AES128-SHA

SSL/TLS 設定參考資料

  1. http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher
  2. http://security.stackexchange.com/questions/19096/how-to-determine-if-a-browser-is-using-an-ssl-or-tls-connection
  3. http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
  4. https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/
  5. https://wiki.mozilla.org/Security/Server_Side_TLS

Tomcat SSL 憑證產生教學

Posted on September 4th, 2014

Step1. 建立 private key金鑰

C:\j2sdk1.4.2_05\bin>keytool -genkey -alias mykey( 別名 :可自設) -validity 720( 效期 ) -keyalg RSA -keysize 1024 -keystore tomcat.keystore(產出的 keystore檔名) -storepass mypassword( 密碼自設 ) –keypass mypassword(密碼自設)

Step 2. 輸入憑證資訊

一般名字與姓名會輸入該網站的 daman,若測試輸入localhost即可,其他資訊看客戶是否有要求,否則隨意填即可。

Step 3. 產出憑證要求的 CSR檔

C:\j2sdk1.4.2_05\bin>keytool -certreq -alias mykey(Step1 設定的別名 ) -file cert.csr(產出的csr 檔名 ) -keystore tomcat.keystore (Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )


匯出的憑證內容

Step 4. 匯入 CRE憑證檔

利用 CSR檔產回CRE 憑證檔進行匯入。
此時,請確認客戶產出 CRE檔的程式,是否有根憑證或中繼憑證,若有麻煩先匯入根憑證及中繼憑證,否則會無法匯入憑證。
方法 1: 根憑證及中繼憑證匯入Java Security ,再匯入產出的 CRE憑證檔

Step 4-1-1.匯入根憑證及中繼憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias tomcat( 別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore  %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit(jre預設密碼是 changeit)

Step 4-1-2.匯入產出的憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )

方法 2:直接匯入keystore( 依信任關係,由最上層憑證,依序往下安裝 )

Step 4-2-1.匯入根憑證及中繼憑證

C:\j2sdk1.4.2_05\bin> keytool -import -alias mykey(別名 :可自設) -file server.cer(根憑證、中繼憑證 ) -keystore tomcat .keystore(Step1產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )

Step 4-2-2.匯入產出的憑證

C:\j2sdk1.4.2_05\bin>keytool -import -trustcacerts -alias mykey(Step1 設定的別名 ) -file cert.cer(產出的憑證檔 ) -keystore tomcat.keystore(Step1產出的keystore 檔) -storepass mypassword(Step1 keystore密碼 )


匯入完成的訊息

Step 5.修改Tomcat server.xml 的設定

PS.

1.如果客戶是自己認證沒經過第三方大廠,匯入客戶的根憑證及中繼憑證是一定要的,不然匯不進去。
2.記得要改成 protocol="org.apache.coyote.http11.Http11Protocol" ,APR 的方式測試都不成功,等有人成功可以分享一下。
3.查詢keystore 資訊語法

keytool -list -keystore tomcat.keystore(Step1 產出的 keystore檔) -storepass mypassword(Step1 keystore密碼 )

感謝 Nick 教學


Liu@llen

Notes from my experience.