I have configured 4 ciphers in the server.xml file as follows, but ONLY the 2 RSA ones are working and ECDHE_ECDSA does not work. I have scanned Tomcat with multiple tools; only the RSA ciphers show up in all of them.
How can I make TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 work?

    <Connector port="${tomcat.secure.port}" protocol="org.apache.coyote.http11.Http11NioProtocol"
               address="${tomcat.address}" maxThreads="150" SSLEnabled="true"
               scheme="https" secure="true" maxSwallowSize="-1" maxPostSize="-1">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" readTimeout="50000" streamReadTimeout="-1" streamWriteTimeout="-1"
                         overheadContinuationThreshold="0" overheadDataThreshold="0" overheadWindowUpdateThreshold="0"/>
        <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                       ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
            <Certificate certificateKeystoreFile="/tmp/tomcat_keystore.jks"
                         certificateKeystorePassword="${keystore.password}"
                         certificateKeyPassword="${key.password}"
                         certificateKeystoreType="PKCS12"
                         certificateKeystoreProvider="SUN"/>
        </SSLHostConfig>
    </Connector>

APACHE TOMCAT/9.0.53

    java --version
    openjdk 11.0.11 2021-04-20
    OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.14.04)
    OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.14.04, mixed mode, sharing)

Scan Result:

    nmap --script ssl-enum-ciphers -p 443 10.40.43.26
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 18:08 PST
    Nmap scan report for vd (10.40.43.26)
    Host is up (0.021s latency).

    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |     compressors:
    |       NULL
    |     cipher preference: client
    |_  least strength: A

    sslscan 10.40.43.26:443
    Version: 2.0.11-static
    OpenSSL 1.1.1m 14 Dec 2021

    Connected to 10.40.43.26

    Testing SSL server 10.40.43.26 on port 443 using SNI name 10.40.43.26

      SSL/TLS Protocols:
    SSLv2     disabled
    SSLv3     disabled
    TLSv1.0   disabled
    TLSv1.1   disabled
    TLSv1.2   enabled
    TLSv1.3   disabled

      TLS Fallback SCSV:
    Server supports TLS Fallback SCSV

      TLS renegotiation:
    Session renegotiation not supported

      TLS Compression:
    OpenSSL version does not support compression
    Rebuild with zlib1g-dev package for zlib support

      Heartbleed:
    TLSv1.2 not vulnerable to heartbleed

      Supported Server Cipher(s):
    Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253

      SSL Certificate:
    Signature Algorithm: sha256WithRSAEncryption
    RSA Key Strength:    2048

Update:
You must set up multiple types of certificates for Tomcat; after that, all four ciphers worked.

    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="/tmp/RSA/tomcat_keystore.jks"
                     certificateKeystorePassword="${keystore.password}"
                     certificateKeyPassword="${key.password}"
                     certificateKeystoreType="PKCS12"
                     certificateKeystoreProvider="SUN" type="RSA"/>
        <Certificate certificateKeystoreFile="/tmp/ECC/tomcat_keystore.jks"
                     certificateKeystorePassword="${keystore.password}"
                     certificateKeyPassword="${key.password}"
                     certificateKeystoreType="PKCS12"
                     certificateKeystoreProvider="SUN" type="EC"/>
    </SSLHostConfig>
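
A static check for the mismatch behind this question, as an added example (not code from the post or from Tomcat): it maps each configured suite name to the certificate key type that suite needs and compares it with the `type` attributes of the nested `Certificate` elements. The function names and the `untyped_key` parameter are assumptions of this example, the XML samples are trimmed from the post, and only comma-separated standard suite names are handled, not OpenSSL-style cipher strings.

```python
import xml.etree.ElementTree as ET

CIPHERS = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
           "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
           "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
           "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

# Constructed samples, trimmed from the two SSLHostConfig elements in the post.
SINGLE_CERT = f"""<SSLHostConfig protocols="TLSv1.2+TLSv1.3" ciphers="{CIPHERS}">
  <Certificate certificateKeystoreFile="/tmp/tomcat_keystore.jks"/>
</SSLHostConfig>"""
DUAL_CERT = f"""<SSLHostConfig protocols="TLSv1.2+TLSv1.3" ciphers="{CIPHERS}">
  <Certificate certificateKeystoreFile="/tmp/RSA/tomcat_keystore.jks" type="RSA"/>
  <Certificate certificateKeystoreFile="/tmp/ECC/tomcat_keystore.jks" type="EC"/>
</SSLHostConfig>"""


def key_type_needed(suite):
    """Certificate key type implied by a TLS 1.2 suite name, or None."""
    if "_WITH_" not in suite:
        return None                        # TLS 1.3 names carry no key type
    prefix = suite.split("_WITH_")[0]      # e.g. TLS_ECDHE_ECDSA
    if prefix.startswith("TLS_ECDH_"):
        return "EC"                        # static ECDH always needs an EC key
    for auth, cert_type in (("ECDSA", "EC"), ("RSA", "RSA"), ("DSS", "DSA")):
        if prefix.endswith("_" + auth):
            return cert_type
    return None                            # anonymous, PSK, etc.


def unusable_suites(ssl_host_config_xml, untyped_key="RSA"):
    """Configured suites that no <Certificate> in the element can serve.

    untyped_key: key algorithm inside the keystore of a Certificate with no
    type attribute (an assumption supplied by the caller, e.g. from a scan).
    """
    host = ET.fromstring(ssl_host_config_xml)
    types = (c.get("type", "UNDEFINED").upper() for c in host.iter("Certificate"))
    available = {untyped_key if t == "UNDEFINED" else t for t in types}
    suites = [s.strip() for s in host.get("ciphers", "").split(",") if s.strip()]
    return [s for s in suites if key_type_needed(s) not in (None, *available)]


if __name__ == "__main__":
    for name, xml in (("single", SINGLE_CERT), ("dual", DUAL_CERT)):
        print(name, unusable_suites(xml))
```

The default `untyped_key="RSA"` matches the sslscan output above, which reports an RSA 2048-bit certificate for the single-keystore configuration.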