tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Wall <d.w...@computer.org>
Subject "Weak" SSL detection w/ TC5.5
Date Sat, 09 Sep 2006 01:07:32 GMT
What are most people doing to detect so-called "weak" SSL ciphers in 
Tomcat? 

I've noted that I can configure the Tomcat Connector's 'ciphers' list to 
specify only those that are not "weak," but I'm not sure how best to 
generate that list.  For example, how would I list all ciphers except 
DES-CBC-SHA, EXP-RC4-MD5 and EXP-DES-CBC-SHA from what's offered by 
default?  Is there a way to get an exhaustive list of what ciphers 
Tomcat's SSL will use on Java 5?

Or are people simply checking the javax.servlet.request.key_size 
attribute to determine if it's at least 128 bits and then either 
allowing the connection or redirecting to an error page or the like?  It 
seems like checking the javax.servlet.request.cipher_suite attribute 
won't be enough because it lists all ciphers that it can use, not the 
one that's actually being used.

Thanks,
David

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message