tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS+SSLv3 but no SSLv2
Date Fri, 22 Jan 2010 17:35:06 GMT

Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
> Christopher,
> 
> my "Problem" is that I have a requirement that SSLv2 shall be forbidden, 
> but not SSLv3 and TLS. On top, also forbidden are ciphers <=128bit. I was 
> hoping to tackle this with
> 
>                 SSLProtocol="TLSv1+SSLv3"
>                 SSLCipher="-ALL:+HIGH:+MEDIUM"
> 
> without manually selecting all ciphers. Since I'm on apr/openssl, I assume 
> that my available ciphers are what gives me "openssl ciphers"?
> So this leaves me with no other option than crawling through all the 
> ciphers? Certainly looking forward to it ;-)

How about SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2"?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you
don't want to.

- -chris
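As an added example (not code from either poster), a small Python checker that parses `openssl ciphers -v` output, which prints each suite's protocol and Enc=ALG(bits), and tests it against the policy Jens stated: no SSLv2 suites and nothing at or below 128 bits. The sample output lines are constructed, and treating 3DES as 112 bits effective is an assumption added here.

```python
import re
# Constructed sample in the `openssl ciphers -v` format (not captured output
# from the thread): name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=.
SAMPLE = """\
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)

# OpenSSL prints the nominal key length; 3DES is only 112 bits effective (assumption).
EFFECTIVE_BITS = {"3DES": 112}

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into dicts; other lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["bits"] = int(s["bits"])
            suites.append(s)
    return suites

def policy_violations(suites, max_forbidden_bits=128):
    """Map suite name -> reasons it breaks 'no SSLv2, nothing <= 128 bit'."""
    bad = {}
    for s in suites:
        reasons = []
        if s["proto"] == "SSLv2":
            reasons.append("SSLv2 suite")
        eff = EFFECTIVE_BITS.get(s["enc"], s["bits"])
        if eff <= max_forbidden_bits:
            reasons.append(f"effective key length {eff} <= {max_forbidden_bits}")
        if s["au"] == "None":  # ADH suites never authenticate the server
            reasons.append("anonymous key exchange, no server authentication")
        if reasons:
            bad[s["name"]] = reasons
    return bad

def allowed_names(suites):
    bad = policy_violations(suites)
    return [s["name"] for s in suites if s["name"] not in bad]
```

Pipe real output into `parse_ciphers` (for example from `openssl ciphers -v '-ALL:HIGH:MEDIUM:!SSLv2'`) to see which entries in Chris's list would actually satisfy the stated policy; on the constructed sample only DHE-RSA-AES256-SHA passes.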