tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jens Neu <jens....@biotronik.com>
Subject Re: TLS+SSLv3 but no SSLv2
Date Fri, 22 Jan 2010 17:43:59 GMT
Christopher,

yes, thats it! Merci bien :-)
I was reading http://www.openssl.org/docs/apps/ciphers.html "for 
reference", thats where I got scared that I had to check all of them for 
128bit. Didn't know that SSLCipher= is actually understood by openssl.

Its Friday finally :)
Jens

Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens.neu@biotronik.de



Christopher Schultz <chris@christopherschultz.net> 
01/22/2010 06:36 PM
Please respond to
"Tomcat Users List" <users@tomcat.apache.org>


To
Tomcat Users List <users@tomcat.apache.org>
cc

Subject
Re: TLS+SSLv3 but no SSLv2






-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
> Christopher,
> 
> my "Problem" is that I have a requirement that SSLv2 shall be forbidden, 

> but not SSLv3 and TLS. On top, also forbidden are ciphers <=128bit. I 
was 
> hoping to tackle this with
> 
>                 SSLProtocol="TLSv1+SSLv3"
>                 SSLCipher="-ALL:+HIGH:+MEDIUM"
> 
> without manually selecting all ciphers. Since I'm on apr/openssl, I 
assume 
> that my available ciphers are what gives me "openssl ciphers"?
> So this leaves me with no other option than crawling through all the 
> ciphers? Certainly looking forward to it ;-)

How about SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2"?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you
don't want to.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZ4coACgkQ9CaO5/Lv0PC3xwCcDtuaednrMBZRcZmUOneFoE/M
Wy8AoIQ3w/Zctnw8tTU2kHdW4Y7xynkM
=mFDc
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org





www.biotronik.com

BIOTRONIK SE & Co. KG
Woermannkehre 1, 12359 Berlin, Germany
Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRA 6501

Vertreten durch ihre Komplementärin:
BIOTRONIK MT SE
Sitz der Gesellschaft: Berlin, Registergericht: Berlin HRB 118866 B
Vorsitzender des Verwaltungsrats: Dr. Max Schaldach
Geschäftsführende Direktoren: Christoph Böhmer, Dr. Werner Braun, Dr. 
Lothar Krings

BIOTRONIK - A global manufacturer of advanced Cardiac Rhythm Management 
systems and Vascular Intervention devices. Quality, innovation, and 
reliability define BIOTRONIK and our growing success. We are innovators of 
technologies like the first wireless remote monitoring system - Home 
Monitoring®, Closed Loop Stimulation and coveted lead solutions as well as 
state-of-the-art stents, balloons and guide wires for coronary and 
peripheral indications. We highly invest in the development of drug 
eluting devices and are leading the industry with our bioabsorbable metal 
stent program.

This e-mail and the information it contains including attachments are 
confidential and meant only for use by the intended recipient(s); 
disclosure or copying is strictly prohibited. If you are not addressed, 
but in the possession of this e-mail, please notify the sender immediately 
and delete the document.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message