tomcat-users mailing list archives

From Jens Neu <jens....@biotronik.com>
Subject Re: TLS+SSLv3 but no SSLv2
Date Fri, 22 Jan 2010 17:30:19 GMT
Christopher,

my "problem" is that I have a requirement that SSLv2 shall be forbidden,
but not SSLv3 and TLS. On top of that, ciphers <= 128 bit are also forbidden. I was
hoping to tackle this with

                SSLProtocol="TLSv1+SSLv3"
                SSLCipher="-ALL:+HIGH:+MEDIUM"

without manually selecting all ciphers. Since I'm on apr/openssl, I assume
that my available ciphers are what "openssl ciphers" gives me?
So this leaves me with no other option than crawling through all the
ciphers? Certainly looking forward to it ;-)

regards

Jens Neu
Health Services Network Administration

Phone: +49 (0) 30 68905-2412
Mail: jens.neu@biotronik.de
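As an added example (not code from this thread or from the Tomcat project), the following Python takes the output of `openssl ciphers -v` for a cipher string such as the one above, applies the stated requirement (no SSLv2, no symmetric key of 128 bits or less) and prints an explicit value for the connector's SSLCipher attribute. The sample output lines and all function names are constructed for illustration.

```python
"""Apply the thread's policy (no SSLv2, no symmetric key <= 128 bits) to the
output of `openssl ciphers -v` and build an explicit SSLCipher value.
Added example, not code from the thread; the sample output is constructed."""
import re
# Constructed sample in the `openssl ciphers -v` line format (not captured).
SAMPLE_CIPHERS_V = """\
AES256-SHA     SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA   SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA     SSLv3 Kx=RSA Au=RSA Enc=AES(128)  Mac=SHA1
RC4-MD5        SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
NULL-SHA       SSLv3 Kx=RSA Au=RSA Enc=None      Mac=SHA1
DES-CBC3-MD5   SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
"""

# NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=..; "Enc=None" has no bit count.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=\S+\s+Au=\S+\s+"
    r"Enc=(?P<enc>[\w-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)")

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines; NULL ciphers get 0 bits."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bits"] = int(d["bits"]) if d["bits"] else 0
            suites.append(d)
    return suites

def apply_policy(suites, max_forbidden_bits=128, banned_protos=("SSLv2",)):
    """Split suites into allowed names and (name, reason) rejections.
    Note: OpenSSL reports nominal key size, so 3DES shows 168, not 112."""
    allowed, rejected = [], []
    for s in suites:
        if s["proto"] in banned_protos:
            rejected.append((s["name"], "%s forbidden" % s["proto"]))
        elif s["bits"] <= max_forbidden_bits:
            rejected.append((s["name"], "%d-bit key" % s["bits"]))
        else:
            allowed.append(s["name"])
    return allowed, rejected

def ssl_cipher_attribute(allowed):
    """Explicit colon-separated value for the connector's SSLCipher."""
    return ":".join(allowed)

if __name__ == "__main__":
    ok, bad = apply_policy(parse_ciphers_v(SAMPLE_CIPHERS_V))
    for name, why in bad:
        print("reject %-14s %s" % (name, why))
    print('SSLCipher="%s"' % ssl_cipher_attribute(ok))
```

On a real host, feed it the actual `openssl ciphers -v '-ALL:+HIGH:+MEDIUM'` output instead of the sample to see which 128-bit suites the MEDIUM group lets through.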



Christopher Schultz <chris@christopherschultz.net>
01/22/2010 06:05 PM
Please respond to: "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: TLS+SSLv3 but no SSLv2


Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:
> on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the
> SSLProtocol:
>
> "Protocol which may be used for communicating with clients. The default
> is "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1", and
> "SSLv2+SSLv3"."
>
> Does this really mean that I can not allow a "TLSv1+SSLv3" setting while
> forbidding SSLv2? It seems so to me, since setting SSLProtocol to this
> obviously defaults to "ALL" :-(

I agree with Chuck: TLSv1 ~= SSLv3.

Although the "protocol" attribute has a limited set of values you can
choose, you can always set the ciphers you will allow using the
"ciphers" attribute. This will allow you to pick and choose the ciphers
regardless of the overall "protocol" that you choose.

The ciphers available depend upon your environment, but these are the
ones I can see in mine:

java version "1.6.0_12"
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

Default Cipher
*       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*       SSL_DHE_DSS_WITH_DES_CBC_SHA
*       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*       SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_DH_anon_WITH_RC4_128_MD5
*       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_RSA_EXPORT_WITH_RC4_40_MD5
*       SSL_RSA_WITH_3DES_EDE_CBC_SHA
*       SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
*       SSL_RSA_WITH_RC4_128_MD5
*       SSL_RSA_WITH_RC4_128_SHA
*       TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
        TLS_DH_anon_WITH_AES_128_CBC_SHA
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        TLS_KRB5_EXPORT_WITH_RC4_40_MD5
        TLS_KRB5_EXPORT_WITH_RC4_40_SHA
        TLS_KRB5_WITH_3DES_EDE_CBC_MD5
        TLS_KRB5_WITH_3DES_EDE_CBC_SHA
        TLS_KRB5_WITH_DES_CBC_MD5
        TLS_KRB5_WITH_DES_CBC_SHA
        TLS_KRB5_WITH_RC4_128_MD5
        TLS_KRB5_WITH_RC4_128_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,
- -chris
