tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Sat, 15 Sep 2012 19:05:42 GMT
On 15/09/2012 19:59, Brian Braun wrote:
> Hi Mark,
> 
> I was really interested in your advice. I'm glad you answered, thanks!
> I'm trying not to disable TLS1.0 because I did a site that is being used
> by unknown people over the internet, and I don't know how many of them are
> using a browser that only works with TLS1.0.
> Where can I get the list of all available ciphers for Sun JVM 6 update 35?

http://people.apache.org/~markt/random/CryptoInfo.java

> I would like to get the complete list, and then remove the CBC ones.

You'll need to remove more than just the CBC ones. Anything with EXPORT
or NULL will need to go too. Maybe others. You'll have to check each one.

> Right
> now I'm using just 3, from which one uses CBC:
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
> Besides removing the last one, which ones should I add?

It depends on what the JVM supports and what minimum strength encryption
you want.

Mark
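
The filtering step discussed in this thread, as an added example that is not part of the original message and is not the CryptoInfo.java linked above: it lists every cipher suite the running JVM's default JSSE provider supports and drops the names containing CBC, EXPORT or NULL. The class name `CipherFilter` and the rule of matching on suite-name fragments are assumptions; the suites it keeps still have to be checked one by one.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherFilter {
    // Name fragments called out in the thread. Assumption: matching on the
    // suite name is enough to spot them; extend the list after review.
    private static final String[] REJECT = { "_CBC_", "_EXPORT_", "_NULL_" };

    static String rejectReason(String suite) {
        for (String marker : REJECT) {
            if (suite.contains(marker)) {
                return marker;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory =
                SSLContext.getDefault().getServerSocketFactory();
        List<String> kept = new ArrayList<String>();

        // Supported, not just enabled-by-default: the complete list for this JVM.
        for (String suite : factory.getSupportedCipherSuites()) {
            String reason = rejectReason(suite);
            if (reason != null) {
                System.out.println("drop  " + suite + "  (matches " + reason + ")");
            } else if (suite.endsWith("_SCSV")) {
                // Renegotiation signalling value, not a real cipher suite.
                System.out.println("skip  " + suite);
            } else {
                System.out.println("keep  " + suite);
                kept.add(suite);
            }
        }

        // Candidate value for the connector's ciphers attribute; every
        // remaining entry still has to be reviewed before use.
        StringBuilder attr = new StringBuilder();
        for (String suite : kept) {
            if (attr.length() > 0) attr.append(',');
            attr.append(suite);
        }
        System.out.println("ciphers=\"" + attr + "\"");
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported list depends on the JVM version and installed providers.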

