tomcat-users mailing list archives

From Brian Braun <brianbr...@gmail.com>
Subject Re: Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x
Date Sun, 16 Sep 2012 00:28:19 GMT
Well, I'm using JVM 1.6 Update 35 (the latest). I want the best encryption I
can get, while at the same time I want it to be near to 100% compatible
with all my possible internet visitors' browsers, and also I want to pass
the PCI test that www.secritymetrics.com performs. I have humble
requirements :-)

On Sat, Sep 15, 2012 at 2:05 PM, Mark Thomas <markt@apache.org> wrote:

> On 15/09/2012 19:59, Brian Braun wrote:
> > Hi Mark,
> >
> > I was really interested in your advice. I'm glad you answered, thanks!
> > I'm trying not to disable TLS1.0 because I did a site that is being used
> > by unknown people over the internet, and I don't know how many of them are
> > using a browser that only works with TLS1.0.
> > Where can I get the list of all available ciphers for Sun JVM 6 update 35?
>
> http://people.apache.org/~markt/random/CryptoInfo.java
>
> > I would like to get the complete list, and then remove the CBC ones.
>
> You'll need to remove more than just the CBC ones. Anything with EXPORT
> or NULL will need to go too. Maybe others. You'll have to check each one.
>
> > Right now I'm using just 3, from which one uses CBC:
> >
> > ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
> > Besides removing the last one, which ones should I add?
>
> It depends on what the JVM supports and what minimum strength encryption
> you want.
>
> Mark

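The filtering step discussed in this thread (list what the JVM supports, then drop the CBC, EXPORT and NULL suites), as an added example that is not part of the original messages and is not the CryptoInfo.java linked above. The class name CipherFilter is hypothetical, and rejecting anon suites is an addition beyond the names given in the thread; the name filter is only a first pass, so the kept list still has to be checked suite by suite.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name): enumerate the cipher suites the
// running JVM supports and drop the categories named in the thread.
public class CipherFilter {

    // Name fragments that disqualify a suite. CBC, EXPORT and NULL come from
    // the thread; "anon" (no server authentication) is an addition here.
    static final String[] REJECT = { "_CBC_", "_EXPORT_", "_NULL_", "_anon_" };

    static boolean acceptable(String suite) {
        for (String marker : REJECT) {
            if (suite.contains(marker)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Everything the default provider can negotiate, not only the
        // suites that are enabled by default.
        String[] supported =
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();

        List<String> kept = new ArrayList<String>();
        for (String suite : supported) {
            boolean ok = acceptable(suite);
            System.out.println((ok ? "keep    " : "reject  ") + suite);
            if (ok) {
                kept.add(suite);
            }
        }

        // Comma-separated value in the form of the Connector's ciphers attribute.
        StringBuilder attr = new StringBuilder();
        for (String suite : kept) {
            if (attr.length() > 0) {
                attr.append(',');
            }
            attr.append(suite);
        }
        System.out.println();
        System.out.println("ciphers=\"" + attr + "\"");
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported list depends on the JVM version and installed providers.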