tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Restricting ciphers
Date Wed, 09 Jan 2013 15:01:11 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Baron,

On 1/8/13 9:55 PM, Baron Fujimoto wrote:
> However, when I test this by attempting connections with a
> script[*]

You could use 'sslscan' which is available directly from many Linux
package managers. You can also use online tools like Qualys's
scanner[1], which tells you which vulnerabilities you might have such
as BEAST, CRIME, client-renegotiation, etc.

Worth mentioning: I'm not sure how to do such a thing with the JSSE
SSL implementation, but if you use APR/native with OpenSSL, you want
to enable the "honor server cipher order" flag. Unfortunately, this
won't work quite properly with Tomcat right now due to a series of
prerequisites that need to fall into place for it to work correctly
([2] and [3]).

- -chris

[1] https://www.ssllabs.com/ssltest/index.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
[3] https://issues.apache.org/bugzilla/show_bug.cgi?id=53969
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEAREIAAYFAlDthjcACgkQ9CaO5/Lv0PDrpwCgr19iDh6kKGKN7jjM6WmkfZFe
xH0AniNsKyyjYQnivoCPJmw+koye3AXS
=jvUJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
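As an added illustration of the two points in Chris's reply (checking what a cipher list really enables, and the OpenSSL "honor server cipher order" option), this example is not from the message or from Tomcat; it uses Python's standard `ssl` module, which wraps the same OpenSSL cipher-string syntax that Tomcat's APR/native connector accepts in its `SSLCipherSuite` attribute (the attribute name is not mentioned in the message), and the OpenSSL option `SSL_OP_CIPHER_SERVER_PREFERENCE` that lies behind "honor server cipher order". The cipher-string values are constructed for illustration.

```python
"""Expand an OpenSSL cipher string the way a server would, flag weak suites,
and build a server context that honors its own cipher order.

Added example, not code from the mailing-list message or from Tomcat. The
cipher strings below are constructed; the only real names are OpenSSL's
own cipher-string aliases (HIGH, aNULL, eNULL, MD5, 3DES, RC4).
"""
import re
import ssl

# Constructed specs: a permissive list and a restricted one.
PERMISSIVE_SPEC = "ALL:!aNULL"
RESTRICTED_SPEC = "HIGH:!aNULL:!eNULL:!MD5:!3DES:!RC4"

# Name fragments that mark suites a reviewer would normally reject.
WEAK_PATTERNS = re.compile(r"(RC4|DES|NULL|MD5|EXP)")


def expand_cipher_spec(spec):
    """Return the suite names OpenSSL resolves `spec` to, most preferred first.

    Only TLS 1.2-and-earlier suites are governed by the cipher string, so
    TLS 1.3 suites (present on newer OpenSSL builds) are left out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def flag_weak(names):
    """Return the subset of `names` that match a weak-suite pattern."""
    return [n for n in names if WEAK_PATTERNS.search(n)]


def make_server_context(spec, honor_server_order=True):
    """Build a server context for `spec`; optionally make the server's cipher
    order win over the client's (the 'honor server cipher order' behaviour)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    flag = int(ssl.OP_CIPHER_SERVER_PREFERENCE)
    if honor_server_order:
        ctx.options = int(ctx.options) | flag
    else:
        ctx.options = int(ctx.options) & ~flag
    return ctx


def prefers_server_order(ctx):
    """True if the context will impose its own cipher order on clients."""
    return bool(int(ctx.options) & int(ssl.OP_CIPHER_SERVER_PREFERENCE))


if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE_SPEC), ("restricted", RESTRICTED_SPEC)):
        suites = expand_cipher_spec(spec)
        print(f"{label}: {spec!r} -> {len(suites)} suites, "
              f"first preferred {suites[0] if suites else None}")
        for weak in flag_weak(suites):
            print(f"  weak suite still enabled: {weak}")
    ctx = make_server_context(RESTRICTED_SPEC)
    print("server order honored:", prefers_server_order(ctx))
```

Running the script against your own `SSLCipherSuite` value shows the resolved order before a scanner such as sslscan or the Qualys test ever touches the server; the first name printed is the suite the server will pick when it honors its own order, which is the only case in which the order in the string matters at all.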

