tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Restricting ciphers
Date Thu, 10 Jan 2013 07:44:49 GMT
2013/1/10 Baron Fujimoto <baron@hawaii.edu>:
> On Wed, Jan 09, 2013 at 01:08:01PM +0400, Konstantin Kolinko wrote:
>>2013/1/9 Baron Fujimoto <baron@hawaii.edu>:
>>> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
>>> My understanding is that the attack applies only to CBC ciphers, and that
>>> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
>>> ciphers that Tomcat uses with the following config for a connector:
>>>
>>>   <Connector protocol="HTTP/1.1" SSLEnabled="true"
>>>              address="0.0.0.0"
>>>              port="8443"
>>>              maxThreads="150" scheme="https" secure="true"
>>>              keystoreFile="/path/to/keystore"
>>>              keystoreType="pkcs12"
>>>              ciphers="TLS_RSA_WITH_RC4_128_SHA,
>>>                       TLS_RSA_WITH_RC4_128_MD5,
>>>                       SSL_CK_RC4_128_WITH_MD5"
>>>              clientAuth="false" sslProtocol="TLS" />
>>>(...)
>>>
>>
>>As can be seen from your usage of "keystoreType" attribute, you are
>>using Java implementation of the Connector,  not openssl/APR one.
>>
>>You should look into Java documentation for their cipher names.
>>
>>See this thread from October 2009:
>>http://markmail.org/message/zn4namfhypyxum23
>
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently.  If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>
>   ciphers="SSL_RSA_WITH_RC4_128_MD5,
>            SSL_RSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>            TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDH_RSA_WITH_RC4_128_SHA"
>

Good.

I used your example to create a FAQ page,
http://wiki.apache.org/tomcat/HowTo/SSLCiphers

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message