tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Feature suggestion: excludeCiphers
Date Thu, 13 Nov 2014 14:16:36 GMT
On 13/11/2014 02:58, Glen Peterson wrote:
> Tomcat has been one of my favorite pieces of software for about a
> decade.  Thanks to all your generous contributions it just keeps
> getting better!  I appreciate the focus on security in Tomcat 8.
> 
> Suggestion:
> =========
> Instead of specifying allowed ciphers in the Connector node of
> server.xml, I'd like to specify dis-allowed/excluded ciphers so that
> as new, better cipher suites become available we won't have to do
> anything.  Maybe an "excludeCiphers" attribute?

You should be able to do this already in Tomcat 8 if you use the OpenSSL
syntax.

Mark


> 
> Background:
> =========
> We're getting an 'A' on the Qualys TLS test with stand-alone Tomcat,
> which is pretty cool:
> https://www.ssllabs.com/ssltest/index.html
> 
> Mostly, that's because of the following settings (in case this helps anyone):
> 
> <Connector port="8443"
>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>   maxThreads="150" SSLEnabled="true"
>   scheme="https" secure="true"
>   clientAuth="false"
>   sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>   compression="on" disableUploadTimeout="true"
>   connectionTimeout="180000"
>   URIEncoding="UTF-8"
>   keystorePass="notTheRealPassword"
>   ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" />
> 
> It seems like just a few years ago there were about 50 cipher suites
> to choose from.  Now there are 12 that work with TLS.  Eight of those
> have Forward Security (the 8 listed above).  Presumably those eight
> will also become outdated over time and new ones will be added to
> replace them.  The problem with specifying ciphers as above is that
> someone will have to know when and how to manually update the cipher
> list.
> 
> With each upgrade of Java, we need to remember to do something like
> the following:
> 
>  - Delete the ciphers attribute
>  - Restart Tomcat
>  - Test here: https://www.ssllabs.com/ssltest/index.html
>  - Copy the list of cipher suites
>  - Delete any that don't support Forward Security
>  - Make a new ciphers attribute.
>  - Verify that the browsers and devices we support will still work.
> 
> To be honest, I'm not sure if that needs to be done with each Java
> patch release, or only when Java 9 comes out.  If instead of
> specifying valid ciphers, I specified invalid ones, then the new ones
> would just flow through the system and become available without me
> doing anything!
> 
> Thank you in advance for considering this suggestion.
> 
> @GlenKPeterson
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
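
The trade-off discussed in this thread, as an added example that is not part of either message and is not Tomcat code: a deny-list over JSSE suite names lets a newly supported suite through after an upgrade, and comparing the result with the reviewed allow-list reports what still needs vetting. The supported-suite lists and the deny patterns are constructed for illustration (assumptions); only the eight allow-listed suites come from the quoted Connector.

```python
import re

# The eight suites from the ciphers attribute quoted in this thread (allow-list).
ALLOW_LIST = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed sample: suites a runtime might report before and after an upgrade.
SUPPORTED_BEFORE = ALLOW_LIST + [
    "TLS_RSA_WITH_AES_128_CBC_SHA",       # static RSA key exchange
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",  # static ECDH
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
]
SUPPORTED_AFTER = SUPPORTED_BEFORE + ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

# Illustrative deny patterns (assumption, not Tomcat's or OpenSSL's parser).
DENY_PATTERNS = [
    r"^(TLS|SSL)_RSA_",  # static RSA key exchange: no forward secrecy
    r"_ECDH_|_DH_",      # static or anonymous (EC)DH; _DHE_/_ECDHE_ do not match
    r"_anon_", r"_NULL_", r"_EXPORT", r"_RC4_",
    r"_DES_",            # single DES; "_3DES_" does not match
    r"_MD5$",
]
_DENY = re.compile("|".join(DENY_PATTERNS))

def apply_deny_list(supported):
    """Keep every supported suite that no deny pattern matches, in order."""
    return [s for s in supported if not _DENY.search(s)]

def unvetted(enabled, vetted=ALLOW_LIST):
    """Suites the deny-list admits that are not on the reviewed allow-list."""
    return [s for s in enabled if s not in vetted]

def ciphers_attribute(enabled):
    """Render the list in the layout of the quoted Connector attribute."""
    return 'ciphers="' + ",\n    ".join(enabled) + '"'

if __name__ == "__main__":
    enabled = apply_deny_list(SUPPORTED_AFTER)
    print(ciphers_attribute(enabled))
    print("review before relying on:", unvetted(enabled))
```

A deny-list admits anything it does not name, so the `unvetted` output is the part to check after each runtime upgrade.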