tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Feature suggestion: excludeCiphers
Date Thu, 13 Nov 2014 19:23:23 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Glen,

On 11/13/14 11:43 AM, Glen Peterson wrote:
> Thank you Mark - that works great!  That feature suggestion is not 
> needed after all.
> 
> I found two places where the Tomcat 8 documentation could be more 
> helpful.  I would be happy to do the following updates if I'm
> allowed:
> 
> 1. I didn't see "ciphers" on this page at all (maybe it should be 
> renamed TLS-howto in a post-POODLE world?): 
> http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
> 
> 2. The "ciphers" section here doesn't mention that it accepts the 
> OpenSSL syntax: 
> http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
> 
> This page has a helpful description of the syntax (what I used to 
> learn it today): https://www.openssl.org/docs/apps/ciphers.html
> 
> If you like the ciphers element below, you are welcome to paste it
> in the docs.

Patches are always welcome, including patches to the documentation.
Let me know if you'd like to provide one, and I can give you
instructions (they are pretty simple).

> For anyone interested, this is what I ended up with:
> 
> ciphers="ALL:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!3DES:!TLS_RSA_WITH_AES_128_CBC_SHA256:!TLS_RSA_WITH_AES_128_CBC_SHA:!TLS_RSA_WITH_AES_128_GCM_SHA256:@STRENGTH"
>
>  Maybe someone more familiar with OpenSSL options could do better,
> but this is working and should be forward-compatible because it
> eliminates weaker ciphers without specifying which stronger ones to
> use.  Note that without specifying @STRENGTH (which means to sort
> in decreasing order by strength), nmap couldn't find 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 but Qualys did, so sorting
> seems to have some effect for certain clients.  Even sorted like
> this, Qualys still reports that, "the server has no preference."

I don't believe JSSE has the ability for the server to specify a
preferred cipher order like tcnative/APR/OpenSSL do with
"SSLHonorCipherOrder".

http://serverfault.com/questions/316313/control-ssl-cipher-priority-order-for-tomcat-to-avoid-beast-attack

> Also note, that the new configuration doesn't support IE8 on
> Windows XP, but we currently support IE8/Vista and forward.  Qualys
> says IE7 on Vista still works, so presumably IE8 would work there
> too.

IE8 on Windows XP should work as long as the proper TLS protocols have
been enabled. I believe Qualys is talking about a "default
configuration" of MSIE 8 on Windows XP.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUZQUrAAoJEBzwKT+lPKRYgToP/1rYKGihmAJLn21CzkSxURWZ
rT0FBibKeycm6i4AY6KIlOm3DyXnfd0N47yxKv0F/0OdX3Ms83trvMKjKT8Gh2jL
Z83JXU19aKFinHgRhCJDWHGKBKx+cFTxo9KEpljGd0YQInB4/AkBItVCGvdQKwX+
tr1YD6RC9kXbzD0tjn9+SMuqzmJSSs7XR33gBl4eCB5lGDE7vz3++JU7xbDzYNCA
ctqxuQstJq2fjeuvc3Bq6WhffP8/qQZHkTBGV64b55vnkXMPZL3Hb0kIYC1oFo/U
ni664Mc9WKTzf4NHRdmAHkA9cbrSV0kUQdxEEzFIWJ/gj3FyHdIydgz0sMa2+HEd
Rg2nQtmTsiLnHiIucqOrktZBgmBUtONCti5cSsRjfhwhh/7IjY9QLhFWIvbvLcz8
rFmwjW9c8qiT8D13E9PujSbuhxAL+gfgWdRlKePBqsZH6ftOWK4V1fA2cIAiW5rX
rL+Dozac5AtxXYQ7RvD651FG9YS/9Nv5t9NCm4muIBufg1dlbOQc8/jcEHA7tsUU
GaCb72qmVU9/XSP6IiWtLjC2PbCh4ouAfHgL7UyPPWlBv+UnZbvJzmNfX38NPrGG
LAN99XUFiqsHAP7P8vr58UNLoi/at2t0WHLIm3eO/txpKgZQOvK/dQ9Bxb0NDT2T
56D8Affe/VSQf0RnE5/4
=bLG/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message