tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glen Peterson <g...@organicdesign.org>
Subject Feature suggestion: excludeCiphers
Date Thu, 13 Nov 2014 02:58:51 GMT
Tomcat has been one of my favorite pieces of software for about a
decade.  Thanks to all your generous contributions it just keeps
getting better!  I appreciate the focus on security in Tomcat 8.

Suggestion:
=========
Instead of specifying allowed ciphers in the Connector node of
server.xml, I'd like to specify dis-allowed/excluced ciphers so that
as new, better cipher suites become available we won't have to do
anything.  Maybe an "excludeCiphers" attribute?

Background:
=========
We're getting an 'A' on the Qualys TLS test with stand-alone Tomcat,
which is pretty cool:
https://www.ssllabs.com/ssltest/index.html

Mostly, that's because of the following settings (in case this helps anyone):

<Connector port="8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150" SSLEnabled="true"
  scheme="https" secure="true"
  clientAuth="false"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  compression="on" disableUploadTimeout="true"
  connectionTimeout="180000"
  URIEncoding="UTF-8"
  keystorePass="notTheRealPassword"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" />

It seems like just a few years ago there were about 50 cipher suites
to choose from.  Now there are 12 that work with TLS.  Eight of those
have Forward Security (the 8 listed above).  Presumably those eight
will also become outdated over time and new ones will be added to
replace them.  The problem with specifying ciphers as above is that
someone will have to know when and how to manually update the cipher
list.

With each upgrade of Java, we need to remember to do something like
the following:

 - Delete the ciphers attribute
 - Restart tomcat
 - Test here: https://www.ssllabs.com/ssltest/index.html
 - Copy the list of cipher suites
 - Delete any that don't support Forward Security
 - Make a new ciphers attribute.
 - Verify that the browsers and devices we support will still work.

To be honest, I'm not sure if that needs to be done with each Java
patch release, or only when Java 9 comes out.  If instead of
specifying valid ciphers, I specified invalid ones, then the new ones
would just flow through the system and become available without me
doing anything!

Thank you in advance for considering this suggestion.

@GlenKPeterson

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message