tomcat-users mailing list archives

From Alexandre Adao <alexa...@gmail.com>
Subject Re: How disable the Weak Cipher like TLS_DHE on APACHE 9.0.6
Date Wed, 25 Apr 2018 19:10:49 GMT
Thank you for your help. I really appreciate it. These are my current cipher
settings on Tomcat 9.0.6, and they have received grade "A" from SSL Labs.


    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxHttpHeaderSize="32767"
               maxThreads="150"
               URIEncoding="UTF-8"
               compression="on"
               defaultSSLHostConfigName="my.server.edu">
      <!-- honorCipherOrder="true": the server picks the first suite in this list that the client also offers -->
      <SSLHostConfig hostName="my.server.edu"
                     honorCipherOrder="true"
                     disableSessionTickets="true"
                     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                              TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                              TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                              TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                              TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                              TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                              TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                              TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                              TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                              TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                              TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                              TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                              TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                              TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                              TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                              TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                              TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                              TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                              TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                              TLS_ECDH_RSA_WITH_RC4_128_SHA,
                              TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                              TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                              TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                              TLS_EMPTY_RENEGOTIATION_INFO_SCSV">
        <Certificate certificateKeyFile="conf/idp.key"
                     certificateFile="conf/my.server.crt"
                     certificateChainFile="conf/my.sever.edu.ca-bundle"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>


On Wed, Apr 25, 2018 at 1:05 PM, Pierre Chiu <pc8888@gmail.com> wrote:

> That was an A+ as of 2017. SSL Labs has changed their checks multiple times
> since then and we never revisited the setup.
>
> The admin blocking port 80 doesn't help either. 80 is supposed to do a
> redirection :)
>
>
>
> > On Apr 25, 2018, at 12:41 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> >
> > Pierre,
> >
> > On 4/25/18 12:16 PM, Pierre Chiu wrote:
> >
> > The A+ is coming from your use of HSTS. If you had not enabled HSTS,
> > you wouldn't get the A+.
> >
> > Note that SSLLabs considers some of your cipher suites as "weak" (e.g.
> > TLS_RSA_WITH_AES_256_GCM_SHA384) and yet you still get an A+ rating.
> >
> > Those ratings are quite subjective as you can see.
> >
> > Thanks,
> > - -chris
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
>
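As an added check (not code from this thread or from Tomcat), the following Python audit pulls the `ciphers` attribute out of an SSLHostConfig fragment like the one posted above and flags the suites a scanner would grade down: RC4 and 3DES, static-ECDH suites with no forward secrecy (the same property that makes TLS_RSA_WITH_AES_256_GCM_SHA384 "weak" in Chris's reply), and CBC-mode suites. The XML fragment is constructed from the posted list, and the classification rules are the example's own simplification, not SSL Labs' published grading.

```python
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed server.xml fragment carrying the cipher list from the post above
SERVER_XML = """<Connector port="443" SSLEnabled="true">
  <SSLHostConfig hostName="my.server.edu" honorCipherOrder="true" ciphers="
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
    TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV"/>
</Connector>"""

def load_ciphers(xml_text):
    """Split the SSLHostConfig ciphers attribute the way Tomcat does: on commas, trimmed."""
    host = ET.fromstring(xml_text).find("SSLHostConfig")
    return [c.strip() for c in host.get("ciphers", "").split(",") if c.strip()]

def assess_suite(name):
    """Return the reasons a suite would be graded down; an empty list means nothing to flag."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return ["not a cipher suite (signalling value or typo)"]
    reasons = []
    kx = name[4:name.index("_WITH_")]           # key exchange: ECDHE_RSA, ECDH_RSA, RSA, ...
    if not kx.startswith(("ECDHE_", "DHE_")):   # static ECDH or RSA key transport
        reasons.append("no forward secrecy")
    if "RC4" in name or "3DES" in name:
        reasons.append("broken bulk cipher")
    elif "_CBC_" in name:                       # CBC suites are flagged as weak by SSL Labs
        reasons.append("CBC mode")
    return reasons

def audit(ciphers):
    report = {name: assess_suite(name) for name in ciphers}
    return report, Counter(r for rs in report.values() for r in rs)  # per-suite, per-reason

if __name__ == "__main__":
    report, counts = audit(load_ciphers(SERVER_XML))
    print(dict(counts), "keep:", [n for n, r in report.items() if not r])
```

Run against the posted list it leaves only the four ECDHE AES-GCM suites unflagged, which is the subset worth keeping if the goal is to drop everything a scanner calls weak.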
