tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "Security/Ciphers" by OgnjenBlagojevic
Date Thu, 01 Oct 2015 12:46:54 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Security/Ciphers" page has been changed by OgnjenBlagojevic:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff&rev1=5&rev2=6

Comment:
Added information about 2048-bit DHE

  = TLS Cipher suite choice =
  
  There is no right choice since there are always trade-offs to make between better security
better interoperability, better performance etc.. Where you choose to draw that line is a
choice you need to make. The following information is provided to help you make that choice.
The ratings provided are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL
Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these ratings are
only ever going to get worse over time. The results shown on this page were correct at the
time they were generated.
+ 
+ As of May 2015, 1024-bit DHE is [[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]]
[[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by nation-state adversaries.
2048-bit DHE is recommended. 2048-bit DHE may be configured with JSSE using JVM parameter,
while latest released version of Apache Tomcat Native Library (1.1.33) does not support 2048-bit
DHE. You may track native support [[https://bz.apache.org/bugzilla/show_bug.cgi?id=56108|here]]
+ 
  
  == JSSE (BIO/NIO/NIO2) Results (Default) ==
  
@@ -22, +25 @@

  
  == JSSE Settings for Improved Results ==
  
- To use these settings, set the ciphers attribute on your secure connector to the list of
ciphers shown below. The list should be comma separated.
+ To use these settings:
  
+  1. Pass JVM parameter '''-Djdk.tls.ephemeralDHKeySize=2048''' to JVM running Tomcat.
+ 
+  1. Set the ciphers attribute on your secure connector to the list of ciphers shown below.
The list should be comma separated.
+ 
-  * Java 5
+   * Java 5
-   * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+    * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-  * Java 6
+   * Java 6
-   * TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
+    * TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
-  * Java 7
+   * Java 7
-   * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+     * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-  * Java 8
+   * Java 8
-   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  ''(It might be nice to provide the OpenSSL-style cipher suites arcana for the versions of
Tomcat that support it)''
  

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message