tomcat-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "Security/Ciphers" by markt
Date Thu, 31 Mar 2016 14:16:26 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff&rev1=14&rev2=15

Comment:
Update the Tomcat 8.5 results. Split out JSSE, JSSE+OpenSSL and OpenSSL into separate tables

  
  There is no right choice since there are always trade-offs to make between better security
better interoperability, better performance etc.. Where you choose to draw that line is a
choice you need to make. The following information is provided to help you make that choice.
The ratings provided are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL
Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these ratings are
only ever going to get worse over time. The results shown on this page were correct at the
time they were generated.
  
- As of May 2015, 1024-bit DHE is [[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]]
[[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by nation-state adversaries.
2048-bit DHE is recommended. 2048-bit DHE may be configured with JSSE connectors (BIO, NIO,
NIO2) using JVM parameter, and for APR connector Apache Tomcat Native Library 1.2.2 (or later)
should be used.
+ == BIO/NIO/NIO2 with JSSE Results (Default) ==
  
- 
- == JSSE (BIO/NIO/NIO2) Results (Default) ==
- 
- ||                           || Java 5 || Java 6 || Java 7 || Java 8 ||
+ ||            || Java 5 || Java 6 || Java 7 || Java 8 ||
- || Tomcat 6 (JSSE)           ||   C    ||   C    ||   C    ||   B    ||
+ || Tomcat 6   ||   C    ||   C    ||   C    ||   B    ||
- || Tomcat 7 (JSSE)           ||  N/A   ||   C    ||   C    ||   B    ||
+ || Tomcat 7   ||  N/A   ||   C    ||   C    ||   B    ||
- || Tomcat 8 (JSSE)           ||  N/A   ||  N/A   ||   A    ||   A    ||
+ || Tomcat 8   ||  N/A   ||  N/A   ||   A    ||   A    ||
- || Tomcat 8 (APR/OpenSSL)    ||  N/A   ||  N/A   ||   A    ||   A    ||
+ || Tomcat 8.5 ||  N/A   ||  N/A   ||   A    ||   A    ||
- || Tomcat 8.5 (JSSE)         ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 8.5 (JSSE/OpenSSL) ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 8.5 (APR/OpenSSL)  ||  N/A   ||  N/A   ||  TBD   ||  TBD   ||
- || Tomcat 9 (JSSE)           ||  N/A   ||  N/A   ||  N/A   ||   A    ||
+ || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A    ||
- || Tomcat 9 (JSSE/OpenSSL)   ||  N/A   ||  N/A   ||  N/A   ||   A    ||
- || Tomcat 9 (APR/OpenSSL)    ||  N/A   ||  N/A   ||  N/A   ||   A    ||
  
  Note: These results were obtained using the JCE Unlimited Strength Jurisdiction Policy Files
  
+ == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
+ 
+ ||            || Java 5 || Java 6 || Java 7 || Java 8 ||
+ || Tomcat 8.5 ||  N/A   ||  N/A   ||   A    ||   A    ||
+ || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A    ||
+ 
+ 
- Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native release to achieve
an A since, without it, the full certificate chain is not presented to the client.
+ Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to achieve an A since,
without it, the full certificate chain is not presented to the client.
+ 
+ The equivalent OpenSSL cipher configurations used to obtain the above results are:
+ 
+ || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
+ || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
+ 
+ Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecure which is why
those ciphers are excluded only for Java 7.
+ 
+ == APR with OpenSSL Results (Default) ==
+ 
+ ||            || Java 5 || Java 6 || Java 7 || Java 8 ||
+ || Tomcat 6   ||  TBD   ||  TBD   ||  TBD   ||  TBD   ||
+ || Tomcat 7   ||  N/A   ||  TBD   ||  TBD   ||  TBD   ||
+ || Tomcat 8   ||  N/A   ||  N/A   ||   A    ||   A    ||
+ || Tomcat 8.5 ||  N/A   ||  N/A   ||   A    ||   A    ||
+ || Tomcat 9   ||  N/A   ||  N/A   ||  N/A   ||   A    ||
+ 
+ The OpenSSL cipher configuration used was '''HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA'''.
Up-to-date selection of secure cipher suites in OpenSSL format is available at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla
wiki]].
+ 
  
  == JSSE (BIO/NIO/NIO2) Results (Improved) ==
  
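Review bot: typo in the added Java 7 DHE note: "Java 7 DHE ciphers sue a 768 bit DH key" should read "use a 768 bit DH key", and the run-on "which is considered insecure which is why" reads better as "which is considered insecure; this is why those ciphers are excluded only for Java 7". Two smaller points in the same hunk: the added note "JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release" is ambiguous now that the tables are split (the old wording "Tomcat 9 with JSSE/OpenSSL and JSSE config" made clear it was one configuration, so "JSSE+OpenSSL with JSSE-style configuration requires" would keep that meaning and say which table it applies to), and the two consecutive blank `+` lines before it leave a double gap in the rendered page. Also "Up-to-date selection of secure cipher suites in OpenSSL format is available" wants an article: "An up-to-date selection".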
@@ -50, +68 @@

    * Java 8
     * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  
- ''(It might be nice to provide the OpenSSL-style cipher suites arcana for the versions of
Tomcat that support it)''
- 
  == Environment ==
  
  The results above were generated with:
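Review bot: dropping the italic to-do is only half covered by this change: the new Default sections above now give OpenSSL-format equivalents for the Default results, but the "Improved" JSSE list in this hunk (the Java 8 ECDHE suites ending in TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) still has no OpenSSL-format counterpart. Either add the equivalent string for the Improved configuration or keep the to-do scoped to this section so the gap stays visible.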
@@ -62, +78 @@

   * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled SSLv2 and
SSLv3.
   * Apache Tomcat 7.0.60-dev, r1664373.
   * Apache Tomcat 8.0.34-dev, r1737224.
-  * Apache Tomcat 8.5.1-dev, r1737213.
+  * Apache Tomcat 8.5.1-dev, r1737241.
   * Apache Tomcat 9.0.0.M5-dev, r1737193.
+  * tc-native 1.2.5
  
- == APR/native ==
- 
- If APR/native connector is used (or if HTTPS connection is terminated at a load balancer
or reverse proxy utilizing the OpenSSL library), cipher suites should be specified in [[https://www.openssl.org/docs/apps/ciphers.html|OpenSSL
format]]. Up-to-date selection of secure cipher suites is available at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla
wiki]].
- 
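Review bot: the environment now lists "tc-native 1.2.5", but the note added earlier in this diff says an A rating with JSSE+OpenSSL requires a 1.2.6 tc-native release because, without it, the full certificate chain is not presented to the client. Either the JSSE+OpenSSL A results were produced with a 1.2.6-dev build, in which case the environment entry should say so (with its revision, as the Tomcat entries do), or the ratings in that table should be marked TBD until 1.2.6 is available. Separately, removing the "APR/native" section drops the pointer to the OpenSSL ciphers documentation (https://www.openssl.org/docs/apps/ciphers.html) and the remark that the same OpenSSL-format list applies when HTTPS is terminated at a load balancer or reverse proxy built on OpenSSL; the new "APR with OpenSSL" section keeps only the Mozilla link, so consider carrying both over.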
