Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 92C75189FA for ; Thu, 31 Mar 2016 14:16:32 +0000 (UTC) Received: (qmail 58772 invoked by uid 500); 31 Mar 2016 14:16:32 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 58706 invoked by uid 500); 31 Mar 2016 14:16:31 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 58696 invoked by uid 99); 31 Mar 2016 14:16:31 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 31 Mar 2016 14:16:31 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 6959E18052A for ; Thu, 31 Mar 2016 14:16:31 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.999 X-Spam-Level: X-Spam-Status: No, score=0.999 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-0.001] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id R8QYBTocwKQb for ; Thu, 31 Mar 2016 14:16:29 +0000 (UTC) Received: from eos.apache.org (eos.apache.org [140.211.11.131]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id A3CAA5F3F0 for ; Thu, 31 Mar 2016 14:16:28 +0000 (UTC) Received: from eos.apache.org (localhost [127.0.0.1]) by eos.apache.org (Postfix) with ESMTP id 53B661EE for ; Thu, 31 Mar 2016 14:16:26 +0000 (UTC) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: Apache Wiki To: Apache Wiki Date: Thu, 31 Mar 2016 14:16:26 -0000 Message-ID: <20160331141626.18240.26106@eos.apache.org> Subject: =?utf-8?q?=5BTomcat_Wiki=5D_Update_of_=22Security/Ciphers=22_by_markt?= Auto-Submitted: auto-generated Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for ch= ange notification. The "Security/Ciphers" page has been changed by markt: https://wiki.apache.org/tomcat/Security/Ciphers?action=3Ddiff&rev1=3D14&rev= 2=3D15 Comment: Update the Tomcat 8.5 results. Split out JSSE, JSSE+OpenSSL and OpenSSL int= o separate tables = There is no right choice since there are always trade-offs to make betwee= n better security better interoperability, better performance etc.. Where y= ou choose to draw that line is a choice you need to make. The following inf= ormation is provided to help you make that choice. The ratings provided are= those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL La= bs Test]]. Keep in mind that, as more vulnerabilities are discovered, these= ratings are only ever going to get worse over time. The results shown on t= his page were correct at the time they were generated. = - As of May 2015, 1024-bit DHE is [[https://www.schneier.com/blog/archives/= 2015/05/the_logjam_and_.html|considered]] [[https://weakdh.org/imperfect-fo= rward-secrecy.pdf|breakable]] by nation-state adversaries. 2048-bit DHE is = recommended. 2048-bit DHE may be configured with JSSE connectors (BIO, NIO,= NIO2) using JVM parameter, and for APR connector Apache Tomcat Native Libr= ary 1.2.2 (or later) should be used. + =3D=3D BIO/NIO/NIO2 with JSSE Results (Default) =3D=3D = - = - =3D=3D JSSE (BIO/NIO/NIO2) Results (Default) =3D=3D - = - || || Java 5 || Java 6 || Java 7 || Java 8 || + || || Java 5 || Java 6 || Java 7 || Java 8 || - || Tomcat 6 (JSSE) || C || C || C || B || + || Tomcat 6 || C || C || C || B || - || Tomcat 7 (JSSE) || N/A || C || C || B || + || Tomcat 7 || N/A || C || C || B || - || Tomcat 8 (JSSE) || N/A || N/A || A || A || + || Tomcat 8 || N/A || N/A || A || A || - || Tomcat 8 (APR/OpenSSL) || N/A || N/A || A || A || + || Tomcat 8.5 || N/A || N/A || A || A || - || Tomcat 8.5 (JSSE) || N/A || N/A || TBD || TBD || - || Tomcat 8.5 (JSSE/OpenSSL) || N/A || N/A || TBD || TBD || - || Tomcat 8.5 (APR/OpenSSL) || N/A || N/A || TBD || TBD || - || Tomcat 9 (JSSE) || N/A || N/A || N/A || A || + || Tomcat 9 || N/A || N/A || N/A || A || - || Tomcat 9 (JSSE/OpenSSL) || N/A || N/A || N/A || A || - || Tomcat 9 (APR/OpenSSL) || N/A || N/A || N/A || A || = Note: These results were obtained using the JCE Unlimited Strength Jurisd= iction Policy Files = + =3D=3D NIO/NIO2 with JSSE+OpenSSL Results (Default) =3D=3D + = + || || Java 5 || Java 6 || Java 7 || Java 8 || + || Tomcat 8.5 || N/A || N/A || A || A || + || Tomcat 9 || N/A || N/A || N/A || A || + = + = - Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-nati= ve release to achieve an A since, without it, the full certificate chain is= not presented to the client. + Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to = achieve an A since, without it, the full certificate chain is not presented= to the client. + = + The equivalent OpenSSL cipher configurations used to obtain the above res= ults are: + = + || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE || + || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA || + = + Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecur= e which is why those ciphers are excluded only for Java 7. + = + =3D=3D APR with OpenSSL Results (Default) =3D=3D + = + || || Java 5 || Java 6 || Java 7 || Java 8 || + || Tomcat 6 || TBD || TBD || TBD || TBD || + || Tomcat 7 || N/A || TBD || TBD || TBD || + || Tomcat 8 || N/A || N/A || A || A || + || Tomcat 8.5 || N/A || N/A || A || A || + || Tomcat 9 || N/A || N/A || N/A || A || + = + The OpenSSL cipher configuration used was '''HIGH:!aNULL:!eNULL:!EXPORT:!= DES:!RC4:!MD5:!kRSA'''. Up-to-date selection of secure cipher suites in Ope= nSSL format is available at [[https://wiki.mozilla.org/Security/Server_Side= _TLS|Mozilla wiki]]. + = = =3D=3D JSSE (BIO/NIO/NIO2) Results (Improved) =3D=3D = @@ -50, +68 @@ * Java 8 * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_S= HA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_C= BC_SHA = - ''(It might be nice to provide the OpenSSL-style cipher suites arcana for= the versions of Tomcat that support it)'' - = =3D=3D Environment =3D=3D = The results above were generated with: @@ -62, +78 @@ * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disa= bled SSLv2 and SSLv3. * Apache Tomcat 7.0.60-dev, r1664373. * Apache Tomcat 8.0.34-dev, r1737224. - * Apache Tomcat 8.5.1-dev, r1737213. + * Apache Tomcat 8.5.1-dev, r1737241. * Apache Tomcat 9.0.0.M5-dev, r1737193. + * tc-native 1.2.5 = - =3D=3D APR/native =3D=3D - = - If APR/native connector is used (or if HTTPS connection is terminated at = a load balancer or reverse proxy utilizing the OpenSSL library), cipher sui= tes should be specified in [[https://www.openssl.org/docs/apps/ciphers.html= |OpenSSL format]]. Up-to-date selection of secure cipher suites is availabl= e at [[https://wiki.mozilla.org/Security/Server_Side_TLS|Mozilla wiki]]. -=20 --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org