Joel,

I reviewed the CoG code and don't see any way of configuring a list of
allowed ciphers. On the server, in the Connector, if you added the attribute
"encryption" and set it to true, none of the null ciphers should be used.
Similarly on the client, enabling encryption disables all the null ciphers.

We'll modify the code to reuse the tomcat cipher configuration and add a
hook for non-tomcat scenarios.

Rachana

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joel Schneider
> Sent: Monday, September 15, 2008 8:55 PM
> To: [email protected]
> Subject: [gt-user] configuring cipher usage (under Tomcat)
> 
> For an instance of Java WS Core (4.0.8) running under Tomcat (5.5.26), I'm
> told a security scan recently reported the following two "vulnerabilities":
> 
> - SSL Server Supports Weak Encryption
>   The SSL server supports weak encryption keys, which are defined as
>   encryption keys of less than 128 bits.
> 
> - SSL Server Allows Cleartext Communication (NULL Cipher Support)
>   The host is running an SSL server that supports the NULL cipher.
> 
> This system currently utilizes only the GSITransport authentication method,
> part of which is implemented by a HTTPSConnector Connector and HTTPSValve55
> Valve configured in Tomcat's server.xml file, as documented by the
> "Deploying into Tomcat" section of the administrator's guide.
> 
> If possible, I would like to alleviate any security worries related to this
> by finding answers to questions such as the following.
> 
> - Should we be concerned about these two "vulnerabilities"?  Why,
>   or why not?
> 
> - Is it possible to configure the ciphers accepted by GSI (and
>   Tomcat), to reject the use of "weak" ciphers?  Documentation for
>   the <Connector> element in Tomcat's server.xml file mentions a
>   "ciphers" attribute, but I'm uncertain whether GSI's cipher usage
>   can/should be configured there.
> 
> - Can use of the NULL cipher be disabled at the server level?  What
>   consequences would that have?
> 
> Best regards,
> Joel
> 
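The two scan findings Joel quotes (NULL-cipher support and bulk keys under 128 bits) can both be read straight off a Tomcat `<Connector>`'s `ciphers` attribute, which is a comma-separated list of JSSE suite names. The script below is an added example for this thread, not code from Globus, Tomcat or either poster: it audits each TLS connector in a server.xml for those two conditions, flags connectors that set no `ciphers` attribute at all (so the JSSE default list, which is what the scanner exercised, decides), and can pin every TLS connector to a policy-conforming list. The sample server.xml, the `HARDENED_CIPHERS` list and the name-based key-size table are assumptions of the example; key sizes are the nominal figures a scanner of that era counts (3DES as 168), and the script only edits the attribute, it does not settle the open question in the thread of whether the GSI HTTPSConnector honours it.

```python
"""Audit, and optionally pin, the cipher policy of TLS <Connector> elements in a
Tomcat server.xml: NULL-cipher suites and suites with a bulk key under 128 bits.

Added example for the gt-user thread; the XML below is constructed, not a real
deployment file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml. Port 8443 explicitly allows NULL and <128-bit suites,
# 8444 is pinned to an acceptable list, 8445 sets no "ciphers" attribute at all
# (the JSSE default list applies), 8080 is plain HTTP and carries no policy.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               ciphers="SSL_RSA_WITH_NULL_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8444" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="8445" scheme="https" secure="true"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""

# Nominal bulk-cipher key length inferred from the JSSE suite name (the way the
# scan counts it; 3DES is 168 nominal although its effective strength is 112).
# First matching pattern wins, so NULL and the export suites are listed first.
_KEY_BITS = (
    (re.compile(r"_WITH_NULL_"), 0),
    (re.compile(r"RC4_40|DES40|RC2_CBC_40"), 40),
    (re.compile(r"_WITH_DES_CBC_|RC4_56"), 56),
    (re.compile(r"3DES_EDE"), 168),
    (re.compile(r"AES_128|RC4_128|IDEA_CBC|CAMELLIA_128|SEED_CBC"), 128),
    (re.compile(r"AES_256|CAMELLIA_256"), 256),
)

MIN_KEY_BITS = 128

# Assumed policy list; every suite here must exist in the JVM in use.
HARDENED_CIPHERS = (
    "TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
)


def bulk_key_bits(suite):
    """Return the nominal bulk key size of a JSSE suite name, or None if unknown."""
    for pattern, bits in _KEY_BITS:
        if pattern.search(suite):
            return bits
    return None


def audit_ciphers(suites):
    """Classify a cipher list into NULL, weak (<128-bit) and unrecognised suites."""
    result = {"null": [], "weak": [], "unknown": []}
    for suite in suites:
        bits = bulk_key_bits(suite)
        if bits is None:
            result["unknown"].append(suite)  # fail closed: unknown is not "ok"
        elif bits == 0:
            result["null"].append(suite)
        elif bits < MIN_KEY_BITS:
            result["weak"].append(suite)
    return result


def _tls_connectors(root):
    # Only connectors that terminate TLS carry a cipher policy.
    return [c for c in root.iter("Connector") if c.get("secure") == "true"]


def audit_server_xml(xml_text):
    """Map each TLS connector's port to its audit result.

    "unpinned" is True when the Connector has no "ciphers" attribute, i.e. the
    JSSE default list decides and the policy is not under the admin's control.
    """
    report = {}
    for conn in _tls_connectors(ET.fromstring(xml_text)):
        ciphers = conn.get("ciphers")
        suites = [s.strip() for s in (ciphers or "").split(",") if s.strip()]
        entry = audit_ciphers(suites)
        entry["unpinned"] = ciphers is None
        report[conn.get("port")] = entry
    return report


def pin_ciphers(xml_text, cipher_list=HARDENED_CIPHERS):
    """Return server.xml with every TLS Connector's "ciphers" set to cipher_list."""
    root = ET.fromstring(xml_text)
    for conn in _tls_connectors(root):
        conn.set("ciphers", cipher_list)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, entry in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, entry)
    print(pin_ciphers(SAMPLE_SERVER_XML))
```

Run it against a real server.xml by replacing `SAMPLE_SERVER_XML` with the file contents; a clean result is every TLS connector reporting empty `null`, `weak` and `unknown` lists with `unpinned` False. Whether the pinned list actually governs the GSI handshake still has to be confirmed against the running server, since the thread's reply indicates the GSI connector applied its own cipher handling at the time.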
