how do I block weak ciphers on Tomcat 4.1.31

2008-05-13 Thread Naqvi Zahid - znaqvi
I have extensively searched the web, but I can't find a definitive
answer on this. Here's the situation.

 

I have tomcat 4.1.31 with Java(TM) 2 Runtime Environment, Standard
Edition (build 1.5.0_15-b04), running on a Solaris 8 box. Due to custom
production apps we can not upgrade tomcat at this time (the transition
to tomcat 6 is in progress but not yet completed). Our security scanner
is reporting the following weak ciphers on the port we use for tomcat.

EXP-DES-CBC-SHA Weak Security
EXP-RC4-MD5 Weak Security
DES-CBC-SHA Weak Security

The list of ciphers I have configured in servers.xml is

ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

As you can see, none of the weak ciphers detected by the scanner are
listed in the servers.xml. The question is how do I block these weak
ciphers, and is it possible that an application other than tomcat might
be providing/serving these ciphers (such as a java certificate etc.) on
the port used by tomcat?

 

 

Thanks for any help you can provide.

Zahid

*
The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be
legally privileged.

If the reader of this message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.

If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.

Thank you.
*


Re: how do I block weak ciphers on Tomcat 4.1.31

2008-05-13 Thread Mark Thomas

Naqvi Zahid - znaqvi wrote:

> I have extensively searched the web, but I can't find a definitive
> answer on this. Here's the situation.


You'll need 4.1.32 onwards for the ciphers option to work.

If you are worried about this, then there are plenty of other things to 
worry about (http://tomcat.apache.org/security-4.html) and an upgrade to 
4.1.37 is probably in order.


Mark


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
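
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from the Tomcat project: it translates the scanner's OpenSSL-style names into the JSSE names used in the `ciphers` list and reports every suite the scanner saw that the configured list does not permit. The function names are hypothetical, and the name table covers only the suites mentioned in the question.

```python
# OpenSSL-style names (scanner output) -> JSSE names (Tomcat ciphers list).
OPENSSL_TO_JSSE = {
    "EXP-DES-CBC-SHA": "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-RC4-MD5": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "DES-CBC-SHA": "SSL_RSA_WITH_DES_CBC_SHA",
    "RC4-MD5": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4-SHA": "SSL_RSA_WITH_RC4_128_SHA",
    "EDH-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Scanner findings and configured list, copied from the question above.
SCANNER_REPORT = """\
EXP-DES-CBC-SHA Weak Security
EXP-RC4-MD5 Weak Security
DES-CBC-SHA Weak Security
"""
CONFIGURED = ("ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
              "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA")


def parse_configured(line):
    """Return the set of JSSE suite names in a ciphers=... setting."""
    value = line.split("=", 1)[1].strip().strip('"')
    return {name.strip() for name in value.split(",") if name.strip()}


def parse_scanner(report):
    """Return the OpenSSL-style suite name at the start of each report line."""
    return [ln.split()[0] for ln in report.splitlines() if ln.strip()]


def weakness(jsse_name):
    """Explain why a JSSE suite name is considered weak, or return None."""
    if "_EXPORT_" in jsse_name:
        return "export-grade (40-bit key)"
    if "_WITH_DES_CBC_" in jsse_name:
        return "single DES (56-bit key)"
    return None


def outside_allow_list(report, config_line):
    """Suites the scanner saw that the configured list does not permit."""
    allowed = parse_configured(config_line)
    findings = []
    for openssl_name in parse_scanner(report):
        jsse = OPENSSL_TO_JSSE.get(openssl_name, "UNKNOWN:" + openssl_name)
        if jsse not in allowed:
            findings.append((openssl_name, jsse, weakness(jsse)))
    return findings
```

Calling `outside_allow_list(SCANNER_REPORT, CONFIGURED)` returns all three reported suites, which means the listener is offering suites outside the configured list rather than a subset of it.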



RE: how do I block weak ciphers on Tomcat 4.1.31

2008-05-13 Thread Naqvi Zahid - znaqvi
Thanks Mark, I think it makes a lot of sense. I know that we have to
upgrade but can't do it until all the scripts and production stuff is
moved over to TC6.
Thanks for the pointer, I will try the upgrade to TC4.1.32 so that the
ciphers option starts to work.

-Original Message-
From: Mark Thomas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 13, 2008 1:19 PM
To: Tomcat Users List
Subject: Re: how do I block weak ciphers on Tomcat 4.1.31

Naqvi Zahid - znaqvi wrote:
> I have extensively searched the web, but I can't find a definitive
> answer on this. Here's the situation.

You'll need 4.1.32 onwards for the ciphers option to work.

If you are worried about this, then there are plenty of other things to 
worry about (http://tomcat.apache.org/security-4.html) and an upgrade to
4.1.37 is probably in order.

Mark

