Hi,

We're serving our web and API content using Tomcat 8.0.20 with an HTTPS
connector that looks something like:
    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200" SSLEnabled="true" scheme="https"
               clientAuth="false" sslProtocol="TLS"
               compression="on" useSendfile="false"
               compressableMimeType="text,application"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="C:\ProgramData\Absolute Software\AmWebApiData\certificates\AmWebAdmin.jks"
               keystorePass="password"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_CBC_SHA,
                        SSL_RSA_WITH_RC4_128_SHA" />

Everything is working fine, except that Chrome (v41.0) is reporting our app as
using "obsolete cryptography" (as seen in http://imgur.com/WoOLDRH).
According to the Chromium docs
(https://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome),
this is very likely because of SHA-1 being used for "message
authentication". I've noticed the same type of warning reported for
virtually any Apache-hosted site (e.g. https://tomcat.apache.org/index.html,
https://www.apache.org/). Is anyone familiar with the warning, or does anyone
know whether it represents a real security problem?
- Egor
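The following script is an added example, not part of the original message and not Tomcat's own tooling. It audits a connector's `ciphers` attribute against what Chrome checks before labelling a connection "obsolete cryptography": a TLS 1.2 handshake with an ECDHE key exchange and an AEAD cipher (AES-GCM or ChaCha20-Poly1305) is reported as modern; RC4, CBC-mode suites with an HMAC (including the HMAC-SHA1 "message authentication" the Chromium page mentions) and static RSA key exchange are not. The sample input is the cipher list from the connector above, embedded as a constructed constant; the `MODERN_CANDIDATES` list assumes a Java 8 runtime, since Java 7's JSSE offers no AES-GCM suites.

```python
"""Audit a Tomcat connector's ``ciphers`` value against Chrome's "obsolete
cryptography" criteria and suggest a replacement list.

Added example; not from the original message or from Tomcat itself.
"""
import re

# Constructed input: the ciphers attribute value copied from the connector above.
CONNECTOR_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
)

# AEAD, forward-secret suites available in Java 8's JSSE (assumption: Java 8
# runtime; Java 7 has no AES-GCM suites). Ordered strongest-first.
MODERN_CANDIDATES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def parse_cipher_list(value):
    """Split the attribute value on commas and whitespace, dropping empties
    (Tomcat accepts the list with arbitrary whitespace between names)."""
    return [c for c in re.split(r"[,\s]+", value.strip()) if c]


def obsolete_reasons(suite):
    """Return why Chrome would call this suite obsolete; empty list means modern."""
    reasons = []
    if suite.startswith("SSL_"):
        reasons.append("SSLv3-era suite name")
    if "_RC4_" in suite:
        reasons.append("RC4 stream cipher")
    if "_CBC_" in suite:
        reasons.append("CBC mode with HMAC (not AEAD)")
    if suite.endswith("_SHA"):
        reasons.append("HMAC-SHA1 message authentication")
    if "_ECDHE_" not in suite and "_DHE_" not in suite:
        reasons.append("static RSA key exchange (no forward secrecy)")
    return reasons


def is_aead(suite):
    """AEAD suites carry GCM or ChaCha20-Poly1305 in their IANA name."""
    return "_GCM_" in suite or "CHACHA20_POLY1305" in suite


def audit(value):
    """Map every configured suite to the list of problems found with it."""
    return {s: obsolete_reasons(s) for s in parse_cipher_list(value)}


def recommended_ciphers(value):
    """Keep configured suites that already pass, then add Java 8 AEAD suites.

    The result is a drop-in value for the connector's ciphers attribute."""
    keep = [s for s in parse_cipher_list(value)
            if not obsolete_reasons(s) and is_aead(s)]
    for cand in MODERN_CANDIDATES:
        if cand not in keep:
            keep.append(cand)
    return ",".join(keep)


if __name__ == "__main__":
    for suite, problems in audit(CONNECTOR_CIPHERS).items():
        print(f"{suite}: {'; '.join(problems) or 'OK'}")
    print('\nSuggested attribute:\n  ciphers="%s"' % recommended_ciphers(CONNECTOR_CIPHERS))
```

Run against the connector above, every one of the ten configured suites is flagged, because each uses either RC4 or CBC mode; the suggested replacement keeps only ECDHE + AES-GCM suites, which also removes the SHA-1 HMAC that the Chromium page calls out. Whether the GCM suites actually negotiate depends on the JVM the connector runs on, so check the chosen suite with a browser's connection details after changing the attribute.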
