On Thu, Mar 26, 2015 at 10:42 AM, David kerber <dcker...@verizon.net> wrote:

> On 3/26/2015 1:30 PM, Egor Philippov wrote:
>
>> Hi,
>>
>> We're serving our web and API content using Tomcat 8.0.20 using an HTTPs
>> connector that looks something like:
>> <Connector port="443"
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="200" SSLEnabled="true" scheme="https"
>>            clientAuth="false" sslProtocol="TLS"
>>            compression="on" useSendfile="false"
>>            compressableMimeType="text,application"
>>            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>            keystoreFile="C:\ProgramData\Absolute Software\AmWebApiData\certificates\AmWebAdmin.jks"
>>            keystorePass="password"
>>            ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>>                     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>>                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>>                     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>>                     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>>                     TLS_RSA_WITH_AES_128_CBC_SHA256,
>>                     TLS_RSA_WITH_AES_128_CBC_SHA,
>>                     TLS_RSA_WITH_AES_256_CBC_SHA256,
>>                     TLS_RSA_WITH_AES_256_CBC_SHA,
>>                     SSL_RSA_WITH_RC4_128_SHA" />
>>
>> Everything is working fine except Chrome (v41.0) is reporting our app as
>> using 'obsolete cryptography' (as seen in http://imgur.com/WoOLDRH).
>> According to the Chromium docs
>> (https://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome),
>> this is very likely because of SHA-1 being used for "message
>> authentication". I've noticed the same type of warning message reported for
>> virtually any Apache hosted site (ex. https://tomcat.apache.org/index.html,
>> https://www.apache.org/). Anyone familiar with the warning or know
>> whether it represents a real security problem?
>>
>
> I'm no expert on this, but I think it's because you still have at least
> one SSL cipher supported (the last one in the list).
>
> What version of Java is running behind it?
>


We're running Java 7. We originally didn't have the cipher list in the
connector, but I added it yesterday when trying to figure out this
Chrome warning. The ciphers were added as per
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html


Originally the connector was configured like:
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https"
           clientAuth="false" sslProtocol="TLS"
           compression="on" useSendfile="false"
           compressableMimeType="text,application"
           keystoreFile="C:\ProgramData\Absolute Software\AmWebApiData\certificates\AmWebAdmin.jks"
           keystorePass="password" />

with the same result.
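As an added example (not part of any message in this thread and not Tomcat's own code), the following Python script pulls the ciphers attribute out of a Connector element like the ones above and reports, suite by suite, why Chrome would label it obsolete. It assumes the rule described in the Chromium page linked above: a suite counts as modern only when it uses ECDHE key exchange and an AEAD cipher (AES-GCM or ChaCha20-Poly1305), so every CBC-with-HMAC and RC4 suite is flagged whether or not an SSL_-prefixed entry is present. The sample Connector is constructed from the thread's configuration with the keystore values replaced by placeholders.

```python
"""Classify a Tomcat <Connector ciphers="..."> list against Chrome's
'modern cryptography' rule.  Added example, not code from the thread."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Connector from the thread, with site-specific
# keystore values replaced by placeholders.
SAMPLE_CONNECTOR = """<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200" SSLEnabled="true" scheme="https"
    clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="PLACEHOLDER.jks" keystorePass="PLACEHOLDER"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" />"""

# Assumed rule (from the Chromium TLS page): modern == ECDHE key exchange
# plus an AEAD cipher.  Anything else is reported as obsolete.
AEAD_CIPHERS = ("AES_128_GCM", "AES_256_GCM", "CHACHA20_POLY1305")
ECDHE_PREFIXES = ("TLS_ECDHE_RSA_", "TLS_ECDHE_ECDSA_")


def parse_cipher_attr(connector_xml):
    """Return the suite names from the ciphers attribute (comma/space separated)."""
    elem = ET.fromstring(connector_xml)
    raw = elem.get("ciphers", "")
    return [c for c in re.split(r"[\s,]+", raw) if c]


def classify_suite(name):
    """Return the reasons Chrome would call this suite obsolete (empty == modern)."""
    reasons = []
    if name.startswith("SSL_"):
        reasons.append("SSLv3-era suite name")
    if not name.startswith(ECDHE_PREFIXES):
        reasons.append("key exchange is not ECDHE (no forward secrecy)")
    if "_RC4_" in name:
        reasons.append("RC4 stream cipher")
    elif "_CBC_" in name:
        # This is the case behind the thread's warning: the record is
        # authenticated with an HMAC (SHA-1/SHA-256/SHA-384), not an AEAD.
        reasons.append("CBC mode with HMAC for message authentication, not AEAD")
    elif not any(a in name for a in AEAD_CIPHERS):
        reasons.append("not an AEAD cipher")
    return reasons


def is_modern_suite(name):
    return not classify_suite(name)


def audit_ciphers(connector_xml):
    """Split a Connector's cipher list into modern suites and obsolete ones with reasons."""
    suites = parse_cipher_attr(connector_xml)
    return {
        "modern": [s for s in suites if is_modern_suite(s)],
        "obsolete": {s: classify_suite(s) for s in suites if not is_modern_suite(s)},
    }


if __name__ == "__main__":
    report = audit_ciphers(SAMPLE_CONNECTOR)
    print("modern suites:", report["modern"] or "none")
    for suite, why in report["obsolete"].items():
        print(f"obsolete: {suite}: {'; '.join(why)}")
```

On the sample the modern list is empty: every suite is either CBC-with-HMAC or RC4, so the warning is expected with or without the trailing SSL_ entry. The actionable finding is that no AEAD suite is offered at all; which GCM suites a given JVM can actually negotiate is a property of that Java runtime and should be checked there rather than assumed from this script.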
