I've been using Tomcat as a stand-alone web server for years. Last year, I started testing my site here: https://www.ssllabs.com/ssltest

I notice that there are only 3 fully secure cipher-suites left (there were 6 left 2 months ago). Also, I only get an A, not an A+, due to "TLS_FALLBACK_SCSV not supported." According to this: https://bz.apache.org/bugzilla/show_bug.cgi?id=57464 my issue is that I need openssl version 1.0.1j.

I just downloaded and built my openssl 1.02 from the latest sources and installed it. As tomcat (or root), I can now see the new version:

    openssl version
    OpenSSL 1.0.2a 19 Mar 2015

I stopped and started Tomcat, ran the ssllabs test, and got EXACTLY the same result I had with the old version of openssl. I think it must use some Java cryptography libraries instead. So the cipher-suites Tomcat supports are tied to the version of Java I have installed, not the version of OpenSSL (even though a lot of the configuration syntax is identical).

I think that most people run apache-httpd and let it handle encryption, serving static files, and a whole bunch of other stuff, then they run Tomcat behind it, or within it, as a kind of plug-in, or extra. I've always avoided that because there are whole books about how to configure apache-httpd securely. It's one more thing to update, maintain, etc. Is it worth it?

I'm aware of a "tomcat native" that uses its own openssl version, but I've never tried it, nor do I know anyone who uses it. Of course, that's a new thing to learn, but presumably it's tied to the regular Tomcat, so they don't have to be upgraded separately.

Thoughts?

-- 
Glen K. Peterson
(828) 393-0081
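The post's core observation is that a stock Tomcat connector (JSSE, the `Http11NioProtocol` family) negotiates TLS with the JVM's own crypto provider, so upgrading the system OpenSSL changes nothing; only the APR/tomcat-native connector links against OpenSSL. The quickest way to confirm which cipher suites and protocols such a Tomcat can actually offer is to ask the same JVM directly. The following is an added example, not code from the post or from the Tomcat project: it lists the JSSE default and supported cipher suites and protocols, and tags the ones that matter for an SSL Labs-style grade (forward secrecy via ECDHE/DHE, AEAD via GCM, and legacy suites such as RC4, DES and NULL). The classification rules are my own heuristics for reading the list, not an official SSL Labs rating.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Inventory of what the running JVM's JSSE provider will negotiate.
 * A Tomcat JSSE connector on this JVM can offer at most the
 * "supported" set, and by default only the "enabled" set.
 */
public class JsseCipherInventory {

    /** Rough, added-here classification of a suite name for a quick review. */
    static String classify(String suite) {
        List<String> tags = new ArrayList<>();
        // Legacy or broken primitives: SSL Labs marks these down.
        if (suite.contains("_RC4_") || suite.contains("_DES_")
                || suite.contains("_NULL_") || suite.contains("_anon_")
                || suite.contains("_EXPORT")) {
            tags.add("WEAK");
        }
        // Forward secrecy: ephemeral key exchange.
        if (suite.startsWith("TLS_ECDHE_") || suite.startsWith("TLS_DHE_")) {
            tags.add("FS");
        }
        // AEAD mode avoids CBC padding-oracle style issues.
        if (suite.contains("_GCM_") || suite.contains("_CHACHA20_")) {
            tags.add("AEAD");
        }
        return tags.isEmpty() ? "" : "  [" + String.join(",", tags) + "]";
    }

    /** Enabled suites that carry neither forward secrecy nor AEAD. */
    static List<String> suitesWorthReviewing(String[] enabled) {
        List<String> out = new ArrayList<>();
        for (String s : enabled) {
            String c = classify(s);
            if (c.contains("WEAK") || !(c.contains("FS") && c.contains("AEAD"))) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("JSSE provider = " + ctx.getProvider().getName()
                + " " + ctx.getProvider().getVersionStr());

        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("\nSupported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled protocols:   " + Arrays.toString(enabled.getProtocols()));

        System.out.println("\nEnabled cipher suites (" + enabled.getCipherSuites().length + "):");
        for (String s : enabled.getCipherSuites()) {
            System.out.println("  " + s + classify(s));
        }

        System.out.println("\nSupported but not enabled by default ("
                + (supported.getCipherSuites().length - enabled.getCipherSuites().length) + "):");
        List<String> enabledList = Arrays.asList(enabled.getCipherSuites());
        for (String s : supported.getCipherSuites()) {
            if (!enabledList.contains(s)) {
                System.out.println("  " + s + classify(s));
            }
        }

        System.out.println("\nEnabled suites lacking FS+AEAD or flagged WEAK: "
                + suitesWorthReviewing(enabled.getCipherSuites()).size());
    }
}
```

Run it with the exact JVM Tomcat starts under (`$JAVA_HOME/bin/java JsseCipherInventory`), since a different JDK on the same box can have a different list. If the output does not change after an OpenSSL upgrade but does change after a JDK upgrade, that confirms the JSSE path; the `ciphers` and `sslProtocol` attributes on the Tomcat connector can only narrow this list, never extend it.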
I notice that there are only 3 fully secure cipher-suites left (there were 6 left 2 months ago). Also, I only get an A, not an A+ due to "TLS_FALLBACK_SCSV not supported." According to this: https://bz.apache.org/bugzilla/show_bug.cgi?id=57464 my issue is that I need openssl version 1.0.1j. I just downloaded and built my openssl 1.02 from the latest sources and installed it. As tomcat, (or root) I can now see the new version: openssl version OpenSSL 1.0.2a 19 Mar 2015 I stopped and started Tomcat, ran the ssllabs test, and got EXACTLY the same result I had with the old version of openssl. I think it must use some Java cryptography libraries instead. So the cipher-suites Tomcat supports are tied to the version of Java I have installed, not the version of OpenSSL (even though a lot of the configuration syntax is identical). I think that most people run apache-httpd and let it handle encryption, serving static files, and a whole bunch of other stuff, then they run Tomcat behind it, or within it, as a kind of plug-in, or extra. I've always avoided that because there are whole books about how to configure apache-httpd securely. It's one more thing to update, maintain, etc. Is it worth it? I'm aware of a "tomcat native" that uses it's own openssl version, but I've never tried it, nor do I know anyone who uses it. Of course, that's a new thing to learn, but presumably, it's tied to the regular Tomcat, so they don't have to be upgraded separately. Thoughts? -- Glen K. Peterson (828) 393-0081 --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org