OS: Linux i386 2.6.18-404.el5
Java: Oracle Corporation Java HotSpot(TM) Server VM 1.8.0_45
Tomcat: Apache Tomcat/8.0.21
On Wed, May 20, 2015 at 7:12 PM, Glen Peterson <g...@organicdesign.org> wrote:
> I've been using Tomcat as a stand-alone web server for years. Last
> year, I started testing my site here:
> https://www.ssllabs.com/ssltest
>
> I notice that there are only 3 fully secure cipher-suites left (there
> were 6 left 2 months ago). Also, I only get an A, not an A+ due to
> "TLS_FALLBACK_SCSV not supported."
>
> According to this:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=57464
>
> my issue is that I need openssl version 1.0.1j.
>
> I just downloaded and built my openssl 1.02 from the latest sources
> and installed it. As tomcat (or root) I can now see the new version:
> openssl version
> OpenSSL 1.0.2a 19 Mar 2015
>
> I stopped and started Tomcat, ran the ssllabs test, and got EXACTLY
> the same result I had with the old version of openssl. I think it
> must use some Java cryptography libraries instead. So the
> cipher-suites Tomcat supports are tied to the version of Java I have
> installed, not the version of OpenSSL (even though a lot of the
> configuration syntax is identical).
>
> I think that most people run apache-httpd and let it handle
> encryption, serving static files, and a whole bunch of other stuff,
> then they run Tomcat behind it, or within it, as a kind of plug-in, or
> extra. I've always avoided that because there are whole books about
> how to configure apache-httpd securely. It's one more thing to
> update, maintain, etc. Is it worth it?
>
> I'm aware of a "tomcat native" that uses its own openssl version, but
> I've never tried it, nor do I know anyone who uses it. Of course,
> that's a new thing to learn, but presumably, it's tied to the regular
> Tomcat, so they don't have to be upgraded separately.
>
> Thoughts?
>
> --
> Glen K. Peterson
> (828) 393-0081

--
Glen K. Peterson
(828) 393-0081

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
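The two TLS stacks the message above is comparing, shown as an added server.xml example for Tomcat 8.0 (this is illustration written for this page, not code from the original message or from the Tomcat project). The port, keystore and PEM file paths, and the cipher lists are assumptions; the attribute names are the Tomcat 8.0 ones for each connector type. The point of the side-by-side is that a JSSE connector gets its protocol and cipher-suite support from the JDK, while an APR/native connector gets it from the OpenSSL that libtcnative was built against, which is why replacing the system openssl binary alone does not change what the JSSE connector offers.

```xml
<!-- Added example (not from the original post or the Tomcat distribution).
     Paths, port and cipher lists are assumptions for illustration. -->

<!-- 1. JSSE connector: TLS is implemented by the JVM (javax.net.ssl).
        Available protocols and cipher suites come from the installed JDK,
        so a newer system OpenSSL changes nothing here.
        Cipher suite names use the JSSE form (TLS_...). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
           useServerCipherSuitesOrder="true" />

<!-- 2. APR/native connector: TLS is implemented by the OpenSSL that the
        tomcat-native library (libtcnative) was linked against. The listener
        below loads that library; without it the APR connector cannot start.
        Certificate and key are PEM files, and cipher suite names use the
        OpenSSL form (ECDHE-RSA-...). -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" />

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="${catalina.base}/conf/server.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/server.key"
           SSLCertificateChainFile="${catalina.base}/conf/chain.pem"
           SSLProtocol="TLSv1.2+TLSv1.1+TLSv1"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
           SSLHonorCipherOrder="true" />
```

Only one of the two connectors would be active on a given port. Two checks are worth doing after switching. First, look at the startup log: when the native library loads, the AprLifecycleListener logs the tomcat-native and OpenSSL versions it initialised, and that OpenSSL version is the one that matters, not the output of "openssl version" on the shell, because libtcnative is built and linked separately from Tomcat and has to be rebuilt against the newer OpenSSL before the TLS_FALLBACK_SCSV support from 1.0.1j shows up. Second, test the SCSV directly with "openssl s_client -connect host:8443 -tls1 -fallback_scsv": a server that honours the signalling suite and also offers TLS 1.2 rejects that deliberately downgraded handshake with an inappropriate-fallback alert, while a server without SCSV support completes it at TLS 1.0. Note that the SCSV only has meaning when more than one protocol version is enabled; a connector limited to TLSv1.2 has no downgrade to protect against.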