On 06/11/2015 02:35 PM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Arthur,
On 6/11/15 2:14 PM, Arthur Ramsey wrote:
Is anyone aware of a way to mitigate the Logjam attack with tomcat
7 and java 7?
Disable DHE_EXPORT on the server?
I believe I have, but Qualys SSL Server Test still fails me on the
Logjam check.
SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
I use tcnative and openssl-1.0.2a both compiled from source in
production today, but I would be open to JSSE too. I believe I
need Java 8 to mitigate CVE-2015-4000 with JSSE.
Why?
See
http://stackoverflow.com/questions/30352105/how-to-set-custom-dh-group-in-java-sslengine-to-prevent-logjam-attack
I don't see anyway to use a unique 2048-bit or greater DH group
with tcnative currently.
I believe you are correct; there is a bug in BZ:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
It looks like 1.1.34 will have this feature. You can build the current
trunk of the 1.1 branch and probably be okay.
Thanks, I'll give it a try. Scary to use in production, but it may be
my best answer.
I'm not sure if there is anything I can do at compile time. I'd
rather not change the cipher suites as I want to maintain browser
support.
You should disable EXPORT certificates no matter what. Or were you
talking about the DH parameters?
I was talking about DH parameters.
My server configuration passed the Qualys SSL Server Test with
flying colors until Logjam, so I would be worried about regressions
on other security fixes if I used JSSE.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIcBAEBCAAGBQJVeeL0AAoJEBzwKT+lPKRYkJQQAIyplWF0F65zvlzuQTrsFYPC
Ioh+w4ddwalB1OFzaxGjnulwN9eO91iudqFiZyFpZnh7jV8GOJCQVO5whbBIXvQm
l4RUispklWXNh2ClFfkW2YoXwfZPBhk4um5oVo2KHN7wf3F9AhvA/oz3Ecm2WUdg
lQ7q4+WapZknWS6YdxwMzG7Jl7k6gGgnhfe6SmtEYMDKE8ktTcyAjpHX+NhXXC+e
iCiZ0+DH1lYmUIHdVJu2FIgdui0CVecArJ9ufniiIpbYOnjWFxu+IZGlBuTgoAHg
8Lu7koGDOOnagSdJ6DNJeEyniRVPA61zcKRIqB1IWJJzgZVIpo8/wF4r9jGFIH3b
x+3cqqSiDLppHar48ENIGbqYRCwybRCiJu3SvKLJ/zRs51ybxKbSXOondPWqIRD/
rbLQN6Z/2nQUeSp7A7iKGQj1CqFSDp5IFBqwvP4A9xWFbqCbwOWUfKhgM8UrToLN
DRbtjdpGZvA0lJqxmR9nKWn9K9nNRcViI2wlcDOB22RFjz2S+fUToylf8utUJbW0
MJ5GdqnPYMp3r0NajnWaY8z1POneaqnLHnW5xnhLA2UgDBoClUA2Xe/UmU+ngUT3
OOJDb52+Xr3V+JvsDuK6cgoHTM7X+2i3+75acigwMyPYO34hA1uanVhx7XTvheqA
XkCixeOIXgynHCDcWYDc
=Lycq
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Thanks,
Arthur
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
