On 8/29/2015 12:58 PM, George Sexton wrote:
> On 8/25/2015 12:01 AM, Nikitha Benny wrote:
>> Hi All,
>> I am using Tomcat version 7.00.062 supported on JRE 8u45.
>> How do I disable the LogJam Vulnerability?
>
> Here's a pretty nice article:
> https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/
>
> Here's the configuration I created using that article as a base:
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>     SSLEnabled="true"
>     maxThreads="50"
>     scheme="https"
>     secure="true"
>     connectionTimeout="4000"
>     disableUploadTimeout="false"
>     connectionUploadTimeout="900000"
>     maxPostSize="10485760"
>     keystoreFile="${catalina.base}/conf/.keystore"
>     keyAlias="tomcat"
>     clientAuth="false"
>     useServerCipherSuitesOrder="true"
>     ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>     TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,
>     TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>     SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
>
> It's giving me an A on SSLLabs.

There's an updated connector configuration near the end.

>> I have added a line in the java.security file of the JRE.
>> jdk.tls.disabledAlgorithms=DH
>> Is this good enough? Or do we need to add DiffieHellman also?
>> jdk.tls.disabledAlgorithms=DH, DiffieHellman
>
> A good thing is testing using a service. Here's a link:
> https://www.ssllabs.com/ssltest/
>
>> Which one solves the issue of LogJam?
>> Kindly help.
>> Regards,
>> Nikitha

--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
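The connector's `ciphers` list and the question about `jdk.tls.disabledAlgorithms` both come down to which key-exchange methods a connector offers. As an added example (not part of this thread and not Tomcat's own code), here is a Python audit that reads the `ciphers` attribute of every SSL-enabled Connector in a server.xml fragment, splits each suite name into its key-exchange part, and reports the finite-field Diffie-Hellman suites (DHE_*/DH_*), which are the ones whose DH group size matters for Logjam, together with any export-grade suites and any suite without forward secrecy. The server.xml fragment is constructed for the example, the function and report-key names are mine, and the parser assumes Tomcat splits `ciphers` on commas and ignores surrounding whitespace (the line-wrapped list in the quoted mail relies on that).

```python
"""Audit the `ciphers` attribute of Tomcat SSL connectors for Logjam-relevant suites.

Added example for this thread; it is not Tomcat code. Assumption: Tomcat treats
the `ciphers` attribute as a comma-separated list and ignores surrounding
whitespace, including line breaks inserted by a mail client.
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment, modelled on the connector quoted in the thread
# but deliberately including an export-grade DHE suite for the audit to catch.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    useServerCipherSuitesOrder="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service>
"""


def parse_cipher_attr(value):
    """Split a `ciphers` attribute into suite names (assumed comma-separated)."""
    return [s.strip() for s in value.split(",") if s.strip()]


def key_exchange(suite):
    """Return the key-exchange part of a JSSE suite name, e.g. 'DHE_RSA'.

    Suite names have the shape <TLS|SSL>_<key exchange>_WITH_<cipher>_<mac>;
    names without '_WITH_' (signalling values such as SCSVs) yield ''.
    """
    name = re.sub(r"^(TLS|SSL)_", "", suite)
    kx, sep, _ = name.partition("_WITH_")
    return kx if sep else ""


def classify(suite):
    """Describe a suite's key exchange: finite-field DH, export grade, forward secrecy."""
    kx = key_exchange(suite)
    return {
        "suite": suite,
        "key_exchange": kx,
        # DHE_*, DH_* and DH_anon all negotiate over a finite-field DH group,
        # so the group size the server uses is what Logjam is about.
        "finite_field_dh": kx.startswith(("DHE_", "DH_")),
        "export": "EXPORT" in kx,
        # Only ephemeral key exchanges (DHE, ECDHE) give forward secrecy.
        "forward_secrecy": kx.startswith(("DHE_", "ECDHE_")),
    }


def audit_connectors(xml_text):
    """Return one report per SSL-enabled <Connector> found in the XML text."""
    root = ET.fromstring(xml_text)
    reports = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # An absent `ciphers` attribute means the JSSE defaults apply; the
        # report then lists nothing and the running server must be scanned.
        suites = [classify(s) for s in parse_cipher_attr(conn.get("ciphers", ""))]
        reports.append({
            "port": conn.get("port"),
            "configured": [s["suite"] for s in suites],
            "logjam_relevant": [s["suite"] for s in suites if s["finite_field_dh"]],
            "export_grade": [s["suite"] for s in suites if s["export"]],
            "no_forward_secrecy": [s["suite"] for s in suites if not s["forward_secrecy"]],
            "without_dh_or_export": [s["suite"] for s in suites
                                     if not s["finite_field_dh"] and not s["export"]],
        })
    return reports


def suggested_ciphers_attr(report):
    """Join the suites left after dropping DH and export-grade ones into one attribute value."""
    return ",".join(report["without_dh_or_export"])


if __name__ == "__main__":
    for report in audit_connectors(SAMPLE_SERVER_XML):
        print("Connector port", report["port"])
        for key in ("logjam_relevant", "export_grade", "no_forward_secrecy"):
            print(f"  {key}:")
            for suite in report[key]:
                print("    ", suite)
        print("  suggested ciphers attribute:", suggested_ciphers_attr(report))
```

The audit only sees what the connector lists. Whatever `jdk.tls.disabledAlgorithms` contains is applied by the JRE on top of that list, and a connector with no `ciphers` attribute falls back to the JSSE defaults, so the SSL Labs scan George points to remains the check of what the running server will actually negotiate.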