On 01/07/2016 08:03, Greg Beresnev wrote:
> Thanks Daniel - any idea which cipher in particular needs to be absent in
> order for the SHA-1-based connection/authentication to be rejected/fail?

I recommend using SSLLabs to test your site.

Also, the version of Java you use is important. See this page for details:
https://wiki.apache.org/tomcat/Security/Ciphers

Finally, if you want to limit client certificates, you could add a
custom X509UsernameRetrieverClassName to your Realm and use that to drop
any user certificates using SHA1. It isn't what that class was intended
for but it should work.

Mark


> 
> regards,
> Greg
> 
> 
> On Fri, Jul 1, 2016 at 4:53 PM, Daniel Savard <daniel.sav...@gmail.com>
> wrote:
> 
>>   2016-06-30 23:05 GMT-04:00 Greg Beresnev <russiande...@gmail.com>:
>>
>>> Hi,
>>>
>>> We're in the process of updating our web application to stop using SHA-1
>>> certificates and I was wondering if there was some way to configure Tomcat
>>> (we're on version 7.0.39 - yes, I know, we are pretty old-school and should
>>> get with the times) to either throw errors or at least log warnings for the
>>> cases where a connection/authentication attempt is being made using a SHA-1
>>> certificate?
>>>
>>
>> No.
>>
>> However, you can select the accepted ciphers to reject anything that
>> doesn't meet your standards.
>>
>> -----------------
>> Daniel Savard
>>
> 


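One way to implement the custom retriever Mark suggests above, as an added example that is not code from the thread or from Tomcat itself: it assumes a Tomcat version whose Realm supports the `X509UsernameRetrieverClassName` attribute, and the class and package names (`example.NoSha1UsernameRetriever`) are hypothetical. It rejects a client certificate whose own signature algorithm is SHA-1 and otherwise delegates to Tomcat's default subject-DN retriever so existing usernames keep working.

```java
// Hypothetical class written for this thread, not part of Tomcat.
// Assumes a Tomcat version whose Realm supports X509UsernameRetrieverClassName.
// Wired up in server.xml / context.xml, for example:
//   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
//          resourceName="UserDatabase"
//          X509UsernameRetrieverClassName="example.NoSha1UsernameRetriever"/>
package example;

import java.security.cert.X509Certificate;
import java.util.Locale;

import org.apache.catalina.realm.X509SubjectDnRetriever;
import org.apache.catalina.realm.X509UsernameRetriever;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public class NoSha1UsernameRetriever implements X509UsernameRetriever {

    private static final Log log = LogFactory.getLog(NoSha1UsernameRetriever.class);

    // Tomcat's default retriever; delegating keeps the username format identical
    // to what the Realm would have produced without this class.
    private final X509UsernameRetriever delegate = new X509SubjectDnRetriever();

    @Override
    public String getUsername(X509Certificate cert) {
        // The retriever only sees the client's leaf certificate, so this checks
        // the algorithm the CA used to sign it, e.g. "SHA1withRSA" / "SHA1withECDSA".
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        if (sigAlg.startsWith("SHA1") || sigAlg.startsWith("SHA-1")) {
            // Log enough to identify the offending certificate without dumping it.
            log.warn("Rejecting client certificate signed with " + cert.getSigAlgName()
                    + ": subject=" + cert.getSubjectX500Principal()
                    + " serial=" + cert.getSerialNumber());
            // Returning null means the Realm has no username to look up, so no
            // Principal is produced and the CLIENT-CERT authentication fails.
            // (Assumption: confirm null is handled as a failed lookup by your Realm.)
            return null;
        }
        return delegate.getUsername(cert);
    }
}
```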