Uzair,

On 7/14/16 10:12 AM, uzair rashid wrote:
> Running Tomcat 6.x

Which one exactly?

> and every week during vulnerability scans we are having the
> following results:
> 
> Vulnerability References:
> 
> SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> 
> Impact: Exploitation allows an attacker to bypass security
> restrictions on the targeted host.
> Solution: Disable RSA_EXPORT cipher suites. Do not use temporary RSA
> key multiple times
> Result:
>   Public key source            key size
>   Public key in certificate    2048(bits)
>   Temporary RSA key            512(bits)
> 
> [snip]
> 
> <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --> 
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" 
> SSLEnabled="true" minSpareThreads="25" enableLookups="false" 
> disableUploadTimeout="true" acceptCount="100" scheme="https" 
> secure="true" clientAuth="false" sslProtocol="TLS" 
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> SSLCipherSuite="!EXPORT"

Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
SSLCipherSuite is for tcnative+APR+OpenSSL. Either case you should be
good.

What version of Java are you using?

-chris
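An added example, not part of either message and not Tomcat code: a small audit of the quoted Connector that lists any export-grade names in the JSSE `ciphers` attribute and notes when both `ciphers` and `SSLCipherSuite` are set, since only one is read depending on the implementation. The function names are hypothetical, the Connector copy keeps only the TLS-related attributes, and the closing `/>` is an assumption added so the fragment parses.

```python
import xml.etree.ElementTree as ET

# Constructed from the quoted post: wrapped "ciphers" value rejoined,
# non-TLS attributes dropped, closing "/>" assumed.
CONNECTOR_XML = '''<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
  SSLCipherSuite="!EXPORT" />'''


def export_suites(jsse_ciphers):
    """Return export-grade suite names from a comma-separated JSSE list."""
    names = [n.strip() for n in jsse_ciphers.split(",") if n.strip()]
    # JSSE export suites carry _EXPORT_ in the name,
    # e.g. SSL_RSA_EXPORT_WITH_RC4_40_MD5.
    return [n for n in names if "_EXPORT_" in n.upper()]


def audit_connector(xml_text):
    """Return a list of findings for one <Connector> element."""
    conn = ET.fromstring(xml_text)
    jsse = conn.get("ciphers")          # read by the JSSE implementation
    apr = conn.get("SSLCipherSuite")    # read by tcnative+APR+OpenSSL
    findings = []
    if jsse is None:
        findings.append("JSSE: no 'ciphers' attribute, JVM defaults apply")
    else:
        bad = export_suites(jsse)
        if bad:
            findings.append("JSSE: export suites listed: " + ", ".join(bad))
    if apr is None:
        findings.append("APR: no 'SSLCipherSuite' attribute set")
    if jsse is not None and apr is not None:
        findings.append("both 'ciphers' and 'SSLCipherSuite' are set: only one "
                        "is read (JSSE vs tcnative+APR+OpenSSL)")
    return findings


if __name__ == "__main__":
    for line in audit_connector(CONNECTOR_XML):
        print(line)
```
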
