Hello Chris,

We are using Tomcat version: 6.0.36.0
JRE 1.6.0

Do you think I need to change the settings to the following:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
           SSLEnabled="true" minSpareThreads="25" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https"
           secure="true" clientAuth="false"
           SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="password" keystoreFile="/otex/tomcat/.keystore"/>

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
<Connector port="443" protocol="HTTP/1.1" maxThreads="150"
           SSLEnabled="true" minSpareThreads="25" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https"
           secure="true" clientAuth="false"
           SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="password" keystoreFile="/otex/tomcat/.keystore"/>

Really look forward to your expertise on this.

Thank you

On Thu, Jul 14, 2016 at 7:07 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Uzair,
>
> On 7/14/16 10:12 AM, uzair rashid wrote:
> > Running Tomcat 6.x
>
> Which one exactly?
>
> > and every week during vulnerability scans we are having the
> > following results:
> >
> > Vulnerability References:
> >
> > SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> >
> > Impact: Exploitation allows an attacker to bypass security
> > restrictions on the targeted host.
> > Solution: Disable RSA_EXPORT cipher suites. Do not use temporary
> > RSA key multiple times
> > Result:
> >
> >   Public key source           Key size
> >   Public key in certificate   2048 (bits)
> >   Temporary RSA key           512 (bits)
> >
> > [snip]
> >
> > <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> > <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
> >            SSLEnabled="true" minSpareThreads="25" enableLookups="false"
> >            disableUploadTimeout="true" acceptCount="100" scheme="https"
> >            secure="true" clientAuth="false" sslProtocol="TLS"
> >            sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> >            ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> >            SSLCipherSuite="!EXPORT"
>
> Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
> SSLCipherSuite is for tcnative+APR+OpenSSL. Either case you should be
> good.
>
> What version of Java are you using?
>
> -chris
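As an added check, not from this thread or from Tomcat itself: a small Python lint that parses a server.xml fragment and reports, per SSL connector, the problems discussed above: RSA_EXPORT (FREAK) and other weak suites in a JSSE `ciphers` list, an APR `SSLCipherSuite` that does not exclude EXPORT, and a connector that mixes JSSE attributes (ciphers, sslProtocol, sslEnabledProtocols) with APR ones (SSLCipherSuite, SSLProtocol), since Tomcat only reads the family matching the active implementation. The sample XML and the attribute sets are constructed assumptions modelled on the connector in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the connector posted in the thread (not the
# poster's real server.xml). WEAK mixes an APR-only attribute into a JSSE
# connector and enables an RSA_EXPORT suite; FIXED is the corrected form.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
  secure="true" SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_EXPORT_WITH_RC4_40_MD5"
  keystoreFile="/path/to/.keystore"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""
FIXED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
  secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
  keystoreFile="/path/to/.keystore"/>
</Service></Server>"""

# Tomcat 6 reads one attribute family or the other, depending on whether the
# connector runs on JSSE or on tcnative+APR+OpenSSL (assumed subset of names).
JSSE_ATTRS = {"ciphers", "sslProtocol", "sslEnabledProtocols", "keystoreFile"}
APR_ATTRS = {"SSLCipherSuite", "SSLProtocol", "SSLCertificateFile"}
# Substrings that identify suites a FREAK-style scanner will flag.
WEAK_MARKERS = ("EXPORT", "NULL", "RC4", "_DES_", "MD5", "anon")

def lint_ssl_connectors(server_xml):
    """Return {port: [finding, ...]} for every SSLEnabled Connector."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues, attrs = [], set(conn.attrib)
        jsse, apr = attrs & JSSE_ATTRS, attrs & APR_ATTRS
        if jsse and apr:
            issues.append("mixes JSSE %s with APR %s; only the active "
                          "implementation's family is honoured"
                          % (sorted(jsse), sorted(apr)))
        for suite in filter(None, conn.get("ciphers", "").split(",")):
            if any(m in suite for m in WEAK_MARKERS):
                issues.append("weak or export suite enabled: " + suite)
        if "SSLCipherSuite" in attrs and "!EXPORT" not in conn.get("SSLCipherSuite"):
            issues.append("APR SSLCipherSuite does not exclude EXPORT suites")
        if jsse and "sslEnabledProtocols" not in attrs:
            issues.append("no sslEnabledProtocols; enabled versions fall back "
                          "to the JRE defaults")
        findings[conn.get("port", "?")] = issues
    return findings
```

Run `lint_ssl_connectors(open("server.xml").read())` against a real file; an empty list for a port means none of the above problems were found in that connector's attributes.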