Hello Chris,

We are using Tomcat version: 6.0.36.0

JRE 1.6.0

Do you think I need to change the settings to the following:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="HTTP/1.1"
        maxThreads="150"
        SSLEnabled="true"
        minSpareThreads="25"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        clientAuth="false"
        SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        keystorePass="password"
        keystoreFile="/otex/tomcat/.keystore"/>

    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector port="443" protocol="HTTP/1.1"
        maxThreads="150"
        SSLEnabled="true"
        minSpareThreads="25"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        clientAuth="false"
        SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        keystorePass="password"
        keystoreFile="/otex/tomcat/.keystore"/>



Really look forward to your expertise on this.


Thank you





On Thu, Jul 14, 2016 at 7:07 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Uzair,
>
> On 7/14/16 10:12 AM, uzair rashid wrote:
> > Running Tomcat 6.x
>
> Which one exactly?
>
> > and every week during vulnerability scans we are having the
> > following results:
> >
> > Vulnerability References:
> >
> > SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
> >
> > Impact: Exploitation allows an attacker to bypass security
> > restrictions on the targeted host.
> > Solution: Disable RSA_EXPORT cipher suites. Do not use temporary RSA
> > key multiple times.
> > Result (table, 2 columns):
> >   Public key source          Key size
> >   Public key in certificate  2048 (bits)
> >   Temporary RSA key          512 (bits)
> >
> > [snip]
> >
> > <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> > <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
> > SSLEnabled="true" minSpareThreads="25" enableLookups="false"
> > disableUploadTimeout="true" acceptCount="100" scheme="https"
> > secure="true" clientAuth="false" sslProtocol="TLS"
> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
> >
> >
> SSLCipherSuite="!EXPORT"
>
> Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
> SSLCipherSuite is for tcnative+APR+OpenSSL. In either case you should be
> good.
>
> What version of Java are you using?
>
> - -chris
>

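As an added example (my own, not code from this thread or from Tomcat): a small Python lint that reads the SSL connectors from a server.xml and reports export-grade or otherwise weak JSSE suite names (the FREAK finding above), an OpenSSL cipher string that does not exclude EXPORT, SSLv2/SSLv3 in sslEnabledProtocols, and JSSE and APR attribute names mixed on one connector, which is what the proposed 8443 connector does. The attribute-name split is an assumption taken from Chris's reply (ciphers for JSSE, SSLCipherSuite for APR) and his quoted sslProtocol/sslEnabledProtocols config; the sample server.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names per implementation (assumption from Chris's reply and the
# Tomcat 6 docs): JSSE uses ciphers/sslProtocol/sslEnabledProtocols,
# tcnative+APR+OpenSSL uses SSLCipherSuite/SSLProtocol.
JSSE_ATTRS = {"ciphers", "sslProtocol", "sslEnabledProtocols"}
APR_ATTRS = {"SSLCipherSuite", "SSLProtocol"}
WEAK_SUITE = re.compile(r"EXPORT|_NULL_|_anon_|RC4|MD5", re.I)  # JSSE names

def lint_connector(conn):
    """Return a list of findings for one <Connector> element (empty = clean)."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return []
    attrs, findings = set(conn.keys()), []
    if attrs & JSSE_ATTRS and attrs & APR_ATTRS:
        findings.append("mixed JSSE and APR attributes: "
                        + ", ".join(sorted(attrs & (JSSE_ATTRS | APR_ATTRS))))
    ciphers = conn.get("ciphers")
    if ciphers is not None:
        weak = [s for s in ciphers.split(",") if WEAK_SUITE.search(s)]
        if weak:
            findings.append("weak suites: " + ", ".join(weak))
    elif "SSLCipherSuite" in attrs:
        # OpenSSL cipher string: expect an explicit exclusion of export suites
        if not re.search(r"!(EXP(ORT)?|LOW)", conn.get("SSLCipherSuite")):
            findings.append("SSLCipherSuite does not exclude EXPORT suites")
    else:
        findings.append("no cipher list: JRE/OpenSSL default suites apply")
    protos = conn.get("sslEnabledProtocols", "")
    old = [p for p in protos.split(",") if p.strip().upper().startswith("SSL")]
    if old:
        findings.append("SSLv2/SSLv3 enabled: " + ", ".join(old))
    return findings

def lint_server_xml(xml_text):
    """Map each connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")}

# Constructed sample: the 8443 proposal from the message above plus an
# APR-style connector. Keystore path and password are placeholders.
SAMPLE = """<Server><Service>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
     secure="true" clientAuth="false" SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
     keystoreFile="/path/to/keystore" keystorePass="CHANGEME"/>
  <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
     SSLProtocol="TLSv1.2" SSLCipherSuite="HIGH:!aNULL:!EXPORT"/>
</Service></Server>"""
```

Running lint_server_xml(SAMPLE) flags the 8443 connector for mixing SSLProtocol with ciphers and reports the 8444 connector as clean.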