All,

On 7/14/16 9:22 PM, Christopher Schultz wrote:
> Mark,
>
> On 7/14/16 4:14 PM, Mark Thomas wrote:
>> On 14/07/2016 19:36, uzair rashid wrote:
>>> Jeffrey,
>>>
>>> Working for a corporation that has strict ssl and security
>>> requirements. There is no way to use the tools you suggested,
>>> since the tomcat URLs are not exposed.
>
>> That doesn't stop you setting up a stand-alone test instance
>> using the same settings (with a different cert if you are
>> especially paranoid) and checking those settings using the
>> excellent ssllabs.
>
>> Keeping your Tomcat and JVM versions up to date will also help.
>> The Tomcat team periodically reviews Tomcat's default TLS
>> configuration and adjusts it accordingly. For details of the
>> most recent review see:
>> https://wiki.apache.org/tomcat/Security/Ciphers
>
> A few thoughts:
>
> [snip]
>
> 6. Qualys has a tool called ssllabs-scan available on GitHub:
> https://github.com/ssllabs/ssllabs-scan/
>
> [snip]
>
> The existence of the ssllabs-scan tool means it's also possible to
> set up automated periodic scanning of your own site(s). If you
> expect to get an "A" rating and one day you aren't "A" quality any
> more, you should get an alarm without having to remember to
> manually run the web-based tool when you get around to doing it.

And of course, such a thing already exists:

https://www.unixadm.org/nagios/check_sslscan

This tool uses SSLLabs's online tool so it would be subject to the
same restrictions as the web-based version (e.g. no internal hosts).

-chris