Hi All,

Just to add to this, I also have had issues with testing SSL setups in non-prod 
environments that are not exposed to the internet.

I've been using testssl.sh for some time now and it has met my needs.

https://github.com/drwetter/testssl.sh

There are other open source solutions for internal scanning with a web front 
end like SSL Decoder, but this script works well if you are comfortable in 
Linux.

Cheers,

Robert Sulliman
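One way to get the "alarm when the grade drops" behaviour that Chris describes below for hosts that SSL Labs cannot reach is to run testssl.sh from cron with `--jsonfile` and turn its report into a Nagios-style check. The script here is an added example, not code from testssl.sh, Nagios, check_sslscan or anyone in this thread. It assumes the JSON shape testssl.sh writes (a list of objects with "id", "severity" and "finding" keys, severities DEBUG/INFO/OK/LOW/MEDIUM/HIGH/CRITICAL); the two sample reports embedded in it are constructed for the example, and the hypothetical file names in the usage line are placeholders.

```python
"""Turn a testssl.sh JSON report into a Nagios-style check and flag regressions.

Added example, not part of testssl.sh or Nagios. Assumed report structure:
`testssl.sh --jsonfile report.json https://internal-host:8443/` writes a list
of objects with at least "id", "severity" and "finding". Severity strings
not in SEVERITY_RANK (e.g. "WARN", which testssl.sh uses for scan problems)
are treated as rank 0 and never raise an alarm here.
"""
import json
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Assumed testssl.sh severity levels, ordered lowest to highest.
SEVERITY_RANK = {"DEBUG": 0, "INFO": 1, "OK": 2, "LOW": 3, "MEDIUM": 4,
                 "HIGH": 5, "CRITICAL": 6}

# Constructed sample: an earlier scan of a host whose only issue was a
# SHA-1 signed certificate.
SAMPLE_PREVIOUS = json.dumps([
    {"id": "service", "severity": "INFO", "finding": "HTTP"},
    {"id": "SSLv2", "severity": "OK", "finding": "not offered"},
    {"id": "SSLv3", "severity": "OK", "finding": "not offered"},
    {"id": "TLS1_2", "severity": "OK", "finding": "offered"},
    {"id": "cipherlist_RC4", "severity": "OK", "finding": "not offered"},
    {"id": "cert_signatureAlgorithm", "severity": "MEDIUM", "finding": "SHA1 with RSA"},
    {"id": "heartbleed", "severity": "OK", "finding": "not vulnerable"},
])

# Constructed sample: the same host after someone "fixed" a compatibility
# complaint by re-enabling SSLv3 and RC4.
SAMPLE_REPORT = json.dumps([
    {"id": "service", "severity": "INFO", "finding": "HTTP"},
    {"id": "SSLv2", "severity": "OK", "finding": "not offered"},
    {"id": "SSLv3", "severity": "HIGH", "finding": "offered"},
    {"id": "TLS1_2", "severity": "OK", "finding": "offered"},
    {"id": "cipherlist_RC4", "severity": "HIGH", "finding": "offered"},
    {"id": "cert_signatureAlgorithm", "severity": "MEDIUM", "finding": "SHA1 with RSA"},
    {"id": "heartbleed", "severity": "OK", "finding": "not vulnerable"},
])


def summarize(report_json, warn_at="MEDIUM", crit_at="HIGH"):
    """Return (nagios_exit_code, status_line) for one testssl.sh report.

    Findings at or above `warn_at` produce WARNING, at or above `crit_at`
    produce CRITICAL; everything else is OK.
    """
    findings = json.loads(report_json)
    offenders = [f for f in findings
                 if SEVERITY_RANK.get(f.get("severity"), 0) >= SEVERITY_RANK[warn_at]]
    if not offenders:
        return OK, "TLS OK - no findings at %s or above" % warn_at
    # Worst finding first; Python's sort is stable, so ties keep report order.
    offenders.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    top = SEVERITY_RANK[offenders[0]["severity"]]
    code = CRITICAL if top >= SEVERITY_RANK[crit_at] else WARNING
    label = "CRITICAL" if code == CRITICAL else "WARNING"
    detail = ", ".join("%s=%s (%s)" % (f["id"], f["finding"], f["severity"])
                       for f in offenders)
    return code, "TLS %s - %s" % (label, detail)


def regressions(previous_json, current_json):
    """Ids whose severity got worse since the previous report.

    A finding that is new in the current report and rated LOW or worse also
    counts as a regression, so a newly enabled weak cipher is not missed.
    """
    prev = {f["id"]: SEVERITY_RANK.get(f.get("severity"), 0)
            for f in json.loads(previous_json)}
    worse = []
    for f in json.loads(current_json):
        cur = SEVERITY_RANK.get(f.get("severity"), 0)
        if cur > prev.get(f["id"], 0) and cur >= SEVERITY_RANK["LOW"]:
            worse.append(f["id"])
    return worse


if __name__ == "__main__":
    # Usage (hypothetical paths): check_testssl.py current.json [previous.json]
    if len(sys.argv) < 2:
        print("UNKNOWN - usage: %s current.json [previous.json]" % sys.argv[0])
        sys.exit(UNKNOWN)
    with open(sys.argv[1]) as fh:
        current = fh.read()
    code, line = summarize(current)
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            changed = regressions(fh.read(), current)
        if changed:
            code = max(code, WARNING)
            line += " | regressed since last run: " + ", ".join(changed)
    print(line)
    sys.exit(code)
```

Run against the two constructed samples, `summarize(SAMPLE_REPORT)` returns CRITICAL because SSLv3 and RC4 are now offered, and `regressions(SAMPLE_PREVIOUS, SAMPLE_REPORT)` names exactly those two ids; the SHA-1 certificate was already known, so it is reported but not counted as a regression. Keep the previous report on disk between cron runs and pass it as the second argument to get the "it used to be fine" alarm rather than a steady-state warning you learn to ignore.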
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: July 15, 2016 7:49 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSL/TLS and ciphers vulnerability

All,

On 7/14/16 9:22 PM, Christopher Schultz wrote:
> Mark,
>
> On 7/14/16 4:14 PM, Mark Thomas wrote:
>> On 14/07/2016 19:36, uzair rashid wrote:
>>> Jeffrey,
>>>
>>> Working for a corporation that has strict ssl and security
>>> requirements.. There is no way to use the tools you suggested, since
>>> the tomcat URLs are not exposed.
>
>> That doesn't stop you setting up a stand-alone test instance using
>> the same settings (with a different cert if you are especially
>> paranoid) and checking those settings using the excellent ssllabs.
>
>> Keeping your Tomcat and JVM versions up to date will also help.
>> The Tomcat team periodically reviews Tomcat's default TLS
>> configuration and adjusts it accordingly. For details of the most
>> recent review see:
>> https://wiki.apache.org/tomcat/Security/Ciphers
>
> A few thoughts:
>
> [snip]
>
> 6. Qualys has a tool called ssllabs-scan available on GitHub:
> https://github.com/ssllabs/ssllabs-scan/
>
> [snip]
>
> The existence of the ssllabs-scan tool means it's also possible to
> set-up automated periodic scanning of your own site(s). If you expect
> to get an "A" rating and one day you aren't "A" quality any more, you
> should get an alarm without having to remember to manually-run the
> web-based tool when you get around to doing it.

And of course, such a thing already exists:
https://www.unixadm.org/nagios/check_sslscan

This tool uses SSLLabs's online tool so it would be subject to the same 
restrictions as the web-based version (e.g. no internal hosts).

- -chris
