Hello Christopher,

Did you or anyone have a gauge on how we might fix this?

Thank you!

On Thu, Jul 14, 2016 at 8:04 PM, uzair rashid <uzairrashi...@gmail.com> wrote:

> Hello Chris,
>
> We are using Tomcat version: 6.0.36.0
>
> JRE 1.6.0
>
> Do you think I need to change the settings to the following:
>
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8443" protocol="HTTP/1.1"
>         maxThreads="150"
>         SSLEnabled="true"
>         minSpareThreads="25"
>         enableLookups="false"
>         disableUploadTimeout="true"
>         acceptCount="100"
>         scheme="https"
>         secure="true"
>         clientAuth="false"
>         SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
>         ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>         keystorePass="password"
>         keystoreFile="/otex/tomcat/.keystore"/>
>
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
>     <Connector port="443" protocol="HTTP/1.1"
>         maxThreads="150"
>         SSLEnabled="true"
>         minSpareThreads="25"
>         enableLookups="false"
>         disableUploadTimeout="true"
>         acceptCount="100"
>         scheme="https"
>         secure="true"
>         clientAuth="false"
>         SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
>         ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>         keystorePass="password"
>         keystoreFile="/otex/tomcat/.keystore"/>
>
> Really look forward to your expertise on this.
>
> Thank you
>
> On Thu, Jul 14, 2016 at 7:07 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>>
>> Uzair,
>>
>> On 7/14/16 10:12 AM, uzair rashid wrote:
>> > Running Tomcat 6.x
>>
>> Which one exactly?
>>
>> > and every week during vulnerability scans we are having the
>> > following results:
>> >
>> > Vulnerability References:
>> >
>> > SSL/TLS Server Factoring RSA Export Keys (FREAK) vulnerability
>> >
>> > Impact: Exploitation allows an attacker to bypass security
>> > restrictions on the targeted host.
>> > Solution: Disable RSA_EXPORT cipher suites. Do not use temporary RSA
>> > key multiple times.
>> > Result:
>> >   Public key source          Key size
>> >   Public key in certificate  2048 (bits)
>> >   Temporary RSA key          512 (bits)
>> >
>> > [snip]
>> >
>> > <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>> > <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
>> > SSLEnabled="true" minSpareThreads="25" enableLookups="false"
>> > disableUploadTimeout="true" acceptCount="100" scheme="https"
>> > secure="true" clientAuth="false" sslProtocol="TLS"
>> > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>> > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>> >
>> >
>> SSLCipherSuite="!EXPORT"
>>
>> Are you using tcnative+APR+OpenSSL or JSSE? "ciphers" is for JSSE and
>> SSLCipherSuite is for tcnative+APR+OpenSSL. Either case you should be
>> good.
>>
>> What version of Java are you using?
>>
>> -chris
>>
>
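A defender-side check for the point Chris raises about `ciphers` (JSSE) versus `SSLCipherSuite` (tcnative+APR+OpenSSL), written as an added example that is not code from this thread or from the Tomcat project: it parses a constructed server.xml fragment and flags SSL connectors whose cipher attributes belong to the other implementation, that leave the cipher list to the implementation's defaults, or that name or admit export-grade suites. The attribute names are the Tomcat 6 connector attributes; the OpenSSL keyword check is a heuristic, and the sample paths and keystore password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the connector in this thread (not the poster's
# file). The 8443 connector mixes the JSSE "ciphers" attribute with the APR "SSLProtocol" one.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
      SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
      keystoreFile="/path/to/.keystore" keystorePass="changeit"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
      SSLCipherSuite="ALL:!aNULL" SSLCertificateFile="/path/to/cert.pem"/>
</Service></Server>"""

# Attributes read only by the JSSE connector, and those read only by the APR/OpenSSL connector.
JSSE_ATTRS = {"ciphers", "sslProtocol", "sslEnabledProtocols", "keystoreFile", "keystorePass"}
APR_ATTRS = {"SSLCipherSuite", "SSLProtocol", "SSLCertificateFile", "SSLCertificateKeyFile"}
# OpenSSL cipher-string keywords that can admit export-grade suites unless "!EXPORT" is present.
OPENSSL_BROAD = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "EXP", "EXPORT", "EXPORT40", "EXPORT56"}


def audit_connectors(server_xml):
    """Return (port, message) findings for every SSLEnabled connector in the given XML."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port, attrs, proto = c.get("port"), set(c.keys()), c.get("protocol", "HTTP/1.1")
        # protocol="HTTP/1.1" means APR if tcnative loads at startup, otherwise JSSE
        impl = "apr" if "Apr" in proto else ("auto" if proto == "HTTP/1.1" else "jsse")
        if attrs & JSSE_ATTRS and attrs & APR_ATTRS:
            findings.append((port, "mixes JSSE and APR attributes; one set is silently ignored"))
        jsse_list, apr_list = c.get("ciphers"), c.get("SSLCipherSuite")
        if jsse_list and any("EXPORT" in s for s in jsse_list.split(",")):
            findings.append((port, "ciphers lists an RSA_EXPORT suite"))
        if apr_list:
            tokens = [t.strip() for t in apr_list.split(":")]
            broad = any(t.lstrip("+") in OPENSSL_BROAD for t in tokens)
            if broad and not any(t in ("!EXPORT", "!EXP") for t in tokens):
                findings.append((port, "SSLCipherSuite may admit export suites; add !EXPORT"))
        if impl in ("jsse", "auto") and not jsse_list:
            findings.append((port, "no ciphers list; JSSE defaults would apply"))
        if impl in ("apr", "auto") and not apr_list:
            findings.append((port, "no SSLCipherSuite; OpenSSL defaults would apply"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, msg))
```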
