Uzair,

On 7/14/16 11:04 PM, uzair rashid wrote:
> Hello Chris,
> 
> We are using Tomcat version: 6.0.36.0
> 
> JRE 1.6.0

Java 1.6 does not support TLSv1.1 or TLSv1.2, so you won't be able to
get those to work. Also, Java 1.6 does not support DH primes larger
than 1024-bit, which have somewhat recently been determined to be weak
[https://weakdh.org/].

I strongly urge you to upgrade your Java version. Even Java 1.7 has
been EOL'd in favor of Java 1.8.

> Do you think I need to change the settings to the following: 
> <Connector port="8443" protocol="HTTP/1.1"
>            SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
>            ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

This is confusing to me because SSLProtocol is expected to control the
allowed protocols when using the tcnative+OpenSSL library, but "ciphers"
is intended to set the ciphers being used with JSSE (which is the
opposite of OpenSSL).

I think you want SSLProtocol + SSLCipherSuite (for
tcnative/OpenSSL[1]) or sslEnabledProtocols + ciphers (for JSSE[2]).

> <Connector port="443" protocol="HTTP/1.1"
>            SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
>            ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

Same issue here.

It's important to know which connector is actually being used. Can you
post the part of your catalina.log file which shows exactly which
connector has been chosen for HTTP/1.1 at runtime? It will either be
the APR connector (which is tcnative/OpenSSL) or the BIO or NIO
connector (which both use JSSE).

The FREAK issue is with EXPORT ciphers being available at all. Your
"ciphers" list above does not have any EXPORT ciphers mentioned, but
if you are using OpenSSL, then you are getting the default list of
ciphers, which, depending upon your environment, might still include them.

Try something simple like adding this:

    SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
    SSLCipherSuite="!EXPORT:HIGH"

... and see if that improves things.

Have a look at the Tomcat Ciphers reference[3] which includes some
recommendations for what "SSLCipherSuite" can be set to in order to
improve your security.

Hope that helps,
- -chris

[1] http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS
[2] http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
[3] https://wiki.apache.org/tomcat/Security/Ciphers
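The checks Chris walks through above (APR and JSSE attribute sets mixed on one connector, a connector left on the auto-selected "HTTP/1.1" implementation, an APR connector with no SSLCipherSuite and therefore OpenSSL's default list, EXPORT-class suites in an explicit JSSE list, SSLv2/SSLv3 still enabled) can be run mechanically over a server.xml. The linter below is an added example written for this page; it is not code from the Tomcat project or from anyone in the thread. The attribute names are taken from the Tomcat 6 APR and HTTP connector documentation linked as [1] and [2]; the sample server.xml is constructed for the example (the port-8443 connector mirrors the one quoted above, the others show corrected JSSE and APR forms and an unhardened APR form), and the weak-suite name pattern is a heuristic, not a Tomcat or JSSE API.

```python
"""Lint Tomcat <Connector> elements for the TLS configuration problems
discussed in the message above. Added example; not Tomcat project code.
Attribute names follow the Tomcat 6 APR and HTTP connector docs; the
sample server.xml below is constructed for this example."""
import re
import xml.etree.ElementTree as ET

# Attributes only the APR/tcnative (OpenSSL) connector understands.
APR_TLS_ATTRS = {"SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
                 "SSLCertificateKeyFile"}
# Attributes only the BIO/NIO (JSSE) connectors understand.
JSSE_TLS_ATTRS = {"sslEnabledProtocols", "ciphers", "keystoreFile",
                  "keystorePass", "keystoreType"}
# Heuristic (assumption): JSSE suite-name fragments marking export-grade,
# unauthenticated or otherwise broken suites. FREAK needs an EXPORT suite
# to be offered at all, so any match is worth a finding.
WEAK_SUITE = re.compile(r"EXPORT|_NULL_|_anon_|_DES_|RC4|MD5")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2+SSLv3"}


def lint_connector(conn):
    """Return a list of findings (strings) for one <Connector> element."""
    attrs = dict(conn.attrib)
    findings = []
    apr = APR_TLS_ATTRS & set(attrs)
    jsse = JSSE_TLS_ATTRS & set(attrs)
    if not (apr or jsse):
        return findings  # plain HTTP connector; nothing TLS-related here

    if apr and jsse:
        findings.append("mixes APR attributes %s with JSSE attributes %s; "
                        "only one set takes effect at runtime"
                        % (sorted(apr), sorted(jsse)))
    if attrs.get("protocol", "HTTP/1.1") == "HTTP/1.1":
        findings.append('protocol="HTTP/1.1" lets Tomcat pick APR or BIO at '
                        "startup; check catalina.log for the chosen connector")
    if attrs.get("SSLEnabled", "false").lower() != "true":
        findings.append('SSLEnabled="true" is missing, so no TLS is configured')

    # Explicit JSSE cipher list: flag weak names suite by suite.
    for suite in attrs.get("ciphers", "").split(","):
        if suite.strip() and WEAK_SUITE.search(suite.strip()):
            findings.append("weak JSSE suite %s" % suite.strip())

    # An APR connector with no SSLCipherSuite falls back to OpenSSL's
    # default list, which may still offer EXPORT suites.
    if apr and "SSLCipherSuite" not in attrs:
        findings.append("APR connector without SSLCipherSuite uses OpenSSL's "
                        "default cipher list (may include EXPORT suites)")

    for key in ("SSLProtocol", "sslEnabledProtocols"):
        enabled = {p.strip() for p in attrs.get(key, "").split(",") if p.strip()}
        for proto in sorted(enabled & LEGACY_PROTOCOLS):
            findings.append("%s enables %s" % (key, proto))
    return findings


def lint_server_xml(xml_text):
    """Map each connector's port to its findings for a whole server.xml."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")}


# Constructed server.xml: the mixed connector quoted in the thread (8443),
# a corrected JSSE connector (8444), a corrected APR connector (8445), an
# APR connector left on OpenSSL defaults with SSLv3 on (8446), plain HTTP.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1"
     SSLProtocol="TLSv1,TLSv1.1,TLSv1.2"
     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
     SSLEnabled="true" scheme="https" secure="true"
     keystoreFile="conf/keystore.jks" keystorePass="changeit"
     sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
     SSLEnabled="true" scheme="https" secure="true"
     SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key"
     SSLProtocol="TLSv1,TLSv1.1,TLSv1.2" SSLCipherSuite="!EXPORT:HIGH"/>
  <Connector port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol"
     SSLEnabled="true" scheme="https" secure="true"
     SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key"
     SSLProtocol="SSLv3,TLSv1"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
 </Service>
</Server>"""

if __name__ == "__main__":
    for port, findings in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run against the sample, port 8443 collects four findings (mixed attribute sets, auto-selected implementation, no SSLEnabled, OpenSSL default cipher list), 8444 and 8445 come back clean, and 8446 is flagged for the default cipher list and SSLv3. The linter only reads the file; it cannot tell you which implementation Tomcat actually loaded, which is why the catalina.log check in the message still matters.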
