On 27/07/2016 17:01, James H. H. Lampert wrote:
> I was just forwarded a vulnerability report from one of our customers,
> who is on 7.0.67 (as are we), with Java SSL, not OpenSSL (again, as are
> we). The gist of it is below.
>
>> SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (CVE-2015-4000)
>
>> SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK)
>> (CVE-2015-0204)
>
>> SSL/TLS EXPORT_DHE <= 512-bit Export Cipher Suites Supported (Logjam)
>> (CVE-2015-4000)
>
> Can anybody tell me what I'm looking at, and what to do about it?
The server is configured to use weak ciphers.

Your options will depend on JVM version. If you are running on Java 6 then
there is only so much you can do before a JVM upgrade is required.

Take a look at this:
http://wiki.apache.org/tomcat/Security/Ciphers
and take advantage of the excellent SSL Labs test site.

Note the results on the Wiki are the defaults with 7.0.69 which will be
better than the defaults for 7.0.67. You should be able to achieve the same
results with 7.0.67 by specifying specific ciphers.

Mark
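As an added illustration of "specifying specific ciphers" (this is not part of Mark's reply or the Tomcat wiki), here is a Tomcat 7 JSSE HTTPS connector in server.xml with an explicit suite list that offers only ECDHE, non-export suites, so the EXPORT_RSA, EXPORT_DHE and 1024-bit DHE suites the scanner flagged are never negotiated. The port, keystore path and password are placeholders, and which of the listed suites a particular JVM actually supports has to be confirmed against the SSL Labs result.

```xml
<!-- Added example, not from the original thread: explicit cipher list for a
     Tomcat 7 JSSE connector (Http11NioProtocol). Keystore, password and port
     are placeholders. Suites are named in JSSE (TLS_...) form.
     No *_DHE_* suites are listed on purpose: on older JVMs the server-side
     ephemeral DH parameters are 1024 bits, which is the Logjam finding, and
     no *_EXPORT_* suites, which is the FREAK finding. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME"
           clientAuth="false"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" />
```

After restarting Tomcat, re-run the SSL Labs test: the report's cipher suite section should list only the suites above, and the Logjam and FREAK entries should no longer appear.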