Christopher,



Peter Kreuser
> On 10.10.2017 at 00:14, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> James,
> 
>> On 10/9/17 5:19 PM, Christopher Schultz wrote:
>>> On 10/6/17 6:34 PM, James H. H. Lampert wrote:
>>> Noting that my connector tag is written using Tomcat 7 connector 
>>> syntax, is there a good example of how to code a ciphers clause
>>> for that tag?
>> 
>> Tomcat 8.5+ and 9.0+ can do it... but nobody has written a 
>> command-line tool around that capability. (I could have sworn such
>> a tool existed already. I guess I'll write one.)
> 
> Okay, it's in Tomcat 9, now. Grab Tomcat 9 trunk, build it ("ant
> deploy"), then run:
> 
> $ output/build/bin/ciphers.sh [cipherspec]
> 
> where "cipherspec" is an OpenSSL-style cipher suite spec, like:
> 
> $ output/build/bin/ciphers.sh 'DEFAULT'
> 
> This gives you the JVM's current default, and dumps out all of the
> IANA-style cipher suite names. So if you want to add one cipher suite
> to the default Java suites, just do this:
> 
> $ output/build/bin/ciphers.sh 'DEFAULT'
> 
> and then add this to the end:
> 
> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> (Unless TLS_RSA_WITH_AES_256_CBC_SHA is already present in the list.)
> 
> Note that the "DEFAULT" list has a bunch of junk you don't need.
> Specifically, you can probably get rid of all of these things with no
> ill effects, and your configuration will "look" simpler:
> 
> $ ./bin/ciphers.sh '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH'

A good read on the appropriate (openssl) cipher string that I use can be found 
here:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
Hynek explains the whys and don'ts and updates the string on a regular basis!

HTH

Peter

> Hope that helps,
> -chris

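As an added illustration of what the thread describes (this is not Tomcat's ciphers.sh and not code from anyone in the thread), the script below asks the local OpenSSL, through Python's ssl module, to expand an OpenSSL-style spec such as 'DEFAULT' or '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH', then translates the resulting suite names into the IANA-style names a Tomcat ciphers attribute expects. The name translation is a hand-written table covering only AES-CBC, AES-GCM and ChaCha20 suites (an assumption of this example, not an authoritative mapping), and the expanded list naturally depends on the OpenSSL build the script runs against.

```python
import re
import ssl

# OpenSSL key-exchange/authentication prefix -> IANA prefix. A bare name
# such as "AES256-SHA" means RSA key exchange with RSA authentication.
_KX = {"ECDHE-RSA": "ECDHE_RSA", "ECDHE-ECDSA": "ECDHE_ECDSA",
       "DHE-RSA": "DHE_RSA", "DHE-DSS": "DHE_DSS", None: "RSA"}

_SUITE = re.compile(
    r"(?:(ECDHE-RSA|ECDHE-ECDSA|DHE-RSA|DHE-DSS)-)?"
    r"(?:AES(128|256)(-GCM)?-(SHA|SHA256|SHA384)|(CHACHA20-POLY1305))")


def openssl_to_iana(name):
    """Translate one OpenSSL suite name into its IANA/JSSE name.
    Only AES-CBC, AES-GCM and CHACHA20-POLY1305 suites are covered; anything
    else (3DES, CAMELLIA, ARIA, CCM, TLS 1.3 names) yields None."""
    m = _SUITE.fullmatch(name)
    if not m:
        return None
    kx, bits, gcm, mac, chacha = m.groups()
    prefix = "TLS_%s_WITH_" % _KX[kx]
    if chacha:
        # ChaCha20 suites only exist with (EC)DHE key exchange.
        return prefix + "CHACHA20_POLY1305_SHA256" if kx else None
    return prefix + "AES_%s_%s_%s" % (bits, "GCM" if gcm else "CBC", mac)


def resolve(spec):
    """Expand an OpenSSL-style spec with the local libssl and return
    [(openssl_name, iana_name_or_None)] for the TLS <= 1.2 suites it selects.
    TLS 1.3 suites are skipped because set_ciphers() does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)          # raises ssl.SSLError if nothing matches
    return [(c["name"], openssl_to_iana(c["name"]))
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def contains(spec, iana_name):
    """True if the spec already selects the given IANA suite, i.e. the
    check the thread suggests before appending a suite by hand."""
    return any(iana == iana_name for _, iana in resolve(spec))


if __name__ == "__main__":
    for spec in ("DEFAULT", "!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH"):
        print("==", spec)
        for ossl, iana in resolve(spec):
            print("%-32s %s" % (ossl, iana or "(not in this table)"))
```

Suites the table cannot name are printed as such rather than guessed; check those against the ciphers.sh output before putting them in a connector.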