Christopher,
Peter Kreuser

> On 10.10.2017 at 00:14, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> James,
>
>> On 10/9/17 5:19 PM, Christopher Schultz wrote:
>>> On 10/6/17 6:34 PM, James H. H. Lampert wrote:
>>> Noting that my connector tag is written using Tomcat 7 connector
>>> syntax, is there a good example of how to code a ciphers clause
>>> for that tag?
>>
>> Tomcat 8.5+ and 9.0+ can do it... but nobody has written a
>> command-line tool around that capability. (I could have sworn such
>> a tool existed already. I guess I'll write one.)
>
> Okay, it's in Tomcat 9, now. Grab Tomcat 9 trunk, build it ("ant
> deploy"), then run:
>
> $ output/build/bin/ciphers.sh [cipherspec]
>
> where "cipherspec" is an OpenSSL-style cipher suite spec, like:
>
> $ output/build/bin/ciphers.sh 'DEFAULT'
>
> This gives you the JVM's current default, and dumps out all of the
> IANA-style cipher suite names. So if you want to add one cipher suite
> to the default Java suites, just do this:
>
> $ output/build/bin/ciphers.sh 'DEFAULT'
>
> and then add this to the end:
>
> TLS_RSA_WITH_AES_256_CBC_SHA
>
> (Unless TLS_RSA_WITH_AES_256_CBC_SHA is already present in the list.)
>
> Note that the "DEFAULT" list has a bunch of junk you don't need.
> Specifically, you can probably get rid of all of these things with no
> ill effects, and your configuration will "look" simpler:
>
> $ ./bin/ciphers.sh '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH'

A good read on the appropriate (openssl) cipher string that I use can be found here:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

Hynek explains the whys and don'ts and updates the string on a regular basis!
HTH
Peter

> Hope that helps,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
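Added example, not part of the thread and not Tomcat's ciphers.sh: the script below does the same expansion step locally, feeding an OpenSSL-style spec to the OpenSSL linked into Python's standard ssl module and listing what it actually enables, so the effect of Chris's pruned spec '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH' versus 'DEFAULT' can be checked before anything goes into server.xml. It differs from ciphers.sh in two ways worth knowing: it prints OpenSSL suite names, not the IANA/JSSE names ciphers.sh prints, and the resulting list depends on the local OpenSSL version and security level. The function names, the audit categories and the comma-joined rendering for the connector's ciphers attribute are my own assumptions.

```python
"""Expand OpenSSL-style cipher specs with the local OpenSSL (via ssl) and
audit the result. Added example, not Tomcat code; OpenSSL names only."""
import ssl

# The two specs from the thread (constructed example input).
DEFAULT_SPEC = "DEFAULT"
PRUNED_SPEC = "!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH"


def expand(spec, protocol=ssl.PROTOCOL_TLS_SERVER):
    """Return the ordered suite list OpenSSL enables for `spec`.

    Each entry is the dict ssl.SSLContext.get_ciphers() yields: name, kea,
    auth, strength_bits, protocol, ... ssl.SSLError is raised only when the
    spec selects nothing; unknown tokens in a spec are skipped silently by
    OpenSSL, which is exactly why a spec should be expanded and inspected.
    """
    ctx = ssl.SSLContext(protocol)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def names(spec):
    """Suite names only, in negotiation preference order."""
    return [c["name"] for c in expand(spec)]


def dropped_by(base_spec, pruned_spec):
    """Suites enabled by base_spec that pruned_spec no longer enables."""
    kept = set(names(pruned_spec))
    return [n for n in names(base_spec) if n not in kept]


def audit(spec):
    """Flag suites a hardening pass wants gone, by category (my own
    categories, derived from the kea/auth/strength fields OpenSSL reports)."""
    findings = {"anonymous": [], "psk": [], "weak": [], "no_forward_secrecy": []}
    for c in expand(spec):
        kea = (c.get("kea") or "").lower()
        auth = (c.get("auth") or "").lower()
        if auth == "auth-none":                  # aNULL: no server authentication
            findings["anonymous"].append(c["name"])
        if "psk" in kea or auth == "auth-psk":   # pre-shared-key suites
            findings["psk"].append(c["name"])
        if c["strength_bits"] < 128:             # below what HIGH allows
            findings["weak"].append(c["name"])
        if kea == "kx-rsa":                      # static RSA key exchange
            findings["no_forward_secrecy"].append(c["name"])
    return findings


def tomcat_ciphers_attribute(suite_names):
    """Render an explicit suite list as the value of a Connector ciphers=
    attribute (comma-separated, assumption: names in the form Tomcat accepts)."""
    return ",".join(suite_names)


if __name__ == "__main__":
    for spec in (DEFAULT_SPEC, PRUNED_SPEC):
        print(f"{spec}: {len(names(spec))} suites")
        for category, hits in audit(spec).items():
            print(f"  {category}: {hits}")
    print("dropped by pruning:", dropped_by(DEFAULT_SPEC, PRUNED_SPEC))
    print(f'ciphers="{tomcat_ciphers_attribute(names(PRUNED_SPEC))}"')
```

Run it once against the OpenSSL your Tomcat will actually use; the TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) appear in every expansion because OpenSSL does not let the cipher string remove them, and any token OpenSSL does not recognise is dropped without an error, so an empty "dropped by pruning" list is a signal the spec did not do what was intended.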