2013/1/10 Baron Fujimoto <ba...@hawaii.edu>:
> On Wed, Jan 09, 2013 at 01:08:01PM +0400, Konstantin Kolinko wrote:
>> 2013/1/9 Baron Fujimoto <ba...@hawaii.edu>:
>>> I'm attempting to mitigate BEAST (CVE-2011-3389) attacks on Tomcat 6.0.35.
>>> My understanding is that the attack applies only to CBC ciphers, and that
>>> RC4 ciphers are not vulnerable, so I am attempting to restrict the set of
>>> ciphers that Tomcat uses with the following config for a connector:
>>>
>>> <Connector protocol="HTTP/1.1" SSLEnabled="true"
>>>     address="0.0.0.0"
>>>     port="8443"
>>>     maxThreads="150" scheme="https" secure="true"
>>>     keystoreFile="/path/to/keystore"
>>>     keystoreType="pkcs12"
>>>     ciphers="TLS_RSA_WITH_RC4_128_SHA,
>>>              TLS_RSA_WITH_RC4_128_MD5,
>>>              SSL_CK_RC4_128_WITH_MD5"
>>>     clientAuth="false" sslProtocol="TLS" />
>>> (...)
>>>
>>
>> As can be seen from your usage of the "keystoreType" attribute, you are
>> using the Java implementation of the Connector, not the openssl/APR one.
>>
>> You should look into the Java documentation for their cipher names.
>>
>> See this thread from October 2009:
>> http://markmail.org/message/zn4namfhypyxum23
>
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently. If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>
> ciphers="SSL_RSA_WITH_RC4_128_MD5,
>          SSL_RSA_WITH_RC4_128_SHA,
>          TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>          TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>          TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>          TLS_ECDH_RSA_WITH_RC4_128_SHA"
>
Good. I used your example to create a FAQ page,
http://wiki.apache.org/tomcat/HowTo/SSLCiphers

Best regards,
Konstantin Kolinko
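As an added example (not code from this thread, from Tomcat, or from the FAQ page), a small Java program that parses a connector's `ciphers` attribute value the way it is written in server.xml and reports which names the running JVM's JSSE provider does not list as supported, which is exactly the OpenSSL-versus-Java naming mismatch diagnosed above. The class and method names are my own; the two input strings are constructed from the lists in the thread.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.*;

public class TomcatCipherCheck {

    /** Split the attribute value as it appears in server.xml:
     *  comma-separated, with arbitrary whitespace and line breaks. */
    static List<String> parseCiphersAttribute(String value) {
        List<String> names = new ArrayList<>();
        for (String token : value.split(",")) {
            String name = token.trim();
            if (!name.isEmpty()) names.add(name);
        }
        return names;
    }

    /** Returns the configured names that this JVM's JSSE provider does not
     *  report as a supported cipher suite (an empty list means every name
     *  is recognised and the connector will actually restrict to them). */
    static List<String> unknownCiphers(List<String> configured) throws Exception {
        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();
        Set<String> supported = new HashSet<>(Arrays.asList(params.getCipherSuites()));
        List<String> unknown = new ArrayList<>();
        for (String name : configured) {
            if (!supported.contains(name)) unknown.add(name);
        }
        return unknown;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the first attempt from the thread (OpenSSL-style names)
        String firstAttempt = "TLS_RSA_WITH_RC4_128_SHA,\n"
                            + "TLS_RSA_WITH_RC4_128_MD5,\n"
                            + "SSL_CK_RC4_128_WITH_MD5";
        // Constructed input: part of the working list from the thread (JSSE names)
        String working = "SSL_RSA_WITH_RC4_128_MD5,\n"
                       + "SSL_RSA_WITH_RC4_128_SHA,\n"
                       + "TLS_ECDHE_RSA_WITH_RC4_128_SHA";

        for (String attr : new String[] { firstAttempt, working }) {
            List<String> names = parseCiphersAttribute(attr);
            System.out.println("configured:            " + names);
            System.out.println("not known to this JVM: " + unknownCiphers(names));
        }
    }
}
```

Current JDKs disable RC4 suites through jdk.tls.disabledAlgorithms (RC4 was prohibited for TLS by RFC 7465), so a run on a modern JVM may report even the 2013 JSSE-named list as unavailable; the check itself applies unchanged to whatever suites you configure today.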