On 13/11/2014 02:58, Glen Peterson wrote: > Tomcat has been one of my favorite pieces of software for about a > decade. Thanks to all your generous contributions it just keeps > getting better! I appreciate the focus on security in Tomcat 8. > > Suggestion: > ========= > Instead of specifying allowed ciphers in the Connector node of > server.xml, I'd like to specify dis-allowed/excluced ciphers so that > as new, better cipher suites become available we won't have to do > anything. Maybe an "excludeCiphers" attribute?
You should be able to do this already in Tomcat 8 if you use the OpenSSl syntax. Mark > > Background: > ========= > We're getting an 'A' on the Qualys TLS test with stand-alone Tomcat, > which is pretty cool: > https://www.ssllabs.com/ssltest/index.html > > Mostly, that's because of the following settings (in case this helps anyone): > > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11NioProtocol" > maxThreads="150" SSLEnabled="true" > scheme="https" secure="true" > clientAuth="false" > sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" > compression="on" disableUploadTimeout="true" > connectionTimeout="180000" > URIEncoding="UTF-8" > keystorePass="notTheRealPassword" > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" /> > > It seems like just a few years ago there were about 50 cipher suites > to choose from. Now there are 12 that work with TLS. Eight of those > have Forward Security (the 8 listed above). Presumably those eight > will also become outdated over time and new ones will be added to > replace them. The problem with specifying ciphers as above is that > someone will have to know when and how to manually update the cipher > list. > > With each upgrade of Java, we need to remember to do something like > the following: > > - Delete the ciphers attribute > - Restart tomcat > - Test here: https://www.ssllabs.com/ssltest/index.html > - Copy the list of cipher suites > - Delete any that don't support Forward Security > - Make a new ciphers attribute. > - Verify that the browsers and devices we support will still work. > > To be honest, I'm not sure if that needs to be done with each Java > patch release, or only when Java 9 comes out. If instead of > specifying valid ciphers, I specified invalid ones, then the new ones > would just flow through the system and become available without me > doing anything! > > Thank you in advance for considering this suggestion. > > @GlenKPeterson > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
