Glen,
On 11/13/14 11:43 AM, Glen Peterson wrote:
> Thank you Mark - that works great! That feature suggestion is not
> needed after all.
>
> I found two places where the Tomcat 8 documentation could be more
> helpful. I would be happy to do the following updates if I'm
> allowed:
>
> 1. I didn't see "ciphers" on this page at all (maybe it should be
> renamed TLS-howto in a post-POODLE world?):
> http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
>
> 2. The "ciphers" section here doesn't mention that it accepts the
> OpenSSL syntax:
> http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
>
> This page has a helpful description of the syntax (what I used to
> learn it today): https://www.openssl.org/docs/apps/ciphers.html
>
> If you like the ciphers element below, you are welcome to paste it
> in the docs.

Patches are always welcome, including patches to the documentation.
Let me know if you'd like to provide one, and I can give you
instructions (they are pretty simple).

> For anyone interested, this is what I ended up with:
>
> ciphers="ALL:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!3DES:!TLS_RSA_WITH_AES_128_CBC_SHA256:!TLS_RSA_WITH_AES_128_CBC_SHA:!TLS_RSA_WITH_AES_128_GCM_SHA256:@STRENGTH"
>
> Maybe someone more familiar with OpenSSL options could do better,
> but this is working and should be forward-compatible because it
> eliminates weaker ciphers without specifying which stronger ones to
> use. Note that without specifying @STRENGTH (which means to sort
> in decreasing order by strength), nmap couldn't find
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 but Qualys did, so sorting
> seems to have some effect for certain clients. Even sorted like
> this, Qualys still reports that "the server has no preference."

I don't believe JSSE has the ability for the server to specify a
preferred cipher order like tcnative/APR/OpenSSL do with
"SSLHonorCipherOrder".

http://serverfault.com/questions/316313/control-ssl-cipher-priority-order-for-tomcat-to-avoid-beast-attack

> Also note that the new configuration doesn't support IE8 on
> Windows XP, but we currently support IE8/Vista and forward. Qualys
> says IE7 on Vista still works, so presumably IE8 would work there
> too.

IE8 on Windows XP should work as long as the proper TLS protocols
have been enabled. I believe Qualys is talking about a "default
configuration" of MSIE 8 on Windows XP.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
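The thread above turns on how an OpenSSL-style cipher string is evaluated: which suites `ALL`, `!MEDIUM`, `!3DES` and the explicit `!TLS_RSA_...` names remove, and what `@STRENGTH` does to the remaining order. The script below is an added example, not code from the thread, from Tomcat or from OpenSSL. It is a small model of the operators described in openssl-ciphers(1) (plain words append, `-` removes but allows re-adding, `!` removes permanently, `+` moves matches to the end, `A+B` means "A and B", `@STRENGTH` sorts by key bits) run over a hand-picked, constructed table of suites. Assumptions to keep in mind: the suite table, its "default" order and the alias definitions are simplified and mine; JSSE-style names are accepted as exact suite names, which is what Glen's working string relies on; 3DES is classed as HIGH with 168 bits, as OpenSSL 1.0.x did, which is why `!3DES` is needed alongside `!MEDIUM`; `GLEN_CONFIG`, `expand`, `openssl_names` and `jsse_names` are names I chose.

```python
"""Toy evaluator for OpenSSL-style cipher strings (constructed example).

Models the operators from openssl-ciphers(1): plain words append, '-' removes
(re-addable), '!' removes permanently, '+' moves matches to the end,
'A+B' means "A and B", and '@STRENGTH' sorts by key length. The suite table
is a hand-picked sample, NOT the real OpenSSL or JSSE list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    openssl: str   # OpenSSL suite name
    jsse: str      # JSSE / IANA-style name as Java spells it
    kx: str        # key exchange
    auth: str      # authentication ("None" = anonymous)
    enc: str       # bulk cipher ("None" = no encryption)
    mac: str       # MAC, or AEAD for GCM suites
    bits: int      # key bits, which is all @STRENGTH looks at
    level: str     # OpenSSL strength class


# Constructed sample in a fixed "default" order. DES-CBC3-SHA is listed as
# HIGH/168 as OpenSSL 1.0.x did, so !MEDIUM alone would not drop it.
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDH", "RSA", "AESGCM", "AEAD", 256, "HIGH"),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDH", "RSA", "AESGCM", "AEAD", 128, "HIGH"),
    Suite("DHE-RSA-AES128-SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "DH", "RSA", "AES", "SHA256", 128, "HIGH"),
    Suite("DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DH", "RSA", "AES", "SHA1", 256, "HIGH"),
    Suite("AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA", "RSA", "AESGCM", "AEAD", 128, "HIGH"),
    Suite("AES128-SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "RSA", "RSA", "AES", "SHA256", 128, "HIGH"),
    Suite("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES", "SHA1", 128, "HIGH"),
    Suite("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "RSA", "3DES", "SHA1", 168, "HIGH"),
    Suite("RC4-SHA", "SSL_RSA_WITH_RC4_128_SHA", "RSA", "RSA", "RC4", "SHA1", 128, "MEDIUM"),
    Suite("DES-CBC-SHA", "SSL_RSA_WITH_DES_CBC_SHA", "RSA", "RSA", "DES", "SHA1", 56, "LOW"),
    Suite("EXP-RC4-MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "RSA(512)", "RSA", "RC4(40)", "MD5", 40, "EXPORT"),
    Suite("AECDH-AES128-SHA", "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "ECDH", "None", "AES", "SHA1", 128, "HIGH"),
    Suite("NULL-SHA", "SSL_RSA_WITH_NULL_SHA", "RSA", "RSA", "None", "SHA1", 0, "STRONG_NONE"),
]

# Simplified aliases (predicates over a Suite); real OpenSSL has many more.
ALIASES = {
    "ALL": lambda s: s.enc != "None",           # everything except eNULL
    "HIGH": lambda s: s.level == "HIGH",
    "MEDIUM": lambda s: s.level == "MEDIUM",
    "LOW": lambda s: s.level == "LOW",
    "EXPORT": lambda s: s.level == "EXPORT",
    "aNULL": lambda s: s.auth == "None",        # unauthenticated (MITM-able)
    "eNULL": lambda s: s.enc == "None",         # no encryption at all
    "RSA": lambda s: s.kx.startswith("RSA") or s.auth == "RSA",
    "ECDHE": lambda s: s.kx == "ECDH",
    "DHE": lambda s: s.kx == "DH",
    "AESGCM": lambda s: s.enc == "AESGCM",
    "AES": lambda s: s.enc in ("AES", "AESGCM"),
    "3DES": lambda s: s.enc == "3DES",
    "RC4": lambda s: s.enc.startswith("RC4"),
    "SHA1": lambda s: s.mac == "SHA1",
    "SHA256": lambda s: s.mac == "SHA256",
    "MD5": lambda s: s.mac == "MD5",
}


def _match_one(word, suite):
    """An alias, or an exact suite name in OpenSSL or JSSE spelling.
    Unknown words match nothing, mirroring OpenSSL silently ignoring them."""
    if word in ALIASES:
        return ALIASES[word](suite)
    return word in (suite.openssl, suite.jsse)


def _matches(word, suite):
    """'A+B' (no leading sign) requires every part to match."""
    return all(_match_one(part, suite) for part in word.split("+"))


def expand(cipher_string, table=SUITES):
    """Return the ordered list of Suite objects selected by cipher_string."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            # Stable sort on key bits only: a 256-bit CBC/SHA1 suite now
            # outranks a 128-bit GCM suite, so @STRENGTH is not "best first".
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        if token.startswith("@"):
            raise ValueError("unsupported directive: " + token)
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in table if _matches(word, s)]
        if op == "!":                       # delete and never allow back
            killed.update(hits)
            selected = [s for s in selected if s not in killed]
        elif op == "-":                     # delete, may be re-added later
            selected = [s for s in selected if s not in hits]
        elif op == "+":                     # demote: move matches to the end
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        else:                               # append new matches, keep order
            selected += [s for s in hits if s not in selected and s not in killed]
    if not selected:
        raise ValueError("no cipher can be selected")  # OpenSSL's error case
    return selected


def openssl_names(cipher_string):
    return [s.openssl for s in expand(cipher_string)]


def jsse_names(cipher_string):
    """The names a JSSE-based connector must be handed after translation."""
    return [s.jsse for s in expand(cipher_string)]


# The string quoted in the thread above (split here only for line length).
GLEN_CONFIG = ("ALL:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!3DES"
               ":!TLS_RSA_WITH_AES_128_CBC_SHA256:!TLS_RSA_WITH_AES_128_CBC_SHA"
               ":!TLS_RSA_WITH_AES_128_GCM_SHA256:@STRENGTH")

if __name__ == "__main__":
    for name in openssl_names(GLEN_CONFIG):
        print(name)
```

Run against the sample table, the quoted string leaves only ECDHE/DHE suites, and removing `:@STRENGTH` changes their order but not the set. The sort key is worth noticing when you rely on `@STRENGTH`: it ranks a 256-bit CBC/SHA1 suite above a 128-bit AES-GCM suite, so it is a key-length sort, not a security ranking, and whether the server enforces the resulting order at all is a property of the TLS stack rather than of the string.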