On 3/26/2015 2:10 PM, Egor Philippov wrote:
On Thu, Mar 26, 2015 at 10:42 AM, David kerber <dcker...@verizon.net> wrote:
On 3/26/2015 1:30 PM, Egor Philippov wrote:
Hi,
We're serving our web and API content using Tomcat 8.0.20 using an HTTPS
connector that looks something like:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https"
           clientAuth="false" sslProtocol="TLS"
           compression="on" useSendfile="false"
           compressableMimeType="text,application"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           keystoreFile="C:\ProgramData\Absolute Software\AmWebApiData\certificates\AmWebAdmin.jks"
           keystorePass="password"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA" />
Everything is working fine except Chrome (v41.0) is reporting our app as
using 'obsolete cryptography' (as seen in http://imgur.com/WoOLDRH).
According to the Chromium docs
(https://www.chromium.org/Home/chromium-security/education/tls#TOC-Deprecation-of-TLS-Features-Algorithms-in-Chrome),
this is very likely because of SHA-1 being used for "message
authentication". I've noticed the same type of warning message reported
for virtually any Apache hosted site (ex. https://tomcat.apache.org/index.html,
https://www.apache.org/). Anyone familiar with the warning or know
whether it represents a real security problem?
I'm no expert on this, but I think it's because you still have at least
one SSL cipher supported (the last one in the list).
What version of Java is running behind it?
We're running Java 7. We originally didn't have the cipher list in the
connector, but I've added it yesterday when trying to figure out this
Chrome warning. The ciphers were added as per
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
Originally the connector was configured like:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https"
           clientAuth="false" sslProtocol="TLS"
           compression="on" useSendfile="false"
           compressableMimeType="text,application"
           keystoreFile="C:\ProgramData\Absolute Software\AmWebApiData\certificates\AmWebAdmin.jks"
           keystorePass="password" />

with the same result.
Can you just remove the last one, "SSL_RSA_WITH_RC4_128_SHA"?
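An added example (editor's code, not from either poster) that audits the cipher list posted above the way a reviewer would before editing server.xml. It parses the Connector element with Python's ElementTree and flags each suite for the properties that matter here: RC4, an HMAC-SHA1 MAC (the "message authentication" point raised in the thread), a non-AEAD CBC construction, and a static RSA key exchange without forward secrecy; it also lists the enabled protocol versions below TLS 1.2. The posted connector is reproduced with the mail client's asterisks removed. The hardened connector is my suggestion and assumes a Java 8 JSSE, because the AES-GCM suites it names are not offered by the SunJSSE provider on Java 7 (the poster's version); its keystore values are placeholders. Chrome's "modern cryptography" bar at the time was TLS 1.2 with an ECDHE key exchange and an AEAD cipher (AES-GCM or ChaCha20-Poly1305); every suite in the posted list is CBC+HMAC or RC4, so none of them qualifies, and removing only the last suite would not clear the warning. Note that Chrome judges the suite actually negotiated, while this audit looks at everything the connector offers.

```python
"""Audit a Tomcat JSSE connector's TLS settings (added example, not from the thread)."""
import re
import xml.etree.ElementTree as ET

# The connector posted in the thread, with the mail client's asterisks and
# line wrapping removed (values are the poster's own).
ORIGINAL_CONNECTOR = r"""<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200" SSLEnabled="true" scheme="https"
    clientAuth="false" sslProtocol="TLS"
    compression="on" useSendfile="false" compressableMimeType="text,application"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="C:\ProgramData\Absolute Software\AmWebApiData\certificates\AmWebAdmin.jks"
    keystorePass="password"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />"""

# A hardened replacement (my suggestion, not from the thread). Assumes Java 8:
# the AES-GCM suites below are not offered by SunJSSE on Java 7. Keystore
# values are placeholders.
HARDENED_CONNECTOR = r"""<Connector port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200" SSLEnabled="true" scheme="https"
    clientAuth="false" sslProtocol="TLS"
    sslEnabledProtocols="TLSv1.2"
    keystoreFile="C:\path\to\your\keystore.jks" keystorePass="CHANGE_ME"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />"""

# Key-exchange part of a JSSE suite name, e.g. "ECDHE_RSA" or "RSA".
KEY_EXCHANGE_RE = re.compile(r"^(?:TLS|SSL)_(.+?)_WITH_")


def classify(suite):
    """Return the reasons a JSSE suite name falls short of 'modern' TLS.

    An empty list means ECDHE/DHE key exchange with an AEAD cipher.
    """
    issues = []
    m = KEY_EXCHANGE_RE.match(suite)
    key_exchange = m.group(1) if m else ""
    if suite.startswith("SSL_"):
        issues.append("SSLv3-era suite name")
    if "RC4" in suite:
        issues.append("RC4 stream cipher (prohibited by RFC 7465)")
    if suite.endswith("_SHA"):
        issues.append("HMAC-SHA1 message authentication")
    if "_CBC_" in suite or "RC4" in suite:
        issues.append("not an AEAD suite (no AES-GCM / ChaCha20-Poly1305)")
    if not key_exchange.startswith(("ECDHE", "DHE")):
        issues.append("static key exchange, no forward secrecy")
    return issues


def _attr_list(connector_xml, attr):
    """Split a comma-separated Connector attribute into a clean list."""
    value = ET.fromstring(connector_xml).get(attr, "")
    return [v.strip() for v in value.split(",") if v.strip()]


def audit(connector_xml):
    """Map every suite in the Connector's ciphers attribute to its issues."""
    return {s: classify(s) for s in _attr_list(connector_xml, "ciphers")}


def modern_suites(connector_xml):
    """Suites that would satisfy Chrome's 'modern cryptography' bar."""
    return [s for s, issues in audit(connector_xml).items() if not issues]


def legacy_protocols(connector_xml):
    """Enabled protocol versions older than TLS 1.2."""
    return [p for p in _attr_list(connector_xml, "sslEnabledProtocols")
            if p not in ("TLSv1.2", "TLSv1.3")]


if __name__ == "__main__":
    for name, xml in (("posted", ORIGINAL_CONNECTOR), ("hardened", HARDENED_CONNECTOR)):
        print(f"== {name} connector ==")
        print("legacy protocols:", legacy_protocols(xml) or "none")
        for suite, issues in audit(xml).items():
            print(f"  {suite}: {'; '.join(issues) or 'OK'}")
```

Run against the posted connector, every one of the ten suites comes back with at least one issue and the legacy protocol list is TLSv1 and TLSv1.1; the hardened connector yields two clean suites and no legacy protocols. Restricting sslEnabledProtocols to TLSv1.2 alone will lock out clients that cannot speak it, so check your client population before copying that line.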