On 4/15/2015 12:05 PM, Jason Jesso wrote:
I have Tomcat 6.0.41 connector set-up with:
SSLProtocol="TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA"
We are failing our PCI scan for "RSA_EXPORT Cipher Suites (FREAK)".
I also test my server using openssl like:
openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null
SSL-Session:
Protocol : TLSv1
Cipher : EXP-EDH-RSA-DES-CBC-SHA
Session-ID:
552E8BA663CD1406A0483AC1C5EA4625FEAA4728B4CEC0DF9FDB7B1205F34A56
Session-ID-ctx:
Master-Key:
28300592CF17AEB81E3113DBD26A74406729DECDF4274E5181FDFB82896C8039E5B5205965423F162D44A0814892779A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1429113767
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
It still connects with the EXPORT cipher. I do not know why, since I thought the ciphers
I specify in the "ciphers" variable are good.
This is my Tomcat start-up:
bin/startup.sh
Using CATALINA_BASE: /usr/apache-tomcat-6.0.41
Using CATALINA_HOME: /usr/apache-tomcat-6.0.41
Using CATALINA_TMPDIR: /usr/apache-tomcat-6.0.41/temp
Using JRE_HOME: /usr/java6
Using CLASSPATH: /usr/apache-tomcat-6.0.41/bin/bootstrap.jar
What exact version of java? I think that's your issue.
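The "-cipher EXPORT" probe from the quoted message, turned into a small reusable check (an added example, not code from the thread or from the Tomcat project). It assumes an openssl binary on PATH; the parsing works on any s_client output, but an actual export-cipher handshake only succeeds with an OpenSSL build old enough to still include those suites, as the poster's was.

```bash
#!/bin/sh
# Probe a TLS endpoint for weak cipher groups the way the poster did with
# "openssl s_client -cipher EXPORT", and report which groups the server accepts.

# negotiated_cipher: read s_client output on stdin and print the value of the
# "Cipher :" line in the SSL-Session block (empty when no session was set up).
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# is_export_cipher NAME: succeed when NAME is an export-grade suite, either in
# OpenSSL naming (EXP- prefix) or IANA naming (_EXPORT_ / _EXPORT1024_).
is_export_cipher() {
    case "$1" in
        EXP-*|*_EXPORT_*|*_EXPORT1024_*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe HOST PORT CIPHERGROUP: attempt a handshake restricted to CIPHERGROUP
# and print "accepted <cipher>" or "rejected". A server that passes a FREAK
# check must print "rejected" for the EXPORT group.
probe() {
    out=$(openssl s_client -cipher "$3" -connect "$1:$2" </dev/null 2>/dev/null)
    c=$(printf '%s\n' "$out" | negotiated_cipher)
    case "$c" in
        ""|"(NONE)"|"0000") echo "rejected" ;;
        *) echo "accepted $c" ;;
    esac
}

# Usage: ./probe.sh host port  (runs only when both arguments are given)
if [ $# -eq 2 ]; then
    for group in EXPORT LOW NULL aNULL; do
        printf '%-7s %s\n' "$group" "$(probe "$1" "$2" "$group")"
    done
fi
```

Run it against the Tomcat host after each configuration change; the connector is only fixed when the EXPORT line reads "rejected".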
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org