Arthur,

On 6/11/15 4:34 PM, Arthur Ramsey wrote:
> On 06/11/2015 02:35 PM, Christopher Schultz wrote:
> Arthur,
>
> On 6/11/15 2:14 PM, Arthur Ramsey wrote:
>>>> Is anyone aware of a way to mitigate the Logjam attack with
>>>> tomcat 7 and java 7?
> Disable DHE_EXPORT on the server?
>> I believe I have, but Qualys SSL Server Test still fails me on
>> the Logjam check.
>
>> SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"

You also have DHE-* ciphers in there, which is probably the problem.
Remove those and I think Qualys will be happier. Really, who is using
DHE in the first place?

>>>> I use tcnative and openssl-1.0.2a both compiled from source
>>>> in production today, but I would be open to JSSE too. I
>>>> believe I need Java 8 to mitigate CVE-2015-4000 with JSSE.
> Why?
>> See
>> http://stackoverflow.com/questions/30352105/how-to-set-custom-dh-group-in-java-sslengine-to-prevent-logjam-attack

Understood. I thought you just wanted to remove the EXPORT and DHE
ciphers in general. Increasing the number of bits in the DH parameters
will in fact require an upgrade.

>>>> I don't see any way to use a unique 2048-bit or greater DH
>>>> group with tcnative currently.
> I believe you are correct; there is a bug in BZ:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56108
>
> It looks like 1.1.34 will have this feature. You can build the
> current trunk of the 1.1 branch and probably be okay.
>> Thanks, I'll give it a try. Scary to use in production, but it
>> may be my best answer.
>
>>>> I'm not sure if there is anything I can do at compile time.
>>>> I'd rather not change the cipher suites as I want to maintain
>>>> browser support.
> You should disable EXPORT certificates no matter what. Or were you
> talking about the DH parameters?
>> I was talking about DH parameters.
>
>>>> My server configuration passed the Qualys SSL Server Test
>>>> with flying colors until Logjam, so I would be worried about
>>>> regressions on other security fixes if I used JSSE.
> -chris

-chris
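
Added example, not part of the original e-mail or of Tomcat/OpenSSL: a small Python audit of the cipher list quoted in the thread, showing which entries still enable finite-field DHE despite `!EXPORT` and what the list looks like with them removed, as suggested above. The function names and the alias set are assumptions of this example; it parses the string itself and does not call OpenSSL.

```python
import re

# Cipher list quoted in the thread (mail line wraps rejoined).
THREAD_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)

# OpenSSL cipher-string aliases that select finite-field (EC)-less DH suites.
DHE_ALIASES = {"DH", "DHE", "EDH", "kDHE", "kEDH"}


def uses_ffdhe(token):
    """Return True if one cipher-list token enables finite-field DHE suites."""
    if token[:1] in "!-":
        # "!X" / "-X" only remove suites; "!EXPORT" drops export-grade
        # suites but leaves ordinary DHE-* entries enabled.
        return False
    token = token.lstrip("+")
    if token.startswith(("DHE-", "EDH-")):      # explicit suite name
        return True
    # Alias expressions such as "kEDH+AESGCM" are ANDed with "+".
    return any(part in DHE_ALIASES for part in token.split("+"))


def split_dhe(cipher_list):
    """Return (tokens enabling DHE, cipher list with those tokens removed)."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_list) if t]
    flagged = [t for t in tokens if uses_ffdhe(t)]
    kept = [t for t in tokens if not uses_ffdhe(t)]
    return flagged, ":".join(kept)


if __name__ == "__main__":
    flagged, hardened = split_dhe(THREAD_CIPHERS)
    print("Entries still enabling DHE:")
    for t in flagged:
        print("  ", t)
    print('SSLCipherSuite="%s"' % hardened)
```

Keeping the DHE entries instead requires stronger DH parameters, which the thread notes needs an upgrade (tcnative 1.1.34 or Java 8 for JSSE).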