Rainer,
On 6/12/15 6:32 AM, Rainer Jung wrote:
> With existing 1.1.33 you can choose your cipher suite, so that
> non-DHE ciphers come first and set SSLHonorCipherOrder such that
> the client chooses the first matching cipher and DHE will likely
> not be used, only by clients who do not support a cipher to the left
> of DHE in your cipher list.

A slight correction: the *server* chooses the cipher suite to be used, not the client.

> Note that old Java versions as clients (6, maybe 7 depending on
> patch level?) have a problem with DHE keys longer than 768 or 1024
> bits (depending on JVM details). So by mitigating Logjam you might
> run into compatibility issues with those.

+1

> It would be interesting to know what details SSLLabs tell you,
> e.g. if they say you are vulnerable to the export downgrade attack
> (really bad), or "just" that your DH params should be longer. You can
> use the OpenSSL command-line client in version 1.0.2 to check what
> param length a handshake results in:
>
> openssl s_client -connect www.example.com:443 -cipher "EDH" | \
> grep "Server Temp Key"
>
> See: https://www.openssl.org/blog/

+1

-chris
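The s_client check quoted above, wrapped into a small script as an added example (not code from the thread or from Tomcat): it parses the "Server Temp Key: DH, N bits" line that OpenSSL 1.0.2 prints and classifies the DH parameter length. The function names, the 512/2048-bit thresholds and the sample output used in the comments are assumptions of this example.

```shell
#!/bin/sh
# dh_bits_from_handshake: read `openssl s_client` output on stdin and print the
# ephemeral DH parameter length in bits, or "none" if no DHE suite was
# negotiated (server refused every EDH suite, or the line is absent).
# Expected input line (OpenSSL 1.0.2 format): "Server Temp Key: DH, 1024 bits"
dh_bits_from_handshake() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1 | grep . || echo none
}

# classify_dh: turn a bit length into a verdict.
#   export-grade : <= 512 bits, the Logjam downgrade target; fix immediately
#   weak         : 513..2047 bits (typically 1024); regenerate params at 2048+
#   ok           : >= 2048 bits. Note: old Java 6/7 clients may fail above
#                  1024 bits, so weigh that against your client population.
#   no-dhe       : no ephemeral DH key at all (DHE disabled or ordered out)
classify_dh() {
    bits="$1"
    if [ "$bits" = none ]; then
        echo no-dhe
    elif [ "$bits" -le 512 ]; then
        echo export-grade
    elif [ "$bits" -lt 2048 ]; then
        echo weak
    else
        echo ok
    fi
}

# probe_host HOST [PORT]: run the live check (needs network and OpenSSL
# >= 1.0.2). Forcing -cipher EDH makes the server pick a DHE suite if it
# offers any, so the printed length is the one Logjam cares about.
probe_host() {
    host="$1"; port="${2:-443}"
    bits=$(openssl s_client -connect "$host:$port" -cipher EDH </dev/null 2>/dev/null \
        | dh_bits_from_handshake)
    echo "$host:$port DH=$bits verdict=$(classify_dh "$bits")"
}
# Usage: probe_host www.example.com 443
```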