-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Rahul,
On 10/1/15 6:22 AM, Rahul Singh wrote: > Ok Thanks for your quick response. Could you please tell me the > size of cipher key mentioned below is it stronger than 1024? > ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, > TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, > TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" Each one of the above is a separate cipher suite. You can Google for each one of them to find out what they are, how many bits of encryption the provide, etc. Java itself is the source of the EDH/DHE ephemeral key. The way that crypto works is that RSA is used for authentication (to verify that the server's certificate is in fact signed by an appropriate CA, etc.) but then an "ephemeral" (temporary) key is generated as part of the handshake, and that key is not tied to the RSA key that is used for the certificate. This is what provides "perfect forward secrecy" because breaking the server's private (RSA) key does not automatically unlock all recorded conversations that used that particular key for the handshake. https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange Certain versions of Java use weak keys using 1024-bit DH. Basically, you need to upgrade to Java 8 in order for your encryption to use an appropriate strength. https://dzone.com/articles/wso2-products-resolving-err-ssl-weak-ephemera l-dh Use Java 8 and specify -Djdk.tls.ephemeralDHKeySize=2048 to get the strongest EDH keys Java currently supports. Now, having said that... you are only using ECDHE (Elliptic-curve EDH) ciphers in your specified suites. These offer better protection-per-key-bit than the non-EC EDH cipher suites. I actually don't know why Chrome is complaining about the above configuration: there are no non-EC EDH suites configured. As a personal critique, I would say that your above cipher suites have the following problems: 1. You have two cipher suites using the RC4 cipher. Remove these unless you absolutely need to support old broken clients like MSIE6 on Windows XP. ECDHE + RC4 is entirely unnecessary, since there are no clients who support ECDHE but nothing better than RC4. Remove that at once. 2. Prioritize the suites with higher key bit counts and larger hashes (move them towards the front), unless performance is a significant concern for you. 3. Consider adding cipher suites based upon 3DES for some variety. - -chris >> Subject: Re: logjam attacks in tomcat 7 To: >> users@tomcat.apache.org From: ma...@apache.org Date: Thu, 1 Oct >> 2015 08:59:31 +0200 >> >> On 01/10/2015 07:08, Rahul Singh wrote: >>> Yes i know this fix, i just want to know, waht is deafult >>> cipher deatil, in my existing server.xml no cipher parameter >>> value is mentioned.So please help me to understand the same. >> >> To quote the documentation: >> >> <quote> By default, the default ciphers for the JVM will be used. >> Note that this usually means that the weak export grade ciphers >> will be included in the list of available ciphers. </quote> >> >> If you want to know what that means for the JVM you are using >> then I strongly recommend this site: >> >> https://www.ssllabs.com/ssltest/ >> >> Mark >> >> >>> >>> >>> >>> >>>> Date: Thu, 1 Oct 2015 10:26:43 +0530 Subject: Re: logjam >>>> attacks in tomcat 7 From: srikanth.hu...@gmail.com To: >>>> users@tomcat.apache.org >>>> >>>> Configuration like mentioned below should be able to resolve >>>> your issue: >>>> >>>> <Connector port="{{ https_port }}" >>>> protocol="org.apache.coyote.http11.Http11Protocol" >>>> SSLEnabled="true" maxThreads="150" scheme="https" >>>> secure="true" keystoreType="JKS" >>>> keystoreFile="{{path_to_keystore}}" keystorePass="{{ >>>> keystore_password }}" clientAuth="false" >>>> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" >>>> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_A ES_128_CBC_SHA, >>>> >>>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ,TLS_ECDHE_RSA_WITH_RC4_128_SHA, >>>> TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RS A_WITH_AES_256_CBC_SHA256, >>>> >>>> TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" /> >>>> >>>> Srikanth Hugar www.gharki.com >>>> >>>> >>>> >>>> On Thu, Oct 1, 2015 at 10:22 AM, Rahul Singh >>>> <rksing...@hotmail.com> wrote: >>>> >>>>> Dear Tomcat Support Team,Thanks for your continuous >>>>> support. In our Application Tomcat V 7.0.54 is used. We are >>>>> facing the problem of "Server has a weak, ephemeral >>>>> Diffie-Hellman public key >>>>> ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY" In chrome browser. >>>>> Tomcat server .xml have following configuration, which does >>>>> not contain chipher, it means it used default cipher. >>>>> ================================================================<C onnector >>>>> >>>>> port="8585" minSpareThreads="5" enableLookups="true" >>>>> redirectPort="8282" acceptCount="32" >>>>> connectionTimeout="60000"/> <Connector port="8282" >>>>> minSpareThreads="5" SSLEnabled="true" >>>>> enableLookups="true" acceptCount="32" scheme="https" >>>>> secure="true" clientAuth="false" >>>>> sslEnabledProtocols="TLSv1.2" >>>>> algorithm="SunX509"/>============================================= =================== >>>>> >>>>> Underline JAVA is : OpenJDK Runtime Environment (rhel-2.5.5.3.el6-x86_64 >>>>> u79-b14) So could ypu please assist me to understand the >>>>> following things. 1- What value of default cipher is using >>>>> in My application.2- Does it require to update for working >>>>> with lates Browser chrome and fixing the "Diffie-Hellman" >>>>> security issue. Regards,Rahul kumar Singh >>> >>> >> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJWDUR2AAoJEBzwKT+lPKRYrSAQAIuucIToOBYmzeRMh9RrdLD4 cKB7mGsLPsHpRXn2uXKx1ZAkxfl1gOeuwrUKJLYN4TbIiQ90rsOJo5yeyV68ukhQ jMEMzBFaVcqh25ofH7VRMmj2EY6xrrjDkYjeOBF/crLDklrsdrFOjT7WdR0eW+BW XJf/+Ytu9Oq/6RLZAjFfHPaV2+lCvsuLa2BsvbjdEl9Yahgu/oDlXWdYLDZFZs62 Q8guChEt5ZinPSkN2xTS7oM5KklT6lc76pkUnLsRn/FAlp7Nkf36ydAep/qcQVmN SEZFyFEEUIaeBk9+KmTaKPYGVw5dFtSWf28yqUG+zb15A2mRqQzNeUzps7+gp3Dt Anjbz52BfnIWO2aDdPHp0ctV8m0o9bZhUN53ehjvb6iNDOXIK3dG0pcvSddpSROH 1Ufnwhi+QqZUpoCc1ASoTy6iyMzeNGD+IQbvZ6W4B2YsAXItIX0ibdSyumSftfH0 mjCS7qPm7v4SZAb/JzqtvPNY39N9dx022CLJvgBBY/g2lKnBj4mDG8n4U66AIa+c vflAVhOXHc31XO2Ba2Ep59hc+2tW0XZuoYeISJNhndr1p6mwjiiPmArn2t70qD3u tLk5DNnUPn9mAReZTHsMtPXmacrmYR2V8EpLc/KBfiHbYNcMEcF14uqLUmgjrOEA 8EzMoU//XVokaqky3Vkx =3Uu7 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
