Greg,

On 7/1/16 3:03 AM, Greg Beresnev wrote:
> Thanks Daniel - any idea which cipher in particular needs to be
> absent in order for the SHA-1-based connection/authentication to be
> rejected/failed?

I'm afraid Daniel may have confused the issue, because the certificate-signing algorithm is completely independent of any cipher suites that you may use for the encrypted TLS connection.

FWIW, at $work, we typically filter out anything that looks like this:

NULL|_anon_|_DHE_|EXPORT|RC4|MD5|SHA$

But there's no way I know of to reject the local server certificate if it doesn't meet some kind of criteria.

I checked, and Nagios's check_http utility does NOT have a check for anything about a certificate other than its expiration date. This seems like a good thing to add to that tool (along with complaining about support for certain protocols like SSLv3).

There are other tools you could use, such as Mark's suggestion of using Qualys's ssltest site.

-chris

> On Fri, Jul 1, 2016 at 4:53 PM, Daniel Savard <daniel.sav...@gmail.com> wrote:
>
>> 2016-06-30 23:05 GMT-04:00 Greg Beresnev <russiande...@gmail.com>:
>>
>>> Hi,
>>>
>>> We're in the process of updating our web application to stop using SHA-1 certificates and I was wondering if there was some way to configure Tomcat (we're on version 7.0.39 - yes, I know, we are pretty old-school and should get with the times) to either throw errors or at least log warnings for the cases where a connection/authentication attempt is being made using a SHA-1 certificate?
>>>
>>
>> No.
>>
>> However, you can select the accepted ciphers to reject anything that doesn't meet your standards.
>>
>> -----------------
>> Daniel Savard
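Chris points out that check_http only looks at a certificate's expiry and that the signing algorithm is separate from the cipher-suite filter. As an added example (not code from this thread, from Nagios or from Tomcat), here is a stdlib-only Python check that reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate and flags the SHA-1-based ones; `check_server` is a hypothetical helper for fetching a live certificate, and the certificate skeletons built by `constructed_cert` are constructed test inputs, not real certificates.

```python
import ssl

# Dotted OIDs of the SHA-1-based signature algorithms seen on server certificates.
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10040.4.3": "dsaWithSHA1", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes (base-128 arcs) into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der_cert):
    """OID of the outer signatureAlgorithm (second element of the Certificate SEQUENCE)."""
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(body, 0)            # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, after_tbs)       # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_bytes, _ = _read_tlv(alg_id, 0)    # its first element is the OID
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)

def uses_sha1(der_cert):
    """True if the certificate's signature algorithm is SHA-1-based."""
    return signature_algorithm_oid(der_cert) in SHA1_SIGNATURE_OIDS

def check_server(host, port=443):
    """Hypothetical helper (needs network): fetch the server's certificate and check it."""
    pem = ssl.get_server_certificate((host, port))
    return uses_sha1(ssl.PEM_cert_to_DER_cert(pem))

def constructed_cert(sig_oid):
    """Minimal DER skeleton carrying the given signature OID; constructed test input, not a real cert."""
    alg_id = b"\x30" + bytes([len(sig_oid) + 4]) + b"\x06" + bytes([len(sig_oid)]) + sig_oid + b"\x05\x00"
    body = b"\x30\x00" + alg_id + b"\x03\x01\x00"  # empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING
    return b"\x30" + bytes([len(body)]) + body

# Encoded OID contents: sha1WithRSAEncryption (…1.1.5) and sha256WithRSAEncryption (…1.1.11)
SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
```

A real deployment would run `uses_sha1` on every certificate in the served chain, not just the leaf, since an intermediate signed with SHA-1 is rejected by modern clients just the same.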