Greg,

On 7/1/16 3:03 AM, Greg Beresnev wrote:
> Thanks Daniel - any idea which cipher in particular needs to be
> absent in order for the SHA-1-based connection/authentication to be
> rejected/fail?

I'm afraid Daniel may have confused the issue, because the
certificate-signing algorithm is completely independent of any cipher
suites that you may use for the encrypted TLS connection.

FWIW, at $work, we typically filter out anything that looks like this:

NULL|_anon_|_DHE_|EXPORT|RC4|MD5|SHA$

But there's no way I know of to reject the local server certificate if
it doesn't meet some kind of criteria.

I checked, and Nagios's check_http utility does NOT have a check for
anything about a certificate other than its expiration date. This
seems like a good thing to add to that tool (along with complaining
about support for certain protocols like SSLv3).

There are other tools you could use, such as Mark's suggestion of
using Qualys's ssltest site.

-chris

> On Fri, Jul 1, 2016 at 4:53 PM, Daniel Savard
> <daniel.sav...@gmail.com> wrote:
> 
>> 2016-06-30 23:05 GMT-04:00 Greg Beresnev
>> <russiande...@gmail.com>:
>> 
>>> Hi,
>>> 
>>> We're in the process of updating our web application to stop
>>> using SHA-1 certificates and I was wondering if there was some
>>> way to configure Tomcat (we're on version 7.0.39 - yes, I know,
>>> we are pretty old-school and should get with the times) to either
>>> throw errors or at least log warnings for the cases where a
>>> connection/authentication attempt is being made using a SHA-1
>>> certificate?
>>> 
>> 
>> No.
>> 
>> However, you can select the accepted ciphers to reject anything
>> that doesn't meet your standards.
>> 
>> ----------------- Daniel Savard
>> 
> 
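Added example, not code from the thread, Tomcat or Nagios: the cipher-suite exclusion regex Chris posted, applied to JSSE-style suite names, plus the certificate check Greg asked for and Chris notes check_http lacks, done by reading the signatureAlgorithm OID straight out of a DER-encoded certificate. Assumptions: the regex is meant as an exclusion filter over Java suite names, and the two sample "certificates" are constructed stubs (a tbsCertificate holding only INTEGER 1), not real certificates.

```python
import re
# Chris's exclusion regex from the thread, applied to JSSE-style suite names.
CIPHER_BLOCKLIST = re.compile(r"NULL|_anon_|_DHE_|EXPORT|RC4|MD5|SHA$")
# signatureAlgorithm OIDs that denote a SHA-1 based certificate signature.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}
# Constructed minimal DER "certificates" for testing (not real certs): the
# tbsCertificate holds only INTEGER 1; only the AlgorithmIdentifier differs.
SAMPLE_SHA1_CERT = bytes.fromhex(
    "3018" "3003020101" "300d06092a864886f70d0101050500" "030200ff")
SAMPLE_SHA256_CERT = bytes.fromhex(
    "3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff")

def filter_ciphers(names):
    """Split cipher-suite names into (kept, rejected) using the blocklist."""
    kept, rejected = [], []
    for name in names:
        (rejected if CIPHER_BLOCKLIST.search(name) else kept).append(name)
    return kept, rejected

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OID content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def certificate_signature_oid(der):
    """Outer signatureAlgorithm OID of a DER Certificate (tbs, alg, sig)."""
    _, body, _ = _read_tlv(der, 0)
    _, _, pos = _read_tlv(body, 0)       # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)     # its first element is the OID
    return _decode_oid(oid)
```

For a live server, `ssl.get_server_certificate((host, port))` returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert()` turns it into the bytes `certificate_signature_oid` expects.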
