We're running Tomcat 8.5, currently configured with the following OpenSSL cipher strings in our SSLHostConfig:
ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!PSK" However, SSLLabs' server test reports that the following available ciphers are weak: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA Is there a cipher string that concisely includes these *_RSA_WITH_AES_*_CBC_SHA* ciphers that may be used to disallow them in the SSLHostConfig ciphers parameter? I didn't see one in the OpenSSL ciphers reference. SSLLabs reports only the following available ciphers as non-weak: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Our ciphers are provided via Oracle's JDK 8. -- UH Information Technology Services : Identity & Access Mgmt, Middleware minutas cantorum, minutas balorum, minutas carboratum desendus pantorum --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
