On 14/11/2020 00:41, Baron Fujimoto wrote:
> We're running Tomcat 8.5, currently configured with the following
> OpenSSL cipher strings in our SSLHostConfig:
> 
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!PSK"
> 
> However, SSLLabs' server test reports that the following available
> ciphers are weak:
> 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> 
> Is there a cipher string that concisely includes these
> *_RSA_WITH_AES_*_CBC_SHA* ciphers that may be used to disallow them in
> the SSLHostConfig ciphers parameter? I didn't see one in the OpenSSL
> ciphers reference.

Have you tried adding ":-AES:+AESGCM" to the cipher string you are
already using?

Mark


> 
> SSLLabs reports only the following available ciphers as non-weak:
> 
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> 
> Our ciphers are provided via Oracle's JDK 8.
> 

