Abirami,
On 3/20/21 11:36, S Abirami wrote:
We have deployed embedded tomcat in RHEL 7 with jdk 1.8. For sweet32
vulnerability, we have configured jdk.tls.disabled.algorithm to
remove the encryption cipher have 64bit block size.
I need a clarification whether JDK configuration is enough for
embedded tomcat to avoid sweet32 attack or through IntrospectionUtils
Whether we need to configure the ciphers list.
While disabling the bulk encryption at the JVM level is probably the
/safest/ thing to do, I would change the cipher suite string that Tomcat
uses for TLS handshaking with its TLE-enabled connectors.
Why? Because having configuration elsewhere can be confusing and
surprising, and confusion and surprise are not friends of security.
If you can disable those cipher suites via a <Connector>, why bother to
disable those algorithms at the JVM level? Well, if you have *outgoing*
TLS connections and you aren't sure how to configure them properly[1],
then this JVM setting will protect you all around.
You shouldn't need IntrospectionUtils for anything.
Whether there is any API to find the default list of cpihers active
in Embedded tomcat similar to SSLSocket.getEnabledCipherSuite?
It would be easier to run a TLS scanner against your server, like
https://www.ssllabs.com/ssltest/
IF you can't reach your server from the internet (or don't want to use
another tool to probe your server for whatever reason(, you can use this
tool instead:
https://github.com/ChristopherSchultz/ssltest
Hope that helps,
-chris
[1] Pro tip: learn how to configure ALL your TLS connections properly,
then do it.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
