Thanks Christopher for the detailed explanation with testing tools.

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Sunday, March 21, 2021 9:02 AM
To: users@tomcat.apache.org
Subject: Re: Embedded Tomcat 9.0.33
Abirami,

On 3/20/21 11:36, S Abirami wrote:
> We have deployed embedded tomcat in RHEL 7 with jdk 1.8. For sweet32
> vulnerability, we have configured jdk.tls.disabled.algorithm to
> remove the encryption ciphers that have a 64-bit block size.
>
> I need a clarification whether JDK configuration is enough for
> embedded tomcat to avoid sweet32 attack or through IntrospectionUtils
> whether we need to configure the ciphers list.

While disabling the bulk encryption at the JVM level is probably the
/safest/ thing to do, I would change the cipher suite string that Tomcat
uses for TLS handshaking with its TLS-enabled connectors.

Why? Because having configuration elsewhere can be confusing and
surprising, and confusion and surprise are not friends of security.

If you can disable those cipher suites via a <Connector>, why bother to
disable those algorithms at the JVM level? Well, if you have *outgoing*
TLS connections and you aren't sure how to configure them properly[1],
then this JVM setting will protect you all around.

You shouldn't need IntrospectionUtils for anything.

> Whether there is any API to find the default list of ciphers active in
> Embedded tomcat similar to SSLSocket.getEnabledCipherSuite?

It would be easier to run a TLS scanner against your server, like
https://www.ssllabs.com/ssltest/

If you can't reach your server from the internet (or don't want to use
another tool to probe your server for whatever reason), you can use this
tool instead:
https://github.com/ChristopherSchultz/ssltest

Hope that helps,
-chris

[1] Pro tip: learn how to configure ALL your TLS connections properly,
then do it.
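The two places Chris describes, as an added example that is not part of this thread or of Tomcat's own code: a Tomcat 9 embedded connector that names its cipher list explicitly (no 64-bit-block suites), plus a check of what the JVM's default SSLContext still enables under jdk.tls.disabledAlgorithms. The class name, keystore path and password are placeholders assumed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class Sweet32HardenedTomcat {
    // JVM-level check: which default enabled suites still use a 64-bit block cipher
    // (DES/3DES)? Empty means jdk.tls.disabledAlgorithms already covers them, which
    // is the setting that also protects outgoing TLS connections.
    static List<String> jvmEnabled64BitBlockSuites() throws Exception {
        List<String> weak = new ArrayList<>();
        for (String s : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (s.contains("3DES") || s.contains("DES_CBC")) {
                weak.add(s);
            }
        }
        return weak;
    }

    // Connector-level setting: the cipher list lives with the connector, so whoever
    // reads this code sees what the server offers. Keystore values are placeholders.
    static Connector hardenedConnector(int port, String keystore, String password) {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");
        SSLHostConfig host = new SSLHostConfig();
        host.setProtocols("TLSv1.2+TLSv1.3");
        // OpenSSL-style list (Tomcat maps it to JSSE names): no 3DES, RC4, MD5 or anonymous suites.
        host.setCiphers("HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5");
        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(host, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile(keystore);
        cert.setCertificateKeystorePassword(password);
        host.addCertificate(cert);
        connector.addSslHostConfig(host);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM still enables 64-bit-block suites: " + jvmEnabled64BitBlockSuites());
        Tomcat tomcat = new Tomcat();
        tomcat.getService().addConnector(hardenedConnector(8443, "keystore.p12", "changeit"));
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

After startup, pointing a scanner such as the ssltest tool linked above at port 8443 confirms that the connector no longer offers any 3DES suite, independently of what the JVM property says.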
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org