Christopher,

my "Problem" is that I have a requirement that SSLv2 shall be forbidden, but not SSLv3 and TLS. On top, also forbidden are ciphers <= 128 bit. I was hoping to tackle this with

SSLProtocol="TLSv1+SSLv3" SSLCipher="-ALL:+HIGH:+MEDIUM"

without manually selecting all ciphers. Since I'm on apr/openssl, I assume that my available ciphers are what "openssl ciphers" gives me? So this leaves me with no other option than crawling through all the ciphers? Certainly looking forward to it ;-)

regards
Jens Neu
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens....@biotronik.de


Christopher Schultz <ch...@christopherschultz.net>
01/22/2010 06:05 PM
Please respond to "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
cc:
Subject: Re: TLS+SSLv3 but no SSLv2

Jens,

On 1/22/2010 11:10 AM, Jens Neu wrote:
> on http://tomcat.apache.org/tomcat-6.0-doc/apr.html I read for the
> SSLProtocol:
>
> "Protocol which may be used for communicating with clients. The default is
> "all", with other acceptable values being "SSLv2", "SSLv3", "TLSv1", and
> "SSLv2+SSLv3"."
>
> Does this really mean that I can not allow a "TLSv1+SSLv3" setting while
> forbidding SSLv2? It seems so to me, since setting SSLProtocol to this
> obviously defaults to "ALL" :-(

I agree with Chuck: TLSv1 ~= SSLv3. Although the "protocol" attribute has a limited set of values you can choose, you can always set the ciphers you will allow using the "ciphers" attribute. This will allow you to pick and choose the ciphers regardless of the overall "protocol" that you choose.

The ciphers available depend upon your environment, but these are the ones I can see in mine:

java version "1.6.0_12"
Java(TM) SE Runtime Environment (build 1.6.0_12-b04)
Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)

Default  Cipher
  *      SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  *      SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  *      SSL_DHE_DSS_WITH_DES_CBC_SHA
  *      SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  *      SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  *      SSL_DHE_RSA_WITH_DES_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
         SSL_DH_anon_WITH_DES_CBC_SHA
         SSL_DH_anon_WITH_RC4_128_MD5
  *      SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
  *      SSL_RSA_EXPORT_WITH_RC4_40_MD5
  *      SSL_RSA_WITH_3DES_EDE_CBC_SHA
  *      SSL_RSA_WITH_DES_CBC_SHA
         SSL_RSA_WITH_NULL_MD5
         SSL_RSA_WITH_NULL_SHA
  *      SSL_RSA_WITH_RC4_128_MD5
  *      SSL_RSA_WITH_RC4_128_SHA
  *      TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
         TLS_DH_anon_WITH_AES_128_CBC_SHA
         TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
         TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
         TLS_KRB5_EXPORT_WITH_RC4_40_MD5
         TLS_KRB5_EXPORT_WITH_RC4_40_SHA
         TLS_KRB5_WITH_3DES_EDE_CBC_MD5
         TLS_KRB5_WITH_3DES_EDE_CBC_SHA
         TLS_KRB5_WITH_DES_CBC_MD5
         TLS_KRB5_WITH_DES_CBC_SHA
         TLS_KRB5_WITH_RC4_128_MD5
         TLS_KRB5_WITH_RC4_128_SHA
  *      TLS_RSA_WITH_AES_128_CBC_SHA

Hope that helps,
-chris