Christopher, yes, that's it! Merci bien :-) I was reading http://www.openssl.org/docs/apps/ciphers.html "for reference"; that's where I got scared that I had to check all of them for 128bit. Didn't know that SSLCipher= is actually understood by openssl.
It's Friday finally :)

Jens
Health Services Network Administration
Phone: +49 (0) 30 68905-2412
Mail: jens....@biotronik.de


Christopher Schultz <ch...@christopherschultz.net>
01/22/2010 06:36 PM
Please respond to "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: TLS+SSLv3 but no SSLv2

Jens,

On 1/22/2010 12:30 PM, Jens Neu wrote:
> Christopher,
>
> my "Problem" is that I have a requirement that SSLv2 shall be forbidden,
> but not SSLv3 and TLS. On top, also forbidden are ciphers <=128bit. I was
> hoping to tackle this with
>
> SSLProtocol="TLSv1+SSLv3"
> SSLCipher="-ALL:+HIGH:+MEDIUM"
>
> without manually selecting all ciphers. Since I'm on apr/openssl, I assume
> that my available ciphers are what "openssl ciphers" gives me?
> So this leaves me with no other option than crawling through all the
> ciphers? Certainly looking forward to it ;-)

How about SSLCipher="-ALL:+HIGH:+MEDIUM:!SSLv2"?

The APR documentation points you to the openssl documentation for
reference. The above SSLCipher yields:

$ openssl ciphers '-ALL:HIGH:MEDIUM:!SSLv2'| sed -e 's/:/\n/g'
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
ADH-RC4-MD5
RC4-SHA
RC4-MD5

Are those acceptable? You don't have to list all the ciphers if you don't
want to.

-chris
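A way to check a candidate SSLCipher value against the policy stated in this thread (no SSLv2, and no suite whose key size is 128 bits or less) before it goes into the connector configuration. This is an added example, not code from the thread or from Tomcat; it filters the `openssl ciphers -v` line format with awk, the sample lines are constructed to look like OpenSSL 1.0 output, and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example: check "openssl ciphers -v" output against the thread's policy
# (no SSLv2, no cipher whose key size is <= 128 bits). Line format parsed:
#   NAME PROTOCOL Kx=... Au=... Enc=ALG(BITS) Mac=...

# Constructed sample of "openssl ciphers -v" output for the string
# '-ALL:HIGH:MEDIUM:!SSLv2' plus one SSLv2 suite, styled after OpenSSL 1.0.
SAMPLE_CIPHERS_V='DHE-RSA-AES256-SHA  SSLv3 Kx=DH  Au=RSA Enc=AES(256)  Mac=SHA1
AES256-SHA          SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA  SSLv3 Kx=DH  Au=RSA Enc=AES(128)  Mac=SHA1
AES128-SHA          SSLv3 Kx=RSA Au=RSA Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA        SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA             SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5             SSLv3 Kx=RSA Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5        SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5'

# policy_violations MAXBITS: read "openssl ciphers -v" lines on stdin and print
# one "NAME reason" line per suite that is SSLv2 or has key size <= MAXBITS.
policy_violations() {
    awk -v max="${1:-128}" '
        NF >= 5 {
            name = $1; proto = $2; bits = -1
            for (i = 3; i <= NF; i++)
                if ($i ~ /^Enc=/ && match($i, /\([0-9]+\)/))
                    bits = substr($i, RSTART + 1, RLENGTH - 2) + 0   # AES(256) -> 256
            if (proto == "SSLv2")  print name " protocol SSLv2 is forbidden"
            else if (bits < 0)     print name " key size not reported"
            else if (bits <= max)  print name " key size " bits " <= " max
        }'
}

# count_sample_violations MAXBITS: number of violating suites in the sample.
count_sample_violations() {
    printf '%s\n' "$SAMPLE_CIPHERS_V" | policy_violations "$1" | wc -l | tr -d ' '
}

# check_live CIPHER_STRING MAXBITS: the same check against the local OpenSSL,
# so a candidate SSLCipher value can be verified before it is deployed.
check_live() {
    openssl ciphers -v "$1" | policy_violations "$2"
}

# Run directly: list what the sample would violate under the 128-bit rule.
printf '%s\n' "$SAMPLE_CIPHERS_V" | policy_violations 128
```

Against the sample, the 128-bit rule flags both AES128 suites, both RC4 suites and the SSLv2 suite, which is why a HIGH:MEDIUM string alone does not satisfy the requirement quoted in the thread.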