[Tomcat9][Linux]listening all local addresses by default is not security best practice

2022-11-23 Thread tommydu1123
Hi there, The default behaviour of http connector is listening on all interfaces. It is found in the description of "address" in attributes section. (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support) In terms of security default, it could be not best practice. In case of

Re: How to set Ciphers in Server.xml Tomcat 10.1.zz

2022-11-23 Thread Shawn Heisey
On 11/23/22 14:12, Edwin Mwangi wrote: I need help with the correct parameter for setting Ciphers in Apache Tomcat 10.1.2, in the previous version 9 I would use the parameter below ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" However when I set the same in Apache Tomcat

How to set Ciphers in Server.xml Tomcat 10.1.zz

2022-11-23 Thread Edwin Mwangi
Hi Guys, I need help with the correct parameter for setting Ciphers in Apache Tomcat 10.1.2, in the previous version 9 I would use the parameter below ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" However when I set the same in Apache Tomcat 10.1.2 I get the following

Re: How to set Ciphers in Server.xml Tomcat 10.1.zz

2022-11-23 Thread Edwin Mwangi
Yes, I had to install Java 11 On Thu, 24 Nov 2022, 00:42 Shawn Heisey, wrote: > On 11/23/22 14:12, Edwin Mwangi wrote: > > I need help with the correct parameter for setting Ciphers in Apache > Tomcat > > 10.1.2, in the previous version 9 I would use the parameter below > > > >

listening all local addresses by default is not security best practice

2022-11-23 Thread tommydu1123
Hi there, Product: Ant Apache httpd-2 Apache httpd-test APR POI Rivet Taglibs Tomcat 10 Tomcat 8 Tomcat 9 Tomcat Connectors Tomcat Modules Tomcat Native WebSH

Re: [Tomcat9][Linux]listening all local addresses by default is not security best practice

2022-11-23 Thread Shawn Heisey
On 11/23/22 12:43, Robert Turner wrote: My 2 cents: I think that it would be a very strange change to make to a generic product and a "sample" configuration file. If Tomcat was packaged in a distribution, that might be a more reasonable suggestion. I don't think Tomcat is insecure because of

Re: How to set Ciphers in Server.xml Tomcat 10.1.zz

2022-11-23 Thread Shawn Heisey
On 11/23/22 14:46, Chuck Caldarale wrote: On Nov 23, 2022, at 22:41, Shawn Heisey wrote: I am betting that Java is just refusing to use those ciphers because they are known to be weak. Hopefully an expert can tell me if I am giving incorrect information here. The reported error was the

Re: How to set Ciphers in Server.xml Tomcat 10.1.zz

2022-11-23 Thread Chuck Caldarale
> On Nov 23, 2022, at 22:12, Edwin Mwangi wrote: > > I need help with the correct parameter for setting Ciphers in Apache Tomcat > 10.1.2, in the previous version 9 I would use the parameter below > > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" > > However when I set

Re: [Tomcat9][Linux]listening all local addresses by default is not security best practice

2022-11-23 Thread Robert Turner
My 2 cents: I think that it would be a very strange change to make to a generic product and a "sample" configuration file. If Tomcat was packaged in a distribution, that might be a more reasonable suggestion. I don't think Tomcat is insecure because of this; binding to addresses/ports is a key

Re: How to set Ciphers in Server.xml Tomcat 10.1.zz

2022-11-23 Thread Chuck Caldarale
> On Nov 23, 2022, at 22:41, Shawn Heisey wrote: > > I am betting that Java is just refusing to use those ciphers because they are > known to be weak. Hopefully an expert can tell me if I am giving incorrect > information here. The reported error was the failure to set the non-existent