Arthur,

On 6/11/15 2:14 PM, Arthur Ramsey wrote:
> Is anyone aware of a way to mitigate the Logjam attack with tomcat
> 7 and java 7?

Disable DHE_EXPORT on the server?

> I use tcnative and openssl-1.0.2a both compiled from source in
> production today, but I would be open to JSSE too. I believe I
> need Java 8 to mitigate CVE-2015-4000 with JSSE.

Why?

> I don't see any way to use a unique 2048-bit or greater DH group
> with tcnative currently.

I believe you are correct; there is a bug in BZ:

https://bz.apache.org/bugzilla/show_bug.cgi?id=56108

It looks like 1.1.34 will have this feature. You can build the current trunk of the 1.1 branch and probably be okay.

> I'm not sure if there is anything I can do at compile time. I'd
> rather not change the cipher suites as I want to maintain browser
> support.

You should disable EXPORT certificates no matter what. Or were you talking about the DH parameters?

> My server configuration passed the Qualys SSL Server Test with
> flying colors until Logjam, so I would be worried about regressions
> on other security fixes if I used JSSE.
-chris
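An added example, not part of the original message and not Tomcat or tcnative code: a Python audit of the two settings the thread raises, export-grade suites in the enabled cipher list and the size of the configured DH group. The function names, the 2048-bit threshold constant and the synthetic DH parameters built by `sample_dh_pem` are assumptions constructed for illustration.

```python
import base64
import re

MIN_DH_BITS = 2048  # the thread's target: a "2048-bit or greater" DH group

def _der_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[:1] != b"\x30":
        raise ValueError("expected DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i:i + 1] != b"\x02":
        raise ValueError("expected INTEGER p")
    n, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big").bit_length()

def export_suites(names):
    """Export-grade suites by name: OpenSSL 'EXP-' prefix or IANA '_EXPORT_'."""
    return [s for s in names if s.startswith("EXP-") or "_EXPORT_" in s]

def audit(names, dh_pem):
    """Return findings for the two Logjam-relevant settings discussed above."""
    findings = ["export suite enabled: " + s for s in export_suites(names)]
    bits = dh_prime_bits(dh_pem)
    if bits < MIN_DH_BITS:
        findings.append("DH group is %d bits, below %d" % (bits, MIN_DH_BITS))
    return findings

def sample_dh_pem(bits):
    """Constructed fixture: p = 2^(bits-1) + 1 is NOT a safe prime; only its size matters."""
    def tlv(tag, body):
        n = len(body)
        k = -(-n.bit_length() // 8)  # bytes needed for a long-form length
        size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
        return bytes([tag]) + size + body
    enc = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    der = tlv(0x30, enc((1 << (bits - 1)) | 1) + enc(2))
    return "-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode() + "-----END DH PARAMETERS-----\n"
```

Calling `audit(["DHE-RSA-AES128-SHA", "EXP-EDH-RSA-DES-CBC-SHA"], sample_dh_pem(1024))` returns one finding for the export suite and one for the undersized group; in practice the PEM would be the server's own DH parameters file.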