Done with OFBIZ-10223
Jacques
Le 15/02/2018 à 15:32, Jacques Le Roux a écrit :
Thanks Paul,
It did not occur to me that the ! in MD5 was to prevent the use of MD5 :)
I must say that the syntax is not explained in Tomcat doc (or at least I could
not find it, even Googling everywhere)
Anyway I tried
https://www.ssllabs.com/ssltest/analyze.html?d=demo-trunk.ofbiz.apache.org
And I can confirm that MD5 and the other weak ciphers are not used and we are
safe (good results and a 90% for ciphers)
About using Tomcat default, yes I plenty agree and that's what I wanted to do
initially but did not because did not understand the ! meaning
I'd do that in trunk and backport
Cheers
Jacques
Le 14/02/2018 à 07:00, Paul Foxworthy a écrit :
Hi Jacques,
Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to *not*
allow MD5 even if a client requests it? So I think we're OK already.
Is it possible for us to leave out the ciphers property from OFBiz
altogether, so Tomcat's default rules would come into play, and as they
evolve over time OFBiz would naturally track them, without us having to
maintain our own copy?
Cheers
Paul Foxworthy
On 14 February 2018 at 00:03, Jacques Le Roux <[email protected]>
wrote:
Hi,
Following a recent "distribution policy : make .md5 optional" thread at
[email protected] and looking at https://en.wikipedia.org/wiki/MD5
"Although MD5 was initially designed to be used as a cryptographic hash
function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it
has been found to suffer from extensive vulnerabilities. It can still be
used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify
data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only
against unintentional corruption."
I was wondering so I checked and we no longer use MD5 anywhere but for
last usable ciphers in Catalina ofbiz-component.xml
I copied that recently from [1] and read now at [2] that MD5 is still
used, though still almost at the end of the possible default ciphers.
I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to
used only nowadays reliable ciphers
Maybe we could ask Tomcat user ML for advice, but reading
https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff
and we will get the same answer from the ML.
What are your opinions? Should we follow [3] suggestion or let it as is
OOTB and just warn users about that in a comment? Note that [4] is really
complete and interesting, MD5 as a cypher is not recommended there.
[1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
[2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html
[3] https://s.apache.org/h2vH
[4] https://wiki.mozilla.org/Security/Server_Side_TLS
Jacques
