Thanks Jacques. I bet it is the OpenSSL syntax which is documented here: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html .
Cheers Paul Foxworthy On 16 February 2018 at 01:43, Jacques Le Roux <[email protected]> wrote: > Done with OFBIZ-10223 > > Jacques > > > > Le 15/02/2018 à 15:32, Jacques Le Roux a écrit : > >> Thanks Paul, >> >> It did not occur to me that the ! in MD5 was to prevent the use of MD5 :) >> >> I must say that the syntax is not explained in Tomcat doc (or at least I >> could not find it, even Googling everywhere) >> >> Anyway I tried https://www.ssllabs.com/ssltest/analyze.html?d=demo-trunk. >> ofbiz.apache.org >> >> And I can confirm that MD5 and the other weak ciphers are not used and we >> are safe (good results and a 90% for ciphers) >> >> About using Tomcat default, yes I plenty agree and that's what I wanted >> to do initially but did not because did not understand the ! meaning >> >> I'd do that in trunk and backport >> >> Cheers >> >> Jacques >> >> >> Le 14/02/2018 à 07:00, Paul Foxworthy a écrit : >> >>> Hi Jacques, >>> >>> Doesn't the !MD5 mean Tomcat and OFBiz's default configuration is to >>> *not* >>> allow MD5 even if a client requests it? So I think we're OK already. >>> >>> Is it possible for us to leave out the ciphers property from OFBiz >>> altogether, so Tomcat's default rules would come into play, and as they >>> evolve over time OFBiz would naturally track them, without us having to >>> maintain our own copy? >>> >>> Cheers >>> >>> Paul Foxworthy >>> >>> >>> On 14 February 2018 at 00:03, Jacques Le Roux < >>> [email protected]> >>> wrote: >>> >>> Hi, >>>> >>>> Following a recent "distribution policy : make .md5 optional" thread at >>>> [email protected] and looking at https://en.wikipedia.org/wiki/MD5 >>>> >>>> "Although MD5 was initially designed to be used as a cryptographic hash >>>> function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, >>>> it >>>> has been found to suffer from extensive vulnerabilities. It can still be >>>> used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify >>>> data integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only >>>> against unintentional corruption." >>>> >>>> I was wondering so I checked and we no longer use MD5 anywhere but for >>>> last usable ciphers in Catalina ofbiz-component.xml >>>> >>>> I copied that recently from [1] and read now at [2] that MD5 is still >>>> used, though still almost at the end of the possible default ciphers. >>>> >>>> I also read at [3] "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how >>>> to >>>> used only nowadays reliable ciphers >>>> >>>> Maybe we could ask Tomcat user ML for advice, but reading >>>> https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a >>>> tradeoff >>>> and we will get the same answer from the ML. >>>> >>>> What are your opinions? Should we follow [3] suggestion or let it as is >>>> OOTB and just warn users about that in a comment? Note that [4] is >>>> really >>>> complete and interesting, MD5 as a cypher is not recommended there. >>>> >>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html >>>> >>>> [2] http://tomcat.apache.org/tomcat-8.5-doc/config/http.html >>>> >>>> [3] https://s.apache.org/h2vH >>>> >>>> [4] https://wiki.mozilla.org/Security/Server_Side_TLS >>>> >>>> Jacques >>>> >>>> >>> >>> >> >> > -- Coherent Software Australia Pty Ltd PO Box 2773 Cheltenham Vic 3192 Australia Phone: +61 3 9585 6788 Web: http://www.coherentsoftware.com.au/ Email: [email protected]
