Hi,

I'm using tcnative with:
SSLCipherSuite="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP"

To generate a list of ciphers for your use case simply do:
 openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'

Best,
rob

Robert Paasche
Senior Developer



2015-06-02 16:08 GMT+02:00 Milton Harper <milton.har...@gmail.com>:

>   I ran an SSL scan utility on my Tomcat server and see it allows a lot of
> SSLv3 and RC4 Ciphers along with a number of others. I'm told the SSLv3 and
> RC4 are not allowed and that I should only be using TLS ciphers.
>
>   Adding registry keys has no effect. Modifying the server.xml file does.
> I figured out how to remove the SSLv3 entries.  By adding the following to
> the SSL area of my server.xml file, all the SSLv3 entries do not show on
> the next scan. Part of the problem with this is a lot of other information
> about accepted SSL Certificates disappears as well.
>
>     sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>
>    For removing the RC4 entries, I read posts mentioning adding in a
> ciphers line so I added the following.  It removed the RC4 entries but also
> a lot of other ciphers I didn't want removed.
>
>     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>
> TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA"
>
>    What is the correct updated information for the ciphers line and maybe
> the sslEnabledProtocols as well?  Thank you.
>
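The listing that `openssl ciphers -v` prints can be checked mechanically before a cipher string goes into server.xml. The script below is an added example, not part of either message in this thread: it flags RC4, 3DES, DES, unencrypted, anonymous and MD5 suites. The function name `audit_ciphers` and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag weak suites in `openssl ciphers -v` output.
# Columns: NAME  PROTO  Kx=..  Au=..  Enc=ALG(bits)  Mac=..
# PROTO is the protocol version that introduced the suite, so "SSLv3" there
# does not mean the SSLv3 protocol is on; sslEnabledProtocols controls that.

# audit_ciphers (hypothetical name): reads the listing on stdin, prints
# "WEAK <suite> <reason>" per weak suite, returns 1 if any were found.
audit_ciphers() {
    awk '
    {
        reason = ""
        if      ($5 ~ /^Enc=RC4/)   reason = "RC4"
        else if ($5 ~ /^Enc=3DES/)  reason = "3DES"
        else if ($5 ~ /^Enc=DES\(/) reason = "DES"
        else if ($5 ~ /^Enc=None/)  reason = "no-encryption"
        else if ($4 == "Au=None")   reason = "anonymous"
        else if ($6 == "Mac=MD5")   reason = "MD5"
        if (reason != "") { print "WEAK", $1, reason; bad++ }
    }
    END { exit (bad > 0) }'
}

# Constructed sample listing, so the example runs without OpenSSL installed.
SAMPLE_LISTING='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1'

# Real use: openssl ciphers -v "$YOUR_CIPHER_STRING" | audit_ciphers
printf '%s\n' "$SAMPLE_LISTING" | audit_ciphers || echo "weak suites present"
```

The non-zero return status makes the function usable as a gate in a deployment script.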
