RE: Embedded Tomcat 9.0.33

2021-03-22 Thread S Abirami
Thanks Christopher for detailed explanation with testing tools.

-Original Message-
From: Christopher Schultz  
Sent: Sunday, March 21, 2021 9:02 AM
To: users@tomcat.apache.org
Subject: Re: Embedded Tomcat 9.0.33

Abirami,

On 3/20/21 11:36, S Abirami wrote:
> We have deployed embedded tomcat in RHEL 7 with jdk 1.8. For sweet32 
> vulnerability, we have configured jdk.tls.disabled.algorithm to 
> remove the encryption ciphers that have a 64-bit block size.
> 
> I need a clarification whether JDK configuration is enough for 
> embedded tomcat to avoid sweet32 attack or, through IntrospectionUtils, 
> whether we need to configure the ciphers list.

While disabling the bulk encryption at the JVM level is probably the /safest/ 
thing to do, I would change the cipher suite string that Tomcat uses for TLS 
handshaking with its TLS-enabled connectors.

Why? Because having configuration elsewhere can be confusing and surprising, 
and confusion and surprise are not friends of security.

If you can disable those cipher suites via a , why bother to disable 
those algorithms at the JVM level? Well, if you have *outgoing* TLS connections 
and you aren't sure how to configure them properly[1], then this JVM setting 
will protect you all around.

You shouldn't need IntrospectionUtils for anything.

> Whether there is any API to find the default list of ciphers active in 
> Embedded tomcat similar to SSLSocket.getEnabledCipherSuite?

It would be easier to run a TLS scanner against your server, like 
https://www.ssllabs.com/ssltest/

IF you can't reach your server from the internet (or don't want to use another 
tool to probe your server for whatever reason), you can use this tool instead:
https://github.com/ChristopherSchultz/ssltest

Hope that helps,
-chris

[1] Pro tip: learn how to configure ALL your TLS connections properly, then do 
it.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Re: Embedded Tomcat 9.0.33

2021-03-20 Thread Christopher Schultz

Abirami,

On 3/20/21 11:36, S Abirami wrote:

> We have deployed embedded tomcat in RHEL 7 with jdk 1.8. For sweet32
> vulnerability, we have configured jdk.tls.disabled.algorithm to
> remove the encryption ciphers that have a 64-bit block size.
> 
> I need a clarification whether JDK configuration is enough for
> embedded tomcat to avoid sweet32 attack or, through IntrospectionUtils,
> whether we need to configure the ciphers list.


While disabling the bulk encryption at the JVM level is probably the
/safest/ thing to do, I would change the cipher suite string that Tomcat
uses for TLS handshaking with its TLS-enabled connectors.

Why? Because having configuration elsewhere can be confusing and
surprising, and confusion and surprise are not friends of security.

If you can disable those cipher suites via a , why bother to
disable those algorithms at the JVM level? Well, if you have *outgoing*
TLS connections and you aren't sure how to configure them properly[1],
then this JVM setting will protect you all around.

You shouldn't need IntrospectionUtils for anything.


> Whether there is any API to find the default list of ciphers active
> in Embedded tomcat similar to SSLSocket.getEnabledCipherSuite?


It would be easier to run a TLS scanner against your server, like 
https://www.ssllabs.com/ssltest/


IF you can't reach your server from the internet (or don't want to use 
another tool to probe your server for whatever reason), you can use this 
tool instead:

https://github.com/ChristopherSchultz/ssltest

Hope that helps,
-chris

[1] Pro tip: learn how to configure ALL your TLS connections properly,
then do it.
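The connector-level cipher configuration Chris recommends, together with the programmatic check Abirami asked about, as an added example (not code from this thread or from the Tomcat project). It assumes Tomcat 9's embedded API with the JSSE implementation; the keystore path and password are placeholders, and the JVM-level setting referred to in the thread is the java.security property jdk.tls.disabledAlgorithms.

```java
import java.util.Arrays;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class EmbeddedTlsCheck {
    // OpenSSL-style cipher string (SSLHostConfig accepts this syntax). !3DES and !DES
    // drop every 64-bit-block suite at the connector, independent of the JVM setting.
    static final String CIPHERS = "HIGH:!3DES:!DES:!RC4:!aNULL:!eNULL:!EXPORT";

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir"));
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(8443);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");

        SSLHostConfig sslHostConfig = new SSLHostConfig();
        sslHostConfig.setProtocols("TLSv1.2");
        sslHostConfig.setCiphers(CIPHERS);
        // Keystore path and password are placeholders (assumption), not real values.
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(
                sslHostConfig, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile("/path/to/keystore.p12");
        cert.setCertificateKeystorePassword("changeit");
        sslHostConfig.addCertificate(cert);
        connector.addSslHostConfig(sslHostConfig);
        tomcat.getService().addConnector(connector);
        tomcat.start();

        // After start() Tomcat has intersected the configured list with what the JSSE
        // provider (and jdk.tls.disabledAlgorithms) allows; getEnabledCiphers() is the
        // per-connector counterpart of SSLSocket.getEnabledCipherSuites().
        for (SSLHostConfig c : connector.findSslHostConfigs()) {
            String[] enabled = c.getEnabledCiphers();
            System.out.println("Enabled cipher suites: " + Arrays.toString(enabled));
            System.out.println("64-bit block suites still enabled: " + hasSweet32Suites(enabled));
        }
        tomcat.getServer().await();
    }

    // JSSE suite names carry the bulk cipher, e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA.
    static boolean hasSweet32Suites(String[] suites) {
        return Arrays.stream(suites).anyMatch(s -> s.contains("_3DES_") || s.contains("_DES_"));
    }
}
```

The printed list is what this connector will actually negotiate, so it is the thing to compare against an external scan of the same port.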




Embedded Tomcat 9.0.33

2021-03-20 Thread S Abirami
Hi ALL,

We have deployed embedded tomcat in RHEL 7 with jdk 1.8. For sweet32 
vulnerability, we have configured jdk.tls.disabled.algorithm to remove the 
encryption ciphers that have a 64-bit block size.

I need a clarification whether JDK configuration is enough for embedded tomcat 
to avoid sweet32 attack or, through IntrospectionUtils, whether we need to 
configure the ciphers list.

Whether there is any API to find the default list of ciphers active in Embedded 
tomcat similar to SSLSocket.getEnabledCipherSuite?

Regards,
Abirami.S