On 8/29/2015 12:58 PM, George Sexton wrote:
On 8/25/2015 12:01 AM, Nikitha Benny wrote:
Hi All,
I am using Tomcat version 7.00.062 supported on JRE 8u45.
How do i disable the LogJam Vulnerability?
Here's a pretty nice article:
https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/
Here's the configuration I created using that article as a base:
Connector port=443 protocol=org.apache.coyote.http11.Http11NioProtocol
SSLEnabled=true
maxThreads=50
scheme=https
secure=true
connectionTimeout=4000
disableUploadTimeout=false
connectionUploadTimeout=90
maxPostSize=10485760
keystoreFile=${catalina.base}/conf/.keystore
keyAlias=tomcat
clientAuth=false
useServerCipherSuitesOrder=true
ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA /
It's giving me an A on SSLLabs
There's an updated connector configuration near the end.
I have added a line in the java.security file of the JRE.
jdk.tls.disabledAlgorithms=DH
Is this good enough? Or do we need to add DiffieHelmann also?
jdk.tls.disabledAlgorithms=DH, DiffieHellman
A good thing is testing using a service. Here's a link:
https://www.ssllabs.com/ssltest/
Which one solves the issue of LogJam?
Kindly help.
Regards,
Nikitha
--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com