Mark Thomas wrote:
Set the ciphers attribute on the connector. See
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html
I knew of this attribute, but I didn't know which
strong ciphers were supported by Tomcat 5.5, but
thanks to serversniff.de, the answer (empirically)
seems to be
EDH-RSA-DES-CBC3-SHA - 168 bit
DES-CBC3-SHA - 168 bit
DHE-RSA-AES128-SHA - 128 bit
AES128-SHA - 128 bit
RC4-SHA - 128 bit
RC4-MD5 - 128 bit
EDH-RSA-DES-CBC-SHA - 56 bit (!)
DES-CBC-SHA - 56 bit (!)
EXP-EDH-RSA-DES-CBC-SHA - 40 bit (!)
EXP-DES-CBC-SHA - 40 bit (!)
EXP-RC4-MD5 - 40 bit (!)
(the exclamation marks are serversniff's :-)
so I am proposing to add a Connector attribute
ciphers=EDH-RSA-DES-CBC3-SHA,DES-CBC3-SHA,DHE-RSA-AES128-SHA,AES128-SHA,RC4-SHA,RC4-MD5
and hope that every legitimate client supports at least one
of these?
Paul Singleton wrote:
According to the OWASP Web Application Penetration Checklist
(available from www.owasp.org), a secure application server
should:
* Ensure that supported SSL versions do not have
cryptographic weaknesses. Typically, this means
supporting SSL 3 and TLS 1.0 only.
Does a Connector attribute of
sslProtocol=TLS
force the use of TLS 1.0 only? Or TLS 1.0 and SSL 3.0?
* Ensure that the web server does not allow anonymous
key exchange methods. Typically ADH Anonymous
Diffie-Hellman.
Is is the case that
EDH-RSA-DES-CBC3-SHA
DHE-RSA-AES128-SHA
use ephemeral Diffie-Hellmann key exchange (as in EDH and
DHE) etc., and that
DES-CBC3-SHA - 168 bit
AES128-SHA - 128 bit
RC4-SHA - 128 bit
RC4-MD5 - 128 bit
use RSA (by default)?
* Ensure that weak algorithms are not available.
Typically, algorithms such as RC2 and DES.
I can't see any RC2 algorithms in the list above, so I
guess we're OK there. Both strong and weak DES algorithms
exist, so this requirement is a bit vague...
* Ensure the web site uses an appropriate length key.
Most web sites should enforce 128 bit encryption.
Would the ciphers attribute above guarantee this?
cheers
Paul Singleton
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.13/78 - Release Date: 19/Aug/2005
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]