RE: [OT] Request: Encryption requirements for TLS and SSL for Tomcat
Emen-Eddine,

> -----Original Message-----
> From: Christopher Schultz
> Sent: Wednesday, June 09, 2021 9:08 AM
> To: users@tomcat.apache.org
> Subject: Re: [OT] Request: Encryption requirements for TLS and SSL for Tomcat
>
> Emen-Eddine,
>
> On 6/8/21 08:10, Emen-Eddine AISSAOUI wrote:
> > Hello,
> >
> > I am contacting you regarding the cipher suite recommendations for TLS
> > and SSL for Tomcat.
> >
> > This is an urgent request for a customer feedback.
>
> Since this is a customer who is presumably paying YOU for YOUR services, this
> is probably an urgent request for YOU. If your customer(s) want to pay US to
> help them, it may become urgent for US.
>
> > Could you please tell us which cipher suites are used and necessary
> > and if there is any particular prerequisites regarding TLS and SSL
> > encryption for the proper functioning of Tomcat?
>
> Tomcat will use a combination of your configuration and system (JVM)
> support to determine which cipher suites will be used. Assuming at least one
> cipher suite is in that set, Tomcat will "work". None are actually necessary.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

If you're looking for actual cipher suite recommendations, I'm not going to make any but I will show you some useful resources.

This is a list of the supported Java 11 cipher suites "sorted by order of preference." Hopefully good security is one of their preferences!
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2

This is another useful site with information on whether a cipher suite is recommended or not.
https://ciphersuite.info/cs/

You can cross reference the lists from those two sites.

John
Re: [OT] Request: Encryption requirements for TLS and SSL for Tomcat
Emen-Eddine,

On 6/8/21 08:10, Emen-Eddine AISSAOUI wrote:
> Hello,
>
> I am contacting you regarding the cipher suite recommendations for TLS
> and SSL for Tomcat.
>
> This is an urgent request for a customer feedback.

Since this is a customer who is presumably paying YOU for YOUR services, this is probably an urgent request for YOU. If your customer(s) want to pay US to help them, it may become urgent for US.

> Could you please tell us which cipher suites are used and necessary
> and if there is any particular prerequisites regarding TLS and SSL
> encryption for the proper functioning of Tomcat?

Tomcat will use a combination of your configuration and system (JVM) support to determine which cipher suites will be used. Assuming at least one cipher suite is in that set, Tomcat will "work". None are actually necessary.

-chris
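The point made in the message above, that the usable set is whatever the configuration and the JVM have in common, can be checked on a given JVM with the following added example. It is not part of the original thread and is not Tomcat's own code; the class name, the `CONFIGURED` list and the placeholder suite name are constructed for illustration, and the intersection is a simplified model of the selection.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class EffectiveCipherSuites {

    // Constructed sample of configured names (assumption, not from the thread).
    // The last entry is a deliberate placeholder that no JVM provides.
    static final List<String> CONFIGURED = List.of(
            "TLS_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "EXAMPLE_UNSUPPORTED_SUITE");

    // Keep the configured names the JVM knows, preserving configured order.
    static List<String> intersect(List<String> configured, Set<String> available) {
        List<String> usable = new ArrayList<>();
        for (String name : configured) {
            if (available.contains(name)) usable.add(name);
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabledByDefault = new LinkedHashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        for (String name : CONFIGURED) {
            String state = !supported.contains(name) ? "not supported by this JVM"
                    : enabledByDefault.contains(name) ? "supported, enabled by default"
                    : "supported, not enabled by default";
            System.out.println(name + ": " + state);
        }

        List<String> usable = intersect(CONFIGURED, supported);
        if (usable.isEmpty()) {
            // The failure case from the thread: nothing in common, so no handshake can succeed.
            System.out.println("No configured suite is usable on this JVM.");
            System.exit(1);
        }
        System.out.println("Usable set, in configured order: " + usable);
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported list differs between Java versions and security providers.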
Re: Request: Encryption requirements for TLS and SSL for Tomcat
On 08.06.21 14:10, Emen-Eddine AISSAOUI wrote:
> Hello,
>
> I am contacting you regarding the cipher suite recommendations for TLS and
> SSL for Tomcat.
>
> Could you please tell us which cipher suites are used and necessary and if
> there is any particular prerequisites regarding TLS and SSL encryption for the
> proper functioning of Tomcat?
>
> This is an urgent request for a customer feedback.

Are you asking for the Java prerequisites? Bitsize for keys requirement? What do you call "proper functioning" of Tomcat? Because it functions quite properly with any (supported) TLS settings.

In general, the recommendations for ciphers are independent of the app server, it's rather a common industry standard (changing over time), but heavily depends on the devices you need to support.

Can't go without this rant with regards to your urgency: If you have customers paying /you/ for that information, how much of that money are you willing to share for a quicker answer, /tailored/ to your (customer's) /exact/ needs?

Olaf
Request: Encryption requirements for TLS and SSL for Tomcat
Hello,

I am contacting you regarding the cipher suite recommendations for TLS and SSL for Tomcat.

Could you please tell us which cipher suites are used and necessary and if there is any particular prerequisites regarding TLS and SSL encryption for the proper functioning of Tomcat?

This is an urgent request for a customer feedback.

Thank you in advance.

Kind Regards,
Emen-Eddine