James,

On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the
> operating system's SSL support (which was how I thought it worked),
> and directed to look through the system values to see what it
> supports. What I found was:
>
> QSSLPCL *SEC Secure sockets layer protocols
>> *OPSYS
> (which I'm pretty sure means that all OS-supported protocols are
> available; they can also be individually specified as any or all
> of *TLSV1, *SSLV3, and *SSLV2)
>
> QSSLCSL *SEC Secure sockets layer cipher specification
> list
>> *RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5
>> *RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA
>> *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA
>> *RSA_NULL_MD5
>
> and unfortunately, IBM doesn't backport new cipher suites to older
> OS releases.

Unfortunately, these cipher suites should no longer be used for
several reasons:

>> *RSA_RC4_128_SHA *RSA_RC4_128_MD5

Use RC4 bulk cipher algorithm, which is known[1] to be weak.

>> *RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5

Export-grade encryption. No better than rot13[2].

>> *RSA_NULL_SHA *RSA_NULL_MD5

rot26! Twice as good!

>> *RSA_DES_CBC_SHA

Hideously outdated. I'm sorry, I don't have a reference for this one,
but...

>> *RSA_3DES_EDE_CBC_SHA

3DES (triple DES... literally DES(DES(DES(message)))) is considered
weak[3], so... single-DES is weak(weak(weak(encryption))).

>> *RSA_AES_128_CBC_SHA *RSA_AES_256_CBC_SHA

Sadly, these remaining cipher suites use CBC mode which is also
weak[4] when used with TLSv1 and earlier. Using TLSv1.2 mitigates
these issues. Use of GCM would be better if you can use them.

If this is all the client supports, then that's what you'll have to
live with. But *definitely* disable all the other algorithms if you
care even a little bit about your traffic.

Are you able to use any other kind of client?

Hope that helps,
-chris

[1] https://blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what
[2] https://nakedsecurity.sophos.com/2015/03/04/the-freak-bug-in-tlsssl-what-you-need-to-know/
[3] https://community.qualys.com/thread/16555-triple-des-is-bad-now-sweet-32-cve-2016-2183-cve-2016-6329
[4] https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls (CBC=weak)
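
The triage in the reply above, written out as an added example (not part of the original message, and not IBM or Tomcat code): a Python sketch that parses the cipher specification names from the quoted QSSLCSL value and applies the same objections. The function names are hypothetical, and treating *OPSYS as enabling TLSv1 and earlier is an assumption taken from the quoted description.

```python
# Added example: all names below are hypothetical, not an IBM or Tomcat API.
# QSSLCSL value exactly as quoted in the thread.
QSSLCSL = """*RSA_AES_128_CBC_SHA *RSA_RC4_128_SHA *RSA_RC4_128_MD5
*RSA_AES_256_CBC_SHA *RSA_3DES_EDE_CBC_SHA *RSA_DES_CBC_SHA
*RSA_EXPORT_RC4_40_MD5 *RSA_EXPORT_RC2_CBC_40_MD5 *RSA_NULL_SHA
*RSA_NULL_MD5"""

# Protocol values named in the quoted message; assumption: *OPSYS enables them.
LEGACY = {"*OPSYS", "*TLSV1", "*SSLV3", "*SSLV2"}
CBC_CAVEAT = "CBC mode with TLSv1 or earlier"
BROKEN = {"NULL": "no encryption", "RC4": "RC4 bulk cipher",
          "DES": "single DES", "3DES": "triple DES"}


def parse_spec(spec):
    """Split e.g. '*RSA_EXPORT_RC2_CBC_40_MD5' into its components."""
    tokens = spec.lstrip("*").split("_")
    body = tokens[1:-1]              # everything between key exchange and MAC
    export = body[:1] == ["EXPORT"]
    if export:
        body = body[1:]
    if not body:
        raise ValueError(f"unrecognised cipher spec: {spec!r}")
    return {"kx": tokens[0], "export": export, "cipher": body[0],
            "cbc": "CBC" in body, "mac": tokens[-1]}


def reasons(spec, protocols):
    """Objections from the reply that apply to one spec under these protocols."""
    p = parse_spec(spec)
    found = []
    if p["export"]:
        found.append("export-grade key length")
    if p["cipher"] in BROKEN:
        found.append(BROKEN[p["cipher"]])
    if p["cbc"] and LEGACY & set(protocols):
        found.append(CBC_CAVEAT)
    return found


def keep_list(cipher_list, protocols):
    """Specs whose only objection, if any, is the CBC caveat."""
    return [s for s in cipher_list.split()
            if set(reasons(s, protocols)) <= {CBC_CAVEAT}]


if __name__ == "__main__":
    for spec in QSSLCSL.split():
        print(f"{spec:28} {'; '.join(reasons(spec, ['*OPSYS'])) or 'ok'}")
    print("keep:", " ".join(keep_list(QSSLCSL, ["*OPSYS"])))
```

Run against the quoted list, the only specs left to keep are the two AES-CBC suites, and they still carry the CBC caveat while TLSv1 or earlier is enabled.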