Re: Problem specifying cipher suites in tomcat6

2015-06-01 Thread Konstantin Kolinko
2015-06-01 11:17 GMT+03:00 Ramon Pfeiffer ramon.pfeif...@uni-tuebingen.de:
 On 29.05.2015 at 23:31, Christopher Schultz wrote:

 Lots of things have been fixed/added in more recent versions of Tomcat
 6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
 even need to deploy your own web application on it; just configure it
 for SSL and hit the default web application (the Tomcat
 documentation), or the examples, or whatever.


 Apparently, I need to correct myself a bit. Tomcat6 is installed via the
 RHEL repositories, the latest version offered by RHEL is 6.0.24:
 # yum list tomcat6.x86_64
 tomcat6.x86_64  6.0.24-83.el6_6

 So it seems as if the latest version of tomcat6 is installed already, giving
 me the cipher suite headaches nonetheless.

It is in the FAQ:
https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

[q] Moreover, some of those packages are notably outdated. [/q]

If you need documentation for 6.0.24, see the webapps/docs web
application in your copy of Tomcat 6.0.24. That is, unless your vendor
has bundled it. Official downloads from tomcat.apache.org include the
documentation.

The online documentation is for the current version (6.0.44).

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem specifying cipher suites in tomcat6

2015-06-01 Thread Ramon Pfeiffer

On 29.05.2015 at 23:31, Christopher Schultz wrote:

Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:

On 29.05.2015 21:12, Christopher Schultz wrote:

Ramon,

On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:

On 28.05.2015 at 18:56, Caldarale, Charles R wrote:

From: Ramon Pfeiffer
[mailto:ramon.pfeif...@uni-tuebingen.de] Subject: Problem
specifying cipher suites in tomcat6



I'm currently trying to specify a list of cipher suites to
be used by my connector in Tomcat 6.0.24.



Anybody can shed some light on what I did wrong?


Using a version of Tomcat that's more than five years old is
the first thing - there have been many, many security fixes
since then, including some related to the ciphers attribute.
You also need to tell us the JVM version, the platform you're
running on, and whether or not APR is in use for this
Connector (it's in the logs).



Sadly, it's a system I inherited last year and now have the
pleasure to work with. I can't update Tomcat for I don't know
what will break.


If you can't upgrade it, you are better-off shutting-down the
service, because there are security vulnerabilities in there.

So, ask your boss which is worse: shuttering the project, or
getting a new version of Tomcat into a testing environment?


Shutting it down is not an option. So I guess next week will be...
interesting.

The important thing is this: Will the connector work in this
configuration after I updated Tomcat? Or is the issue completely
unrelated? Where are the ciphers shown by ssllabs taken from? Is
the cipher attribute ignored?


Lots of things have been fixed/added in more recent versions of Tomcat
6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
even need to deploy your own web application on it; just configure it
for SSL and hit the default web application (the Tomcat
documentation), or the examples, or whatever.



Apparently, I need to correct myself a bit. Tomcat6 is installed via the 
RHEL repositories, the latest version offered by RHEL is 6.0.24:

# yum list tomcat6.x86_64
tomcat6.x86_64  6.0.24-83.el6_6

So it seems as if the latest version of tomcat6 is installed already, 
giving me the cipher suite headaches nonetheless.


Any further ideas?

Thanks,
Ramon





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Ramon Pfeiffer

On 28.05.2015 at 18:56, Caldarale, Charles R wrote:

From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
Subject: Problem specifying cipher suites in tomcat6



I'm currently trying to specify a list of cipher suites to be used by my
connector in Tomcat 6.0.24.



Anybody can shed some light on what I did wrong?


Using a version of Tomcat that's more than five years old is the first thing - there 
have been many, many security fixes since then, including some related to the ciphers 
attribute.  You also need to tell us the JVM version, the platform you're running on, 
and whether or not APR is in use for this Connector (it's in the logs).


Sadly, it's a system I inherited last year and now have the pleasure to 
work with. I can't update Tomcat for I don't know what will break.


Anyway, I'm working on a RHEL6 system. A java -version yields
# java -version
java version 1.7.0_79
OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

APR is not installed.

Thanks,
Ramon





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread David kerber

On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:

On 28.05.2015 at 18:56, Caldarale, Charles R wrote:

From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
Subject: Problem specifying cipher suites in tomcat6



I'm currently trying to specify a list of cipher suites to be used by my
connector in Tomcat 6.0.24.



Anybody can shed some light on what I did wrong?


Using a version of Tomcat that's more than five years old is the first
thing - there have been many, many security fixes since then,
including some related to the ciphers attribute.  You also need to
tell us the JVM version, the platform you're running on, and whether
or not APR is in use for this Connector (it's in the logs).


Sadly, it's a system I inherited last year and now have the pleasure to
work with. I can't update Tomcat for I don't know what will break.


There's a fair chance that you can update to the latest version of TC 6 
without anything breaking, but of course that's not guaranteed.





Anyway, I'm working on a RHEL6 system. A java -version yields
# java -version
java version 1.7.0_79
OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)


The fact that you're on a recent Java version will help a lot.




APR is not installed.

Thanks,
Ramon







Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Sexton



On 5/29/2015 5:16 AM, David kerber wrote:

On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:


Sadly, it's a system I inherited last year and now have the pleasure to
work with. I can't update Tomcat for I don't know what will break.


There's a fair chance that you can update to the latest version of TC 
6 without anything breaking, but of course that's not guaranteed.


I can think of very few instances where a change in Tomcat broke my app. 
The only one I can really remember was a change that I initiated :)



--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Jeffrey Janner
 -Original Message-
 From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
 Sent: Friday, May 29, 2015 2:33 AM
 To: users@tomcat.apache.org
 Subject: Re: Problem specifying cipher suites in tomcat6
 
 On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
  From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
  Subject: Problem specifying cipher suites in tomcat6
 
  I'm currently trying to specify a list of cipher suites to be used by
 my
  connector in Tomcat 6.0.24.
 
  Anybody can shed some light on what I did wrong?
 
  Using a version of Tomcat that's more than five years old is the first
 thing - there have been many, many security fixes since then, including
 some related to the ciphers attribute.  You also need to tell us the JVM
 version, the platform you're running on, and whether or not APR is in
 use for this Connector (it's in the logs).
 
 Sadly, it's a system I inherited last year and now have the pleasure to
 work with. I can't update Tomcat for I don't know what will break.
 
 Anyway, I'm working on a RHEL6 system. A java -version yields
 # java -version
 java version 1.7.0_79
 OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
 OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
 
 APR is not installed.
 
 Thanks,
 Ramon
You should be able to upgrade to the latest version of Tomcat 7 with little to 
no problem. 
Get the latest release from the tomcat website, not the Red Hat RPM and you can 
install it in parallel with your existing Tomcat, so you can switch back 
quickly if you do experience a problem related to the upgrade.
You will need to migrate your server.xml file and possibly your context.xml 
files as well, though unlikely in the latter case.
I know that a lot depends on how tightly integrated your app is with tomcat, 
but I made the migration with almost no difficulty years ago.
Jeff 




Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Sean Dawson
I had significant problems trying to uncover a change in tomcat7 that broke
our app when upgrading from 42 to 57, for a couple weeks over Christmas
holidays.

Turns out it was something we shouldn't have been doing - but it was
definitely a change in tomcat (51 or so) that resulted in the issue(s).

Just something to keep in mind.


On Fri, May 29, 2015 at 11:43 AM, George Sexton geor...@mhsoftware.com
wrote:



 On 5/29/2015 5:16 AM, David kerber wrote:

 On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:


 Sadly, it's a system I inherited last year and now have the pleasure to
 work with. I can't update Tomcat for I don't know what will break.


 There's a fair chance that you can update to the latest version of TC 6
 without anything breaking, but of course that's not guaranteed.


 I can think of very few instances where a change in Tomcat broke my app.
 The only one I can really remember was a change that I initiated :)


 --
 George Sexton
 *MH Software, Inc.*
 Voice: 303 438 9585
 http://www.mhsoftware.com



Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread André Warnier

Sean Dawson wrote:

I had significant problems trying to uncover a change in tomcat7 that broke
our app when upgrading from 42 to 57, for a couple weeks over Christmas
holidays.

Turns out it was something we shouldn't have been doing - 


you mean, apart from top-posting here ?

but it was

definitely a change in tomcat (51 or so) that resulted in the issue(s).

Just something to keep in mind.



Well yes, but in all truth, if you were doing something which you should not have been 
doing - and bonus points for admitting it - then you cannot really blame the tomcat 
developers for making a change which broke it, even over Christmas, can you ?


On the contrary, you should be grateful : the fact that the change pointed out the bad 
thing in your code, may have prevented the later advent of a nuclear war.  That would have 
been even less fun over Christmas.


As a concession, maybe George's post below could have been prefixed with If your code is 
well-behaved, ..





On Fri, May 29, 2015 at 11:43 AM, George Sexton geor...@mhsoftware.com
wrote:



On 5/29/2015 5:16 AM, David kerber wrote:


On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:


Sadly, it's a system I inherited last year and now have the pleasure to
work with. I can't update Tomcat for I don't know what will break.


There's a fair chance that you can update to the latest version of TC 6
without anything breaking, but of course that's not guaranteed.


I can think of very few instances where a change in Tomcat broke my app.
The only one I can really remember was a change that I initiated :)


--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com









RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Stanchev
Chris, thanks for sharing this. I've recently run across a similar tool:

http://www.bolet.org/TestSSLServer/

That does the same thing as your code but may be a little bit more elaborate. 
It also has a source code on link. Since you have shared your code, I might as 
well share this - the more the better.

George

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, May 29, 2015 3:32 PM
To: Tomcat Users List
Subject: Re: Problem specifying cipher suites in tomcat6

Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
 On 29.05.2015 21:12, Christopher Schultz wrote:
 Ramon,
 
 On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
 On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
 From: Ramon Pfeiffer
 [mailto:ramon.pfeif...@uni-tuebingen.de] Subject: Problem 
 specifying cipher suites in tomcat6
 
 I'm currently trying to specify a list of cipher suites to be used 
 by my connector in Tomcat 6.0.24.
 
 Anybody can shed some light on what I did wrong?
 
 Using a version of Tomcat that's more than five years old is the 
 first thing - there have been many, many security fixes since then, 
 including some related to the ciphers attribute.
 You also need to tell us the JVM version, the platform you're 
 running on, and whether or not APR is in use for this Connector 
 (it's in the logs).
 
 Sadly, it's a system I inherited last year and now have the pleasure 
 to work with. I can't update Tomcat for I don't know what will 
 break.
 
 If you can't upgrade it, you are better-off shutting-down the 
 service, because there are security vulnerabilities in there.
 
 So, ask your boss which is worse: shuttering the project, or getting 
 a new version of Tomcat into a testing environment?
 
 Shutting it down is not an option. So I guess next week will be... 
 interesting.
 
 The important thing is this: Will the connector work in this 
 configuration after I updated Tomcat? Or is the issue completely 
 unrelated? Where are the ciphers shown by ssllabs taken from? Is the 
 cipher attribute ignored?

Lots of things have been fixed/added in more recent versions of Tomcat 6.0.x. 
Please give a quick test against Tomcat 6.0.latest: you don't even need to 
deploy your own web application on it; just configure it for SSL and hit the 
default web application (the Tomcat documentation), or the examples, or 
whatever.

SSLLabs picks the ciphers it wants to check for; usually a group of good 
ciphers to make sure that you can support the latest-and-greatest ciphers, plus 
a bunch of them that are known to be broken (like most SSL-only ones).

This tool may help you test, because it's a whole lot faster than SSLLabs' 
tests:
http://markmail.org/message/tz4z44nfjl7sy2lj

-chris



RE: Problem specifying cipher suites in tomcat6

2015-05-29 Thread George Stanchev
I don't see where he blamed the developers for anything. The poster even 
admitted it was their fault. I think it is reasonable to warn the OP that any 
change can result in an issue. Even if you're doing everything correctly, there is 
a chance of running into a new Tomcat issue or a regression or what not.

We as developers know that corner cases that have 1% of happening occur 50% of 
the time ;-)

Any application server upgrade should be tested before deployed...

My 2c

George

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Friday, May 29, 2015 12:12 PM
To: Tomcat Users List
Subject: Re: Problem specifying cipher suites in tomcat6

Sean Dawson wrote:
 I had significant problems trying to uncover a change in tomcat7 that 
 broke our app when upgrading from 42 to 57, for a couple weeks over 
 Christmas holidays.
 
 Turns out it was something we shouldn't have been doing -

you mean, apart from top-posting here ?

but it was
 definitely a change in tomcat (51 or so) that resulted in the issue(s).
 
 Just something to keep in mind.
 

Well yes, but in all truth, if you were doing something which you should not 
have been doing - and bonus points for admitting it - then you cannot really 
blame the tomcat developers for making a change which broke it, even over 
Christmas, can you ?

On the contrary, you should be grateful : the fact that the change pointed out 
the bad thing in your code, may have prevented the later advent of a nuclear 
war.  That would have been even less fun over Christmas.

As a concession, maybe George's post below could have been prefixed with If 
your code is well-behaved, ..


 
 On Fri, May 29, 2015 at 11:43 AM, George Sexton geor...@mhsoftware.com
 wrote:
 

 On 5/29/2015 5:16 AM, David kerber wrote:

 On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:

 Sadly, it's a system I inherited last year and now have the pleasure to
 work with. I can't update Tomcat for I don't know what will break.

 There's a fair chance that you can update to the latest version of TC 6
 without anything breaking, but of course that's not guaranteed.

 I can think of very few instances where a change in Tomcat broke my app.
 The only one I can really remember was a change that I initiated :)


 --
 George Sexton
 *MH Software, Inc.*
 Voice: 303 438 9585
 http://www.mhsoftware.com

 





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Christopher Schultz
Ramon,

On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
 On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
 From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de] 
 Subject: Problem specifying cipher suites in tomcat6
 
 I'm currently trying to specify a list of cipher suites to be
 used by my connector in Tomcat 6.0.24.
 
 Anybody can shed some light on what I did wrong?
 
 Using a version of Tomcat that's more than five years old is the
 first thing - there have been many, many security fixes since
 then, including some related to the ciphers attribute.  You also
 need to tell us the JVM version, the platform you're running on,
 and whether or not APR is in use for this Connector (it's in
 the logs).
 
 Sadly, it's a system I inherited last year and now have the
 pleasure to work with. I can't update Tomcat for I don't know what
 will break.

If you can't upgrade it, you are better-off shutting-down the service,
because there are security vulnerabilities in there.

So, ask your boss which is worse: shuttering the project, or getting a
new version of Tomcat into a testing environment?

 Anyway, I'm working on a RHEL6 system. A java -version yields
 # java -version
 java version 1.7.0_79
 OpenJDK Runtime Environment (rhel-2.5.5.3.el6_6-x86_64 u79-b14)
 OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

So, no problem keeping the JVM up-to-date. You must have a testing
process for that, right? Just use the same testing process after
upgrading Tomcat. Once you're up-to-date on Tomcat 6.0.x, go ahead and
try again with Tomcat 8.0.x.

-chris



Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Sean Dawson
On Fri, May 29, 2015 at 3:30 PM, George Stanchev gstanc...@serena.com
wrote:

 I don't see where he blamed the developers for anything. The poster even
 admitted it was their fault. I think it is reasonable to warn the OP that
 any change can result in an issue. Even if you're doing everything correctly,
 there is a chance of running into a new Tomcat issue or a regression or what
 not.

 We as developers know that corner cases that have 1% of happening occur
 50% of the time ;-)

 Any application server upgrade should be tested before deployed...

 My 2c

 George


Thanks George.  There was also the change to unpack WAR files by default to
the webapps folder (or something along those lines) and the bug related to
certain cases of not being able to turn that back off... A known issue
with FastDataInputStream  (57173). See the changelog.

Not intending to be antagonistic - just trying to give fair warning to OP.

-Original Message-
 From: André Warnier [mailto:a...@ice-sa.com]
 Sent: Friday, May 29, 2015 12:12 PM
 To: Tomcat Users List
 Subject: Re: Problem specifying cipher suites in tomcat6

 Sean Dawson wrote:
  I had significant problems trying to uncover a change in tomcat7 that
  broke our app when upgrading from 42 to 57, for a couple weeks over
  Christmas holidays.
 
  Turns out it was something we shouldn't have been doing -

 you mean, apart from top-posting here ?

 but it was
  definitely a change in tomcat (51 or so) that resulted in the issue(s).
 
  Just something to keep in mind.
 

 Well yes, but in all truth, if you were doing something which you should
 not have been doing - and bonus points for admitting it - then you cannot
 really blame the tomcat developers for making a change which broke it, even
 over Christmas, can you ?

 On the contrary, you should be grateful : the fact that the change pointed
 out the bad thing in your code, may have prevented the later advent of a
 nuclear war.  That would have been even less fun over Christmas.

 As a concession, maybe George's post below could have been prefixed with
 If your code is well-behaved, ..


 
  On Fri, May 29, 2015 at 11:43 AM, George Sexton geor...@mhsoftware.com
  wrote:
 
 
  On 5/29/2015 5:16 AM, David kerber wrote:
 
  On 5/29/2015 3:32 AM, Ramon Pfeiffer wrote:
 
  Sadly, it's a system I inherited last year and now have the pleasure
 to
  work with. I can't update Tomcat for I don't know what will break.
 
  There's a fair chance that you can update to the latest version of TC 6
  without anything breaking, but of course that's not guaranteed.
 
  I can think of very few instances where a change in Tomcat broke my app.
  The only one I can really remember was a change that I initiated :)
 
 
  --
  George Sexton
  *MH Software, Inc.*
  Voice: 303 438 9585
  http://www.mhsoftware.com
 
 






Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Ramon Pfeiffer
On 29.05.2015 21:12, Christopher Schultz wrote:
 Ramon,
 
 On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
 On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
 From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de] 
 Subject: Problem specifying cipher suites in tomcat6

 I'm currently trying to specify a list of cipher suites to be
 used by my connector in Tomcat 6.0.24.

 Anybody can shed some light on what I did wrong?

 Using a version of Tomcat that's more than five years old is the
 first thing - there have been many, many security fixes since
 then, including some related to the ciphers attribute.  You also
 need to tell us the JVM version, the platform you're running on,
 and whether or not APR is in use for this Connector (it's in
 the logs).
 
 Sadly, it's a system I inherited last year and now have the
 pleasure to work with. I can't update Tomcat for I don't know what
 will break.
 
 If you can't upgrade it, you are better-off shutting-down the service,
 because there are security vulnerabilities in there.
 
 So, ask your boss which is worse: shuttering the project, or getting a
 new version of Tomcat into a testing environment?

Shutting it down is not an option. So I guess next week will be...
interesting.

The important thing is this: Will the connector work in this
configuration after I updated Tomcat? Or is the issue completely
unrelated? Where are the ciphers shown by ssllabs taken from? Is the
cipher attribute ignored?

Thanks so far for all your responses (and corresponding warnings)!

Ramon





Re: Problem specifying cipher suites in tomcat6

2015-05-29 Thread Christopher Schultz
Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
 On 29.05.2015 21:12, Christopher Schultz wrote:
 Ramon,
 
 On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
 On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
 From: Ramon Pfeiffer
 [mailto:ramon.pfeif...@uni-tuebingen.de] Subject: Problem
 specifying cipher suites in tomcat6
 
 I'm currently trying to specify a list of cipher suites to
 be used by my connector in Tomcat 6.0.24.
 
 Anybody can shed some light on what I did wrong?
 
 Using a version of Tomcat that's more than five years old is
 the first thing - there have been many, many security fixes
 since then, including some related to the ciphers attribute.
 You also need to tell us the JVM version, the platform you're
 running on, and whether or not APR is in use for this
 Connector (it's in the logs).
 
 Sadly, it's a system I inherited last year and now have the 
 pleasure to work with. I can't update Tomcat for I don't know
 what will break.
 
 If you can't upgrade it, you are better-off shutting-down the
 service, because there are security vulnerabilities in there.
 
 So, ask your boss which is worse: shuttering the project, or
 getting a new version of Tomcat into a testing environment?
 
 Shutting it down is not an option. So I guess next week will be... 
 interesting.
 
 The important thing is this: Will the connector work in this 
 configuration after I updated Tomcat? Or is the issue completely 
 unrelated? Where are the ciphers shown by ssllabs taken from? Is
 the cipher attribute ignored?

Lots of things have been fixed/added in more recent versions of Tomcat
6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
even need to deploy your own web application on it; just configure it
for SSL and hit the default web application (the Tomcat
documentation), or the examples, or whatever.

SSLLabs picks the ciphers it wants to check for; usually a group of
good ciphers to make sure that you can support the
latest-and-greatest ciphers, plus a bunch of them that are known to be
broken (like most SSL-only ones).

This tool may help you test, because it's a whole lot faster than
SSLLabs' tests:
http://markmail.org/message/tz4z44nfjl7sy2lj

-chris
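
[Added example, not part of the original thread and not the tool linked in the message above.] Before probing the server remotely, a connector's ciphers value can be checked locally against the JVM that runs Tomcat. This sketch assumes the connector uses JSSE (the thread states APR is not installed) and therefore expects JSSE suite names; the class name, the sample value and the weak-marker list are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Hypothetical helper: reports how the running JVM sees each name in a
// comma-separated cipher list. Written without lambdas so it compiles on Java 7.
public class ConnectorCipherCheck {

    // Constructed sample value; the thread does not show the real attribute.
    static final String SAMPLE_CIPHERS =
        "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
        + " SSL_RSA_WITH_RC4_128_SHA, ECDHE-RSA-AES128-SHA";

    // Name fragments of suites generally treated as weak (illustrative list).
    static final String[] WEAK_MARKERS = {
        "_RC4_", "_EXPORT", "_NULL_", "_anon_", "_DES_", "_DES40_", "_MD5"
    };

    static String classify(String name, Set<String> supported, Set<String> defaults) {
        if (!supported.contains(name)) {
            // JSSE names use underscores; a hyphen suggests an OpenSSL-style name.
            return name.indexOf('-') >= 0
                ? "UNKNOWN to this JVM (looks like an OpenSSL-style name, not a JSSE name)"
                : "UNKNOWN to this JVM (typo, or not available in this Java version)";
        }
        for (String marker : WEAK_MARKERS) {
            if (name.contains(marker)) {
                return "supported, but WEAK (matches " + marker + ")";
            }
        }
        return defaults.contains(name)
            ? "supported, enabled by default"
            : "supported, not enabled by default";
    }

    static Map<String, String> check(String ciphersAttr) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> defaults = new HashSet<String>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        Map<String, String> report = new LinkedHashMap<String, String>();
        for (String raw : ciphersAttr.split(",")) {
            String name = raw.trim();   // tolerate spaces after commas
            if (name.length() > 0) {
                report.put(name, classify(name, supported, defaults));
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Pass the real attribute value as the first argument; otherwise use the sample.
        String attr = args.length > 0 ? args[0] : SAMPLE_CIPHERS;
        for (Map.Entry<String, String> e : check(attr).entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
        }
    }
}
```

Run it with the same java binary that starts Tomcat, since the supported suite list depends on the JVM version and its security configuration.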



RE: Problem specifying cipher suites in tomcat6

2015-05-28 Thread Caldarale, Charles R
 From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de] 
 Subject: Problem specifying cipher suites in tomcat6

 I'm currently trying to specify a list of cipher suites to be used by my 
 connector in Tomcat 6.0.24.

 Anybody can shed some light on what I did wrong?

Using a version of Tomcat that's more than five years old is the first thing - 
there have been many, many security fixes since then, including some related to 
the ciphers attribute.  You also need to tell us the JVM version, the platform 
you're running on, and whether or not APR is in use for this Connector (it's 
in the logs).

 - Chuck

