2015-05-21 2:22 GMT+03:00 Glen Peterson <g...@organicdesign.org>:
> OS: Linux i386 2.6.18-404.el5
> Java: Oracle Corporation Java HotSpot(TM) Server VM 1.8.0_45
> Tomcat: Apache Tomcat/8.0.21
>
> On Wed, May 20, 2015 at 7:12 PM, Glen Peterson <g...@organicdesign.org> wrote:
>> I've been using Tomcat as a stand-alone web server for years. Last
>> year, I started testing my site here:
>> https://www.ssllabs.com/ssltest
>>
>> I notice that there are only 3 fully secure cipher-suites left (there
>> were 6 left 2 months ago). Also, I only get an A, not an A+ due to
>> "TLS_FALLBACK_SCSV not supported."
>>
>> According to this:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57464
>>
>> my issue is that I need openssl version 1.0.1j.
>>
>> I just downloaded and built my openssl 1.02 from the latest sources
>> and installed it. As tomcat, (or root) I can now see the new version:
>> openssl version
>> OpenSSL 1.0.2a 19 Mar 2015
>>
>> I stopped and started Tomcat, ran the ssllabs test, and got EXACTLY
>> the same result I had with the old version of openssl. I think it
>> must use some Java cryptography libraries instead. So the
>> cipher-suites Tomcat supports are tied to the version of Java I have
>> installed, not the version of OpenSSL (even though a lot of the
>> configuration syntax is identical).
>>
>> I think that most people run apache-httpd and let it handle
>> encryption, serving static files, and a whole bunch of other stuff,
>> then they run Tomcat behind it, or within it, as a kind of plug-in, or
>> extra. I've always avoided that because there are whole books about
>> how to configure apache-httpd securely. It's one more thing to
>> update, maintain, etc. Is it worth it?
>>
>> I'm aware of a "tomcat native" that uses its own openssl version, but
>> I've never tried it, nor do I know anyone who uses it. Of course,
>> that's a new thing to learn, but presumably, it's tied to the regular
>> Tomcat, so they don't have to be upgraded separately.
>>
>> Thoughts?
1) If you want to use the OpenSSL library you need an "APR/native" implementation of the HTTP connector (org.apache.coyote.http11.Http11AprProtocol).

See the "protocol" attribute in
http://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Also
http://tomcat.apache.org/tomcat-8.0-doc/apr.html
http://tomcat.apache.org/native-doc/

All pure-Java connectors (BIO, NIO, NIO2) do not use the OpenSSL library.

2) The recommended configuration of ciphers is documented at FAQ -> Security (in the wiki).
https://wiki.apache.org/tomcat/Security/Ciphers

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
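To make the connector switch Konstantin describes concrete, here is a server.xml fragment for Tomcat 8.0 showing the pure-Java (NIO/JSSE) connector the original poster is effectively running next to the APR/native connector that actually hands TLS to OpenSSL. This is an added example, not code from the thread, the Tomcat documentation or the wiki page; the port, file paths, keystore password and cipher list are placeholders chosen for illustration, and the cipher list in particular should be replaced with the one recommended on the wiki's Security/Ciphers page.

```xml
<!-- Added example (not from the thread). Paths, port and cipher list are
     placeholders; adjust them for your host. -->

<!-- BEFORE: a pure-Java (NIO) connector. TLS is implemented by JSSE, so the
     protocol versions and cipher suites available are those of the JVM
     (here Java 1.8.0_45). The OpenSSL binary on the box is never consulted,
     which is why upgrading it changed nothing in the SSL Labs report. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit"
           sslProtocol="TLS" />

<!-- AFTER: the APR/native connector. TLS is done by OpenSSL through the
     Tomcat Native library (libtcnative-1), so the supported protocols and
     ciphers are those of the OpenSSL that libtcnative-1 was linked against.
     The AprLifecycleListener (normally already present near the top of
     server.xml) must have SSLEngine="on". -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/etc/ssl/tomcat/server.crt"
           SSLCertificateKeyFile="/etc/ssl/tomcat/server.key"
           SSLCertificateChainFile="/etc/ssl/tomcat/chain.crt"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLHonorCipherOrder="true"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!MD5:!RC4" />
```

Two caveats a practitioner will want. First, installing a newer `openssl` binary is not enough on its own: libtcnative-1 is a native library that links against libssl/libcrypto, so it has to be built (or rebuilt) against the OpenSSL you intend to use, and that OpenSSL must be at least 1.0.1j for TLS_FALLBACK_SCSV, as the bugzilla entry quoted above says. On startup the AprLifecycleListener logs which Tomcat Native and OpenSSL versions it loaded; if it instead reports that the native library was not found on java.library.path, Tomcat silently falls back to the pure-Java connector and the JSSE attributes. Second, the JSSE attributes (keystoreFile, keystorePass, sslProtocol, ciphers) and the APR attributes (SSLCertificateFile, SSLCipherSuite, SSLProtocol) are separate families in Tomcat 8.0; mixing them on one Connector is a common reason the resulting configuration does not behave as expected, so check the SSL Labs report (or `openssl s_client` from the 1.0.2a build on the box) after the change rather than assuming the new ciphers are in effect.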