Konstantin,

On 5/21/15 8:35 AM, Konstantin Kolinko wrote:
> 2015-05-21 2:22 GMT+03:00 Glen Peterson <g...@organicdesign.org>:
>> OS: Linux i386 2.6.18-404.el5
>> Java: Oracle Corporation Java HotSpot(TM) Server VM 1.8.0_45
>> Tomcat: Apache Tomcat/8.0.21
>>
>> On Wed, May 20, 2015 at 7:12 PM, Glen Peterson
>> <g...@organicdesign.org> wrote:
>>> I've been using Tomcat as a stand-alone web server for years.
>>> Last year, I started testing my site here:
>>> https://www.ssllabs.com/ssltest
>>>
>>> I notice that there are only 3 fully secure cipher-suites left
>>> (there were 6 left 2 months ago). Also, I only get an A, not
>>> an A+ due to "TLS_FALLBACK_SCSV not supported."
>>>
>>> According to this:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=57464
>>>
>>> my issue is that I need openssl version 1.0.1j.
>>>
>>> I just downloaded and built my openssl 1.02 from the latest
>>> sources and installed it. As tomcat, (or root) I can now see
>>> the new version:
>>> openssl version
>>> OpenSSL 1.0.2a 19 Mar 2015
>>>
>>> I stopped and started Tomcat, ran the ssllabs test, and got
>>> EXACTLY the same result I had with the old version of openssl.
>>> I think it must use some Java cryptography libraries instead.
>>> So the cipher-suites Tomcat supports are tied to the version of
>>> Java I have installed, not the version of OpenSSL (even though
>>> a lot of the configuration syntax is identical).
>>>
>>> I think that most people run apache-httpd and let it handle
>>> encryption, serving static files, and a whole bunch of other
>>> stuff, then they run Tomcat behind it, or within it, as a kind
>>> of plug-in, or extra. I've always avoided that because there
>>> are whole books about how to configure apache-httpd securely.
>>> It's one more thing to update, maintain, etc. Is it worth it?
>>>
>>> I'm aware of a "tomcat native" that uses its own openssl
>>> version, but I've never tried it, nor do I know anyone who uses
>>> it. Of course, that's a new thing to learn, but presumably,
>>> it's tied to the regular Tomcat, so they don't have to be
>>> upgraded separately.
>>>
>>> Thoughts?
>
>
> 1) If you want to use OpenSSL library you need an "APR/native"
> implementation of HTTP connector
> (org.apache.coyote.http11.Http11AprProtocol)

To be perfectly clear, you will need the following to use the
APR-based connector:

1. The APR library itself (available in most Linux distros' package
   managers; might already be installed on CentOS/RHEL like you have)

2. OpenSSL latest

3. The Tomcat native library (while available in some Linux distros'
   package managers, I'd recommend compiling it yourself), built
   against the most up-to-date OpenSSL you can

-chris
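The following is an added example and not part of any message in this thread. It scripts the two checks that explain Glen's result: whether the running Tomcat actually loaded the APR/native library and which OpenSSL it initialized (read from the AprLifecycleListener lines in the startup log), and which protocol the SSL-enabled Connector in server.xml declares. The log text is modelled on Tomcat's own messages, the sample log and server.xml files are constructed here, and the certificate and keystore paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the situation where a
# newer system OpenSSL changes nothing because the connector in use is not
# the APR/native one (the JSSE connectors take their cipher suites and
# TLS_FALLBACK_SCSV support from the JVM, not from OpenSSL).
# Sample inputs below are constructed; log wording is modelled on Tomcat's
# AprLifecycleListener messages.

# Check 1: did tomcat-native load, and which OpenSSL did it initialize?
check_native_openssl() {
    log="$1"
    if grep -q 'Loaded APR based Apache Tomcat Native library' "$log"; then
        ver=$(sed -n 's/.*OpenSSL successfully initialized (\(.*\))$/\1/p' "$log" | tail -n 1)
        if [ -n "$ver" ]; then
            echo "native: yes; openssl: $ver"
        else
            echo "native: yes; openssl: not initialized"
        fi
    else
        # No native library: Tomcat falls back to a JSSE connector.
        echo "native: no (JSSE connector; cipher suites come from the JVM)"
    fi
}

# Check 2: which protocol does the SSL-enabled <Connector> in server.xml use?
# Lines are joined first so a multi-line <Connector ...> element is handled.
ssl_connector_protocol() {
    tr '\n' ' ' < "$1" \
      | grep -o '<Connector[^>]*>' \
      | grep 'SSLEnabled="true"' \
      | sed -n 's/.*protocol="\([^"]*\)".*/\1/p' \
      | head -n 1
}

# Constructed sample inputs (not real captures), written to a temp directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/native.log" <<'EOF'
INFO: Loaded APR based Apache Tomcat Native library 1.1.33 using APR version 1.4.8.
INFO: OpenSSL successfully initialized (OpenSSL 1.0.2a 19 Mar 2015)
EOF
    cat > "$dir/jsse.log" <<'EOF'
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib
EOF
    cat > "$dir/server-apr.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             SSLCertificateFile="/PLACEHOLDER/cert.pem"
             SSLCertificateKeyFile="/PLACEHOLDER/key.pem" />
</Service>
EOF
    cat > "$dir/server-default.xml" <<'EOF'
<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             keystoreFile="/PLACEHOLDER/keystore.jks" />
</Service>
EOF
    echo "$dir"
}

# Stand-alone run over the constructed samples.
samples=$(make_samples)
for f in native.log jsse.log; do
    echo "$f -> $(check_native_openssl "$samples/$f")"
done
for f in server-apr.xml server-default.xml; do
    echo "$f -> protocol: $(ssl_connector_protocol "$samples/$f")"
done
rm -rf "$samples"
```

Run it against a real catalina.out and server.xml by calling the two functions with those paths. The "not found on the java.library.path" line is the tell-tale for Glen's case: all three items on Chris's list can be installed and the system `openssl version` can report 1.0.2a, yet Tomcat still serves TLS through JSSE unless the native library it finds at startup was built against that OpenSSL. A Connector with protocol="HTTP/1.1" picks the APR implementation automatically when the native library loads and falls back to NIO otherwise; naming org.apache.coyote.http11.Http11AprProtocol explicitly makes a missing native library a startup failure rather than a silent fallback.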