On 29.05.2015 21:12, Christopher Schultz wrote: > Ramon, > > On 5/29/15 3:32 AM, Ramon Pfeiffer wrote: >> Am 28.05.2015 um 18:56 schrieb Caldarale, Charles R: >>>> From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de] >>>> Subject: Problem specifying cipher suites in tomcat6 >>> >>>> I'm currently trying to specify a list of cipher suites to be >>>> used by my connector in Tomcat 6.0.24. >>> >>>> Anybody can shed some light on what I did wrong? >>> >>> Using a version of Tomcat that's more than five years old is the >>> first thing - there have been many, many security fixes since >>> then, including some related to the ciphers attribute. You also >>> need to tell us the JVM version, the platform you're running on, >>> and whether or not APR is in use for this <Connector> (it's in >>> the logs). > >> Sadly, it's a system I inherited last year and now have the >> pleasure to work with. I can't update Tomcat for I don't know what >> will break. > > If you can't upgrade it, you are better-off shutting-down the service, > because there are security vulnerabilities in there. > > So, ask your boss which is worse: shuttering the project, or getting a > new version of Tomcat into a testing environment?
Shutting it down is not an option. So I guess next week will be... interesting. The important thing is this: Will the connector work in this configuration after I updated Tomcat? Or is the issue completely unrelated? Where are the ciphers shown by ssllabs taken from? Is the cipher attribute ignored? Thanks so far for all your responses (and corresponding warnings)! Ramon
smime.p7s
Description: S/MIME Cryptographic Signature
