Ramon,

On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
> On 29.05.2015 21:12, Christopher Schultz wrote:
>> Ramon,
>> 
>> On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
>>> On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
>>>>> From: Ramon Pfeiffer [mailto:ramon.pfeif...@uni-tuebingen.de]
>>>>> Subject: Problem specifying cipher suites in tomcat6
>>>> 
>>>>> I'm currently trying to specify a list of cipher suites to
>>>>> be used by my connector in Tomcat 6.0.24.
>>>> 
>>>>> Can anybody shed some light on what I did wrong?
>>>> 
>>>> Using a version of Tomcat that's more than five years old is
>>>> the first thing - there have been many, many security fixes
>>>> since then, including some related to the ciphers attribute.
>>>> You also need to tell us the JVM version, the platform you're
>>>> running on, and whether or not APR is in use for this
>>>> <Connector> (it's in the logs).
>> 
>>> Sadly, it's a system I inherited last year and now have the 
>>> pleasure to work with. I can't update Tomcat for I don't know
>>> what will break.
>> 
>> If you can't upgrade it, you are better off shutting down the
>> service, because there are security vulnerabilities in there.
>> 
>> So, ask your boss which is worse: shuttering the project, or
>> getting a new version of Tomcat into a testing environment?
> 
> Shutting it down is not an option. So I guess next week will be... 
> interesting.
> 
> The important thing is this: Will the connector work in this 
> configuration after I updated Tomcat? Or is the issue completely 
> unrelated? Where are the ciphers shown by ssllabs taken from? Is
> the cipher attribute ignored?

Lots of things have been fixed/added in more recent versions of Tomcat
6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
even need to deploy your own web application on it; just configure it
for SSL and hit the default web application (the Tomcat
documentation), or the examples, or whatever.

SSLLabs picks the ciphers it wants to check for; usually a group of
"good" ciphers to make sure that you can support the
latest-and-greatest ciphers, plus a bunch of them that are known to be
broken (like most SSL-only ones).

This tool may help you test, because it's a whole lot faster than
SSLLabs' tests:
http://markmail.org/message/tz4z44nfjl7sy2lj

-chris
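One way to check which suites a connector really accepts, as an added example (not part of the original message, and not the tool linked in it): it offers each cipher suite the local JVM supports, one per connection, and flags accepted suites that are missing from the list passed as the third argument. The class name CipherProbe and its arguments are assumptions, and the results cover only the suites and protocol versions the local JVM still enables, so suites a newer JVM has dropped will not show up.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Usage: java CipherProbe <host> <port> [comma-separated configured suites]
public class CipherProbe {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        Set<String> configured = new HashSet<>();
        if (args.length > 2) configured.addAll(Arrays.asList(args[2].split("\\s*,\\s*")));

        new Socket(host, port).close(); // fail fast if the port is unreachable

        // Certificate checks are off because only cipher negotiation is being
        // measured; never reuse this trust manager for real traffic.
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) { }
            public void checkServerTrusted(X509Certificate[] c, String t) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        for (String suite : factory.getSupportedCipherSuites()) {
            if (suite.endsWith("_SCSV")) continue; // signalling value, not a cipher
            try (SSLSocket s = (SSLSocket) factory.createSocket(host, port)) {
                s.setSoTimeout(5000);
                // Offer exactly one suite: a completed handshake proves the
                // server has it enabled.
                s.setEnabledCipherSuites(new String[] { suite });
                s.startHandshake();
                boolean unexpected = !configured.isEmpty() && !configured.contains(suite);
                System.out.println((unexpected ? "UNEXPECTED " : "accepted   ")
                        + suite + " via " + s.getSession().getProtocol());
            } catch (IOException | IllegalArgumentException e) {
                // Handshake refused or suite unusable in this JVM: not accepted.
            }
        }
    }
}
```

Passing the value of the connector's ciphers attribute as the third argument makes any suite the server accepts outside that list stand out as UNEXPECTED.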
