On 14/07/2016 19:36, uzair rashid wrote:
> Jeffrey,
> 
> Working for a corporation that has strict SSL and security requirements.
> There is no way to use the tools you suggested, since the tomcat URLs are
> not exposed.

That doesn't stop you setting up a stand-alone test instance using the
same settings (with a different cert if you are especially paranoid) and
checking those settings using the excellent ssllabs.

Keeping your Tomcat and JVM versions up to date will also help. The
Tomcat team periodically reviews Tomcat's default TLS configuration and
adjusts it accordingly.
For details of the most recent review see:
https://wiki.apache.org/tomcat/Security/Ciphers

Mark

> 
> On Thu, Jul 14, 2016 at 8:41 AM, Jeffrey Janner <jeffrey.jan...@polydyne.com> wrote:
> 
>> Hi folks,
>>
>> I've been off the list for a bit, getting ducks in a row here and
>> everything.
>> I noticed a number of posts about SSL & TLS security settings lately and I
>> wanted to point out that maintaining your SSL configurations is an ongoing
>> process.
>> New exploits are discovered and released quite often, and often the fault
>> lies with a cipher and not necessarily an overall SSL/TLS protocol.
>> So using a cipher list like "all except RC4" is probably not sufficient
>> anymore.
>> And what is secure may depend completely on the SSL/TLS software you use,
>> be it OpenSSL or Java's built in SSL libraries.
>> For example, with OpenSSL, you should be using 1.0.1t or higher, and even
>> then only TLS1.2 with a handful of ciphers.
>> I'm not sure what the recommended options for Java's libraries are at the
>> moment.
>> A really good, free tool is Qualys' SSL Labs server test tool located at:
>> https://www.ssllabs.com/ssltest/
>> Run that against your implementation and follow its recommendations.
>>
>> Of course, at the end of the day, it will be up to you and your firm to
>> decide what risks you are willing to take with your SSL communications and
>> whether or not you need to support insecure browsers, i.e. browsers that
>> cannot negotiate up to the most secure protocol and ciphers.
>>
>> Jeffrey Janner
>> p.s. Qualys also has a test suite for the browsers that you use.
>>
>>
> 


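Jeffrey's point that a list like "all except RC4" is no longer enough, and Mark's suggestion of checking a stand-alone instance's settings, can be complemented by reviewing the connector settings in server.xml offline. The script below is an added example, not code from Tomcat or from anyone in this thread; the policy it enforces (TLS 1.2 only, explicitly enumerated forward-secret AEAD suites) and the sample server.xml are constructed assumptions, while sslEnabledProtocols and ciphers are real Connector attributes.

```python
"""Lint the TLS settings of each SSL-enabled <Connector> in a Tomcat server.xml."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an "all except RC4" connector and a tightly enumerated one.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="ALL:!RC4"/>
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""

# Policy (an assumption for this example): TLS 1.2 only, explicit suites, forward secrecy, AEAD only.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1"}
# OpenSSL group keywords expand differently after every library update, so the
# effective suite list cannot be reviewed from the config alone.
GROUP_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}
REJECTED_SUITE = re.compile(r"RC4|3DES|_DES_|NULL|EXPORT|_MD5|ANON|_CBC_", re.IGNORECASE)

def lint_protocols(value):
    """Findings for a Tomcat 'sslEnabledProtocols' attribute value."""
    enabled = [p.strip() for p in value.split(",") if p.strip()]
    return [f"weak protocol enabled: {p}" for p in enabled if p in WEAK_PROTOCOLS]

def lint_ciphers(value):
    """Findings for a Tomcat 'ciphers' attribute (comma- or colon-separated)."""
    findings = []
    for entry in filter(None, (e.strip() for e in re.split(r"[,:]", value))):
        if entry[0] in "!-":
            continue  # exclusions never widen the list
        if entry.upper() in GROUP_KEYWORDS:
            findings.append(f"group keyword '{entry}': enumerate suites explicitly")
        elif REJECTED_SUITE.search(entry):
            findings.append(f"rejected by policy: {entry}")
        elif "DHE" not in entry.upper():  # matches ECDHE and DHE key exchange
            findings.append(f"no forward secrecy: {entry}")
    return findings

def lint_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocols, ciphers = conn.get("sslEnabledProtocols"), conn.get("ciphers")
        findings = lint_protocols(protocols) if protocols else ["sslEnabledProtocols not set"]
        findings += lint_ciphers(ciphers) if ciphers else ["ciphers not set: library default applies"]
        report[conn.get("port")] = findings
    return report
```

Run it against a copy of the real server.xml; an empty findings list for a port means that connector satisfies the stated policy, nothing more.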
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org