James,

On 2/6/19 12:21, James H. H. Lampert wrote:
> Thanks. I do have some follow up questions
> 
> On 2/6/19, 1:04 AM, Mark Thomas wrote:
>> On the TLS Connector:
>> 
>> sslEnabledProtocols="TLSv1.1,TLSv1.2"
> 
> Ok. So the active connector we currently have for this particular 
> installation (which has multiple IP addresses, hence the "address" 
> clause) is:
>> <Connector port="443"
>>            protocol="org.apache.coyote.http11.Http11Protocol"
>>            address="REDACTED" maxThreads="150" SSLEnabled="true"
>>            scheme="https" secure="true" keystoreFile="REDACTED"
>>            keyAlias="REDACTED"
>>            ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"
>>            clientAuth="false" sslProtocol="TLS" />
> 
> So I can just add the sslEnabledProtocols clause to the end of
> this?

Be careful: specifying a specific list of cipher suites limits what
the client+server will allow. You can handshake using TLSv1.2 but then
use a crappy cipher which then actually reduces your security. For
instance, the SSL_*CBC_SHA ciphers are all considered weak because of
the use of CBC.

https://crypto.stackexchange.com/a/52568

Unless you really need to be picky about the ciphers you support, you
shouldn't use a very short list like this one you have here.

When you upgrade from Tomcat 7, you should be able to use
OpenSSL-style configuration, which means you don't have to list every
single cipher suite you want to support -- you can say "anything that
has ECDHE is cool" and let Tomcat figure out what the environment will
support, for example. You can even say "anything but MD5", etc. It's
quite expressive and much better than individually whitelisting ciphers.

-chris
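As an added illustration (not part of the thread, and not a configuration from the Tomcat project itself), here is the connector quoted above with the suggested sslEnabledProtocols attribute added, followed by the same endpoint expressed in the Tomcat 8.5+ SSLHostConfig form using an OpenSSL-style cipher expression. The protocol class name Http11NioProtocol, the SSLHostConfig/Certificate attribute names and the cipher expression ECDHE+AESGCM:!aNULL:!MD5 are assumptions about the post-upgrade Tomcat version; the REDACTED values are placeholders carried over from the original message.

```xml
<!-- Tomcat 7 (JSSE) connector as posted, with sslEnabledProtocols added.
     Still pins two RSA key-exchange, CBC-mode, SHA-1 MAC suites, so even a
     TLSv1.2 handshake ends up on a suite the reply above calls weak. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           address="REDACTED" maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true" keystoreFile="REDACTED"
           keyAlias="REDACTED"
           ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1,TLSv1.2" />

<!-- Assumed Tomcat 8.5+ equivalent (example, not the project's own config).
     The cipher expression says "ECDHE key exchange with AES-GCM, no
     anonymous suites, nothing using MD5"; Tomcat expands it against what
     the JVM actually supports instead of relying on a hand-typed list. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           address="REDACTED" maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2"
                   ciphers="ECDHE+AESGCM:!aNULL:!MD5"
                   honorCipherOrder="true">
        <Certificate certificateKeystoreFile="REDACTED"
                     certificateKeyAlias="REDACTED"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The second form drops TLSv1.1 from the protocol list; whether that is acceptable depends on which clients the installation must still serve, so check the access logs for old user agents before narrowing it.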
