What are most people doing to detect so-called "weak" SSL ciphers in
Tomcat?

I've noted that I can configure the Tomcat Connector's 'ciphers' list to
specify only those that are not "weak," but I'm not sure how best to
generate that list. For example, how would I list all ciphers except
DES-CBC-SHA, EXP-RC4-MD5 and EXP-DES-CBC-SHA from what's offered by
default? Is there a way to get an exhaustive list of what ciphers
Tomcat's SSL will use on Java 5?

Or are people simply checking the javax.servlet.request.key_size
attribute to determine if it's at least 128 bits and then either
allowing the connection or redirecting to an error page or the like? It
seems like checking the javax.servlet.request.cipher_suite attribute
won't be enough because it lists all ciphers that it can use, not the
one that's actually being used.

Thanks,
David
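
One way to generate such a list, as an added example that is not part of the original post: ask JSSE, in the same JVM that runs Tomcat, which suites it enables by default, drop the weak ones, and print the remainder as a comma-separated value for the Connector's 'ciphers' attribute. The class name and the name-fragment filter are assumptions of this example; the three suites named above appear in JSSE as SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5 and SSL_RSA_EXPORT_WITH_DES40_CBC_SHA.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

public class ListStrongCiphers {
    // Assumed policy for this example: reject export-grade, single-DES,
    // NULL-encryption and anonymous suites, matched by JSSE name fragment.
    // "_3DES_" does not match "_DES_", so triple-DES suites are kept.
    static final String[] WEAK_MARKERS = {
        "_EXPORT_", "_DES_", "_DES40_", "_NULL_", "_anon_"
    };

    static boolean isWeak(String suite) {
        for (int i = 0; i < WEAK_MARKERS.length; i++) {
            if (suite.indexOf(WEAK_MARKERS[i]) >= 0) return true;
        }
        return false;
    }

    // Returns the offered suites minus the weak ones, order preserved.
    static List<String> strongSuites(String[] offered) {
        List<String> kept = new ArrayList<String>();
        for (int i = 0; i < offered.length; i++) {
            if (!isWeak(offered[i])) kept.add(offered[i]);
        }
        return kept;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] enabled = f.getDefaultCipherSuites();     // on unless configured otherwise
        String[] supported = f.getSupportedCipherSuites(); // everything the provider can do
        System.out.println(supported.length + " supported, "
            + enabled.length + " enabled by default");

        // Show the decision for every default suite, then the attribute value.
        for (int i = 0; i < enabled.length; i++) {
            System.out.println((isWeak(enabled[i]) ? "DROP " : "KEEP ") + enabled[i]);
        }
        StringBuilder attr = new StringBuilder();
        List<String> kept = strongSuites(enabled);
        for (int i = 0; i < kept.size(); i++) {
            if (i > 0) attr.append(',');
            attr.append(kept.get(i));
        }
        System.out.println("ciphers=\"" + attr + "\"");
    }
}
```

The code avoids APIs newer than Java 5, so it can be compiled and run with the JVM named in the question; the output differs between JVM versions and should be regenerated after a JVM upgrade.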