Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

[SOLVED] Tomcat strong SSL security

Konstantin Boyandin
Konstantin Boyandin December 8, 2016

What are ciphers one should specify in Tomcat configuration, apart from

    sslProtocols="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"

?

The corresponding document has no recommendations for ciphers. Currently I see the latest Chrome reporting the below problem:

    The connection to this site uses a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256),
    and an obsolete cipher (AES_128_CBC with HMAC-SHA1). 

which means cipher list should be defined. Search over 'Net showed no definite up-to-date recommendations, all I have to do is to try list like

    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,
        TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
        TLS_RSA_WITH_AES_256_CBC_SHA"

and experiment with adding/deleting ciphers, but if someone has better ideas, I would be glad to know.

Answer
Watch
Like Be the first to like this
2767 views

1 answer

1 accepted

1 vote
Answer accepted
Roman Kirilenko
Roman Kirilenko
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 8, 2016

Hi Konstantin,


You can test your SSL with this tool. You'll get detailed explanations about insecure things in your SSL setup. After you correct them you should do SSL quality checks on a regular basis to maintain your SSL secure.

View More Comments
Konstantin Boyandin
Konstantin Boyandin December 9, 2016

The site is private and can't be checked directly (not allowed to do port forwarding to it); however, I tested A+ graded site and got the list of ciphers from the output.

Thanks, the answer is, as usually, obvious.

 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events