[Tomcat Wiki] Update of "Security/Ciphers" by OgnjenBlagojevic

[Apache Wiki <wi...@apache.org>]

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Security/Ciphers" page has been changed by OgnjenBlagojevic:
https://wiki.apache.org/tomcat/Security/Ciphers?action=diff&rev1=5&rev2=6

Comment:
Added information about 2048-bit DHE

  = TLS Cipher suite choice =
  
  There is no right choice since there are always trade-offs to make between better security better interoperability, better performance etc.. Where you choose to draw that line is a choice you need to make. The following information is provided to help you make that choice. The ratings provided are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these ratings are only ever going to get worse over time. The results shown on this page were correct at the time they were generated.
+ 
+ As of May 2015, 1024-bit DHE is [[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]] [[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by nation-state adversaries. 2048-bit DHE is recommended. 2048-bit DHE may be configured with JSSE using JVM parameter, while latest released version of Apache Tomcat Native Library (1.1.33) does not support 2048-bit DHE. You may track native support [[https://bz.apache.org/bugzilla/show_bug.cgi?id=56108|here]]
+ 
  
  == JSSE (BIO/NIO/NIO2) Results (Default) ==
  
@@ -22, +25 @@

  
  == JSSE Settings for Improved Results ==
  
- To use these settings, set the ciphers attribute on your secure connector to the list of ciphers shown below. The list should be comma separated.
+ To use these settings:
  
+  1. Pass JVM parameter '''-Djdk.tls.ephemeralDHKeySize=2048''' to JVM running Tomcat.
+ 
+  1. Set the ciphers attribute on your secure connector to the list of ciphers shown below. The list should be comma separated.
+ 
-  * Java 5
+   * Java 5
-   * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+    * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-  * Java 6
+   * Java 6
-   * TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
+    * TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
-  * Java 7
+   * Java 7
-   * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+     * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-  * Java 8
+   * Java 8
-   * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  
  ''(It might be nice to provide the OpenSSL-style cipher suites arcana for the versions of Tomcat that support it)''
  

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org