Posted to dev@tomcat.apache.org by Apache Wiki <wi...@apache.org> on 2015/03/06 12:46:53 UTC

[Tomcat Wiki] Update of "Security/Ciphers" by markt

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "Security/Ciphers" page has been changed by markt:
https://wiki.apache.org/tomcat/Security/Ciphers

Comment:
Create page with results for current Tomcat 6 (6.0.44-dev)

New page:
= TLS Cipher suite choice =

There is no right choice since there are always trade-offs to make between better security, better interoperability, better performance etc. Where you choose to draw that line is a choice you need to make. The following information is provided to help you make that choice. The ratings provided are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these ratings are only ever going to get worse over time. The results shown on this page were correct at the time they were generated.

== JSSE (BIO/NIO/NIO2) Results (Default) ==

||          || Java 5 || Java 6 || Java 7 || Java 8 ||
|| Tomcat 6 ||   C    ||   C    ||   C    ||   B    ||
|| Tomcat 7 ||  N/A   ||  TBC   ||  TBC   ||  TBC   ||
|| Tomcat 8 ||  N/A   ||  N/A   ||  TBC   ||  TBC   ||


== JSSE (BIO/NIO/NIO2) Results (Improved) ==

||          || Java 5 || Java 6 || Java 7 || Java 8 ||
|| Tomcat 6 ||   B    ||   B    ||   A-   ||   A   ||
|| Tomcat 7 ||  N/A   ||  TBC   ||  TBC   ||  TBC   ||
|| Tomcat 8 ||  N/A   ||  N/A   ||  TBC   ||  TBC   ||


== JSSE Settings for Improved Results ==

To use these settings, set the ciphers attribute on your secure connector to the list of ciphers shown below. The list should be comma separated.

 * Java 5
  * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 * Java 6
  * TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
 * Java 7
  * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 * Java 8
  * TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA


== Environment ==

The results above were generated with:
 * Java 5, 64-bit, update 22
 * Java 6, 64-bit, update 45
 * Java 7, 64-bit, update 76
 * Java 8, 64-bit, update 31
 * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled SSLv2 and SSLv3.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
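The cipher lists above differ per Java version because a JSSE provider only accepts the suite names it ships with, so a practical check before pasting a list into the connector's ciphers attribute is to ask the JVM which of those names it supports. The following program is an added example, not code from the wiki page or from Tomcat; it embeds the per-version lists from the page, keys them on java.specification.version, and assumes that the JSSE connector accepts the same suite names that the JVM's default SSLServerSocketFactory reports as supported.

```java
// Added example (not from the wiki page or Tomcat). Reports which of the
// "Improved Results" cipher suites for this JVM's version are unsupported by
// its JSSE provider, and prints the value to paste into the ciphers attribute.
// Written in Java 5 syntax so it compiles on every JVM the page covers.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherCheck {
    // Per-version lists copied from the "JSSE Settings for Improved Results" section.
    private static final Map<String, String> IMPROVED = new HashMap<String, String>();
    static {
        IMPROVED.put("1.5", "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
                + "SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
        IMPROVED.put("1.6", "TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA");
        IMPROVED.put("1.7", "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                + "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
                + "SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA");
        IMPROVED.put("1.8", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,"
                + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA");
    }

    /** Entries of a comma-separated ciphers value that this JVM's JSSE provider does not support. */
    public static List<String> unsupported(String commaSeparated) {
        // Assumption: the connector sees the same supported names as the default server socket factory.
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> supported = new HashSet<String>(Arrays.asList(factory.getSupportedCipherSuites()));
        List<String> missing = new ArrayList<String>();
        for (String name : commaSeparated.split("\\s*,\\s*")) {
            if (!supported.contains(name)) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        String version = System.getProperty("java.specification.version"); // e.g. "1.8"
        String list = IMPROVED.get(version);
        if (list == null) {
            System.out.println("No list on the wiki page for Java " + version);
            return;
        }
        List<String> missing = unsupported(list);
        System.out.println("ciphers=\"" + list + "\"");
        System.out.println(missing.isEmpty() ? "All suites supported by this JVM" : "Not supported here: " + missing);
    }
}
```

Run it with the same JVM that will run Tomcat; any name it reports as unsupported would be ignored by the connector rather than enforced.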


Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt

Posted by Mark Thomas <ma...@apache.org>.
On 06/03/2015 11:57, Konstantin Kolinko wrote:
> 2015-03-06 14:46 GMT+03:00 Apache Wiki <wi...@apache.org>:
>> Dear Wiki user,
>>
>> You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
>>
>> The "Security/Ciphers" page has been changed by markt:
>> https://wiki.apache.org/tomcat/Security/Ciphers
>>
>> Comment:
>> Create page with results for current Tomcat 6 (6.0.44-dev)
>>
>> New page:
>> = TLS Cipher suite choice =
>>
>> There is no right choice since there are always trade-offs to make between better security, better interoperability, better performance etc. Where you choose to draw that line is a choice you need to make. The following information is provided to help you make that choice. The ratings provided are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these ratings are only ever going to get worse over time. The results shown on this page were correct at the time they were generated.
>>
>> == JSSE (BIO/NIO/NIO2) Results (Default) ==
>>
>> ||          || Java 5 || Java 6 || Java 7 || Java 8 ||
>> || Tomcat 6 ||   C    ||   C    ||   C    ||   B    ||
>> || Tomcat 7 ||  N/A   ||  TBC   ||  TBC   ||  TBC   ||
>> || Tomcat 8 ||  N/A   ||  N/A   ||  TBC   ||  TBC   ||
>>
>>
>> == JSSE (BIO/NIO/NIO2) Results (Improved) ==
>>
>> ||          || Java 5 || Java 6 || Java 7 || Java 8 ||
>> || Tomcat 6 ||   B    ||   B    ||   A-   ||   A   ||
> 
> Maybe list what "weak points" are highlighted by the labs test for those
> B, A- results?

Partly because this is a constantly moving target and partly because I'd
rather folks explored this for themselves I'd prefer not to do that.


> IIRC, the SSLLabs tests display some list with items colored in red.

Assuming that a valid certificate is used, the only red is unsupported
clients which - given their age - is to be expected.

Mark




Re: [Tomcat Wiki] Update of "Security/Ciphers" by markt

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-03-06 14:46 GMT+03:00 Apache Wiki <wi...@apache.org>:
> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.
>
> The "Security/Ciphers" page has been changed by markt:
> https://wiki.apache.org/tomcat/Security/Ciphers
>
> Comment:
> Create page with results for current Tomcat 6 (6.0.44-dev)
>
> New page:
> = TLS Cipher suite choice =
>
> There is no right choice since there are always trade-offs to make between better security, better interoperability, better performance etc. Where you choose to draw that line is a choice you need to make. The following information is provided to help you make that choice. The ratings provided are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these ratings are only ever going to get worse over time. The results shown on this page were correct at the time they were generated.
>
> == JSSE (BIO/NIO/NIO2) Results (Default) ==
>
> ||          || Java 5 || Java 6 || Java 7 || Java 8 ||
> || Tomcat 6 ||   C    ||   C    ||   C    ||   B    ||
> || Tomcat 7 ||  N/A   ||  TBC   ||  TBC   ||  TBC   ||
> || Tomcat 8 ||  N/A   ||  N/A   ||  TBC   ||  TBC   ||
>
>
> == JSSE (BIO/NIO/NIO2) Results (Improved) ==
>
> ||          || Java 5 || Java 6 || Java 7 || Java 8 ||
> || Tomcat 6 ||   B    ||   B    ||   A-   ||   A   ||

Maybe list what "weak points" are highlighted by the labs test for those
B, A- results?

IIRC, the SSLLabs tests display some list with items colored in red.


> || Tomcat 7 ||  N/A   ||  TBC   ||  TBC   ||  TBC   ||
> || Tomcat 8 ||  N/A   ||  N/A   ||  TBC   ||  TBC   ||
>
>
> == JSSE Settings for Improved Results ==
>
> To use these settings, set the ciphers attribute on your secure connector to the list of ciphers shown below. The list should be comma separated.
>
>  * Java 5
>   * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>  * Java 6
>   * TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
>  * Java 7
>   * TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>  * Java 8
>   * TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
>
>
> == Environment ==
>
> The results above were generated with:
>  * Java 5, 64-bit, update 22
>  * Java 6, 64-bit, update 45
>  * Java 7, 64-bit, update 76
>  * Java 8, 64-bit, update 31
>  * Apache Tomcat 6.0.44-dev, r1664561. This is after the commit that disabled SSLv2 and SSLv3.
>
