Posted to users@tomcat.apache.org by Ramon Pfeiffer <ra...@uni-tuebingen.de> on 2015/06/01 10:17:13 UTC

Re: Problem specifying cipher suites in tomcat6

On 29.05.2015 at 23:31, Christopher Schultz wrote:
> Ramon,
>
> On 5/29/15 4:42 PM, Ramon Pfeiffer wrote:
>> On 29.05.2015 21:12, Christopher Schultz wrote:
>>> Ramon,
>>>
>>> On 5/29/15 3:32 AM, Ramon Pfeiffer wrote:
>>>> On 28.05.2015 at 18:56, Caldarale, Charles R wrote:
>>>>>> From: Ramon Pfeiffer
>>>>>> [mailto:ramon.pfeiffer@uni-tuebingen.de] Subject: Problem
>>>>>> specifying cipher suites in tomcat6
>>>>>
>>>>>> I'm currently trying to specify a list of cipher suites to
>>>>>> be used by my connector in Tomcat 6.0.24.
>>>>>
>>>>>> Anybody can shed some light on what I did wrong?
>>>>>
>>>>> Using a version of Tomcat that's more than five years old is
>>>>> the first thing - there have been many, many security fixes
>>>>> since then, including some related to the ciphers attribute.
>>>>> You also need to tell us the JVM version, the platform you're
>>>>> running on, and whether or not APR is in use for this
>>>>> <Connector> (it's in the logs).
>>>
>>>> Sadly, it's a system I inherited last year and now have the
>>>> pleasure to work with. I can't update Tomcat for I don't know
>>>> what will break.
>>>
>>> If you can't upgrade it, you are better-off shutting-down the
>>> service, because there are security vulnerabilities in there.
>>>
>>> So, ask your boss which is worse: shuttering the project, or
>>> getting a new version of Tomcat into a testing environment?
>>
>> Shutting it down is not an option. So I guess next week will be...
>> interesting.
>>
>> The important thing is this: Will the connector work in this
>> configuration after I updated Tomcat? Or is the issue completely
>> unrelated? Where are the ciphers shown by ssllabs taken from? Is
>> the cipher attribute ignored?
>
> Lots of things have been fixed/added in more recent versions of Tomcat
> 6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
> even need to deploy your own web application on it; just configure it
> for SSL and hit the default web application (the Tomcat
> documentation), or the examples, or whatever.
>

Apparently, I need to correct myself a bit. Tomcat6 is installed via the
RHEL repositories; the latest version offered by RHEL is 6.0.24:
# yum list tomcat6.x86_64
tomcat6.x86_64		6.0.24-83.el6_6

So it seems as if the latest version of tomcat6 is installed already, 
giving me the cipher suite headaches nonetheless.

Any further ideas?

Thanks,
Ramon


Re: Problem specifying cipher suites in tomcat6

Posted by Konstantin Kolinko <kn...@gmail.com>.
2015-06-01 11:17 GMT+03:00 Ramon Pfeiffer <ra...@uni-tuebingen.de>:
> On 29.05.2015 at 23:31, Christopher Schultz wrote:
>>
>> Lots of things have been fixed/added in more recent versions of Tomcat
>> 6.0.x. Please give a quick test against Tomcat 6.0.latest: you don't
>> even need to deploy your own web application on it; just configure it
>> for SSL and hit the default web application (the Tomcat
>> documentation), or the examples, or whatever.
>>
>
> Apparently, I need to correct myself a bit. Tomcat6 is installed via the
> RHEL repositories; the latest version offered by RHEL is 6.0.24:
> # yum list tomcat6.x86_64
> tomcat6.x86_64          6.0.24-83.el6_6
>
> So it seems as if the latest version of tomcat6 is installed already, giving
> me the cipher suite headaches nonetheless.

It is in the FAQ:
https://wiki.apache.org/tomcat/FAQ/Linux_Unix#Q5

[q] Moreover, some of those packages are notably outdated. [/q]

If you need documentation for 6.0.24, see the "webapps/docs" web
application in your copy of Tomcat 6.0.24. That is unless your vendor
has bundled it. Official downloads from tomcat.apache.org include the
documentation.

The online documentation is for the current version (6.0.44).

Best regards,
Konstantin Kolinko
