2016-03-31 17:16 GMT+03:00 Apache Wiki <wikidi...@apache.org>:
> Dear Wiki user,
>
> You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for
> change notification.
>
> The "Security/Ciphers" page has been changed by markt:
> https://wiki.apache.org/tomcat/Security/Ciphers?action=diff&rev1=14&rev2=15
>
> Comment:
> Update the Tomcat 8.5 results. Split out JSSE, JSSE+OpenSSL and OpenSSL into
> separate tables
>
>
> There is no right choice since there are always trade-offs to make between
> better security better interoperability, better performance etc.. Where you
> choose to draw that line is a choice you need to make. The following
> information is provided to help you make that choice. The ratings provided
> are those calculated by the excellent [[https://www.ssllabs.com/ssltest|SSL
> Labs Test]]. Keep in mind that, as more vulnerabilities are discovered, these
> ratings are only ever going to get worse over time. The results shown on this
> page were correct at the time they were generated.
>
> - As of May 2015, 1024-bit DHE is
> [[https://www.schneier.com/blog/archives/2015/05/the_logjam_and_.html|considered]]
> [[https://weakdh.org/imperfect-forward-secrecy.pdf|breakable]] by
> nation-state adversaries. 2048-bit DHE is recommended. 2048-bit DHE may be
> configured with JSSE connectors (BIO, NIO, NIO2) using JVM parameter, and for
> APR connector Apache Tomcat Native Library 1.2.2 (or later) should be used.
1). The above note was removed...

> + == BIO/NIO/NIO2 with JSSE Results (Default) ==
>
>
> + == NIO/NIO2 with JSSE+OpenSSL Results (Default) ==
> +
> + || || Java 5 || Java 6 || Java 7 || Java 8 ||
> + || Tomcat 8.5 || N/A || N/A || A || A ||
> + || Tomcat 9 || N/A || N/A || N/A || A ||
> +
> +
> - Note: Tomcat 9 with JSSE/OpenSSL and JSSE config requires a 1.2.6 tc-native
> release to achieve an A since, without it, the full certificate chain is not
> presented to the client.
> + Note: JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release to
> achieve an A since, without it, the full certificate chain is not presented
> to the client.
> +
> + The equivalent OpenSSL cipher configurations used to obtain the above
> results are:
> +
> + || Java 7 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE ||
> + || Java 8 || HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA ||
> +
> + Note: Java 7 DHE ciphers sue a 768 bit DH key which is considered insecure
> which is why those ciphers are excluded only for Java 7.

2). Typo: s/ sue / use /

3). I do not understand the above Note.

This section is "JSSE+OpenSSL", so it uses OpenSSL ciphers. The JSSE implementation of those should not matter.

To add here: Oracle Java 8 documentation to change size of an EDH key:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys

The system property name is "jdk.tls.ephemeralDHKeySize".

> + == APR with OpenSSL Results (Default) ==

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
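Review bot: the replacement Note line "JSSE+OpenSSL and JSSE config requires a 1.2.6 tc-native release" pairs a compound subject with a singular verb and, unlike the line it replaces ("Tomcat 9 with JSSE/OpenSSL and JSSE config requires ..."), no longer says which Tomcat version it applies to, although the table directly above it now has both a Tomcat 8.5 and a Tomcat 9 row. Suggest "Note: JSSE+OpenSSL and JSSE configurations require a 1.2.6 tc-native release to achieve an A ..." and stating explicitly whether the 1.2.6 requirement holds for the Tomcat 8.5 row as well, since a reader of that row cannot tell from the hunk.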
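To see what the two cipher strings quoted in the diff actually select, here is an added example (not from the wiki page, the mail above, or the Tomcat project). It hands each string to the OpenSSL cipher-list parser through Python's `ssl` module, so the expansion is the same one `openssl ciphers -v '<spec>'` would print for the same OpenSSL build, and then checks the properties the wiki strings are meant to enforce: the Java 7 string (with `!DHE`) yields no finite-field DHE suite at all, the Java 8 string keeps them, and neither string leaves static-RSA key exchange, RC4, MD5, NULL encryption or anonymous suites enabled. The function and constant names are mine; the only assumption is a CPython linked against OpenSSL 1.1.1 or later (the `DHE` keyword needs OpenSSL 1.0.2+, and TLS 1.3 suites show `Kx=any`, which the checks ignore). As the wiki itself notes, the exact suite list depends on the OpenSSL build in use.

```python
"""Expand OpenSSL cipher strings and check the exclusions the wiki tables rely on.

Added example, not code from the Tomcat wiki or the Tomcat project.
Assumes CPython linked against OpenSSL 1.1.1 or later.
"""
import ssl

# The two cipher strings quoted from the wiki diff above.
CIPHER_SPECS = {
    "Java 7": "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DHE",
    "Java 8": "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA",
}


def expand_cipher_spec(spec):
    """Return the suites OpenSSL selects for `spec`, in preference order.

    Each entry is the dict SSLContext.get_ciphers() builds from OpenSSL's
    cipher description; the 'description' field is the same line that
    `openssl ciphers -v` prints, e.g.
    'DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches the string
    return ctx.get_ciphers()


def key_exchange(cipher):
    """Return the key-exchange token ('DH', 'ECDH', 'RSA', 'any', ...) of one suite."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "unknown"


def dhe_suites(spec):
    """Names of the finite-field ephemeral DH suites (Kx=DH) selected by `spec`.

    These are the suites whose security depends on the server's DH parameter
    size (768-bit in Java 7's JSSE, jdk.tls.ephemeralDHKeySize in Java 8).
    ECDHE suites print Kx=ECDH and are unaffected by that setting.
    """
    return [c["name"] for c in expand_cipher_spec(spec) if key_exchange(c) == "DH"]


def policy_violations(spec):
    """Suites that contradict the !kRSA/!RC4/!MD5/!eNULL/!aNULL exclusions."""
    violations = []
    for cipher in expand_cipher_spec(spec):
        desc = cipher["description"]
        if key_exchange(cipher) == "RSA":  # static RSA key exchange: no forward secrecy
            violations.append(cipher["name"])
        elif ("Enc=RC4" in desc or "Mac=MD5" in desc
              or "Enc=None" in desc or "Au=None" in desc):
            violations.append(cipher["name"])
    return violations


if __name__ == "__main__":
    for java, spec in CIPHER_SPECS.items():
        suites = expand_cipher_spec(spec)
        print(f"{java}: {len(suites)} suites selected")
        print(f"  DHE suites : {dhe_suites(spec) or 'none'}")
        print(f"  violations : {policy_violations(spec) or 'none'}")
```

Run it on the machine whose OpenSSL Tomcat Native links against: if `dhe_suites` returns an empty list for the Java 7 string, the 768-bit DH key the wiki note refers to can never be used on that configuration because no suite that needs it is offered; for the Java 8 string the DHE suites stay enabled, so the DH parameter size is what matters there (`jdk.tls.ephemeralDHKeySize` for JSSE connectors, the OpenSSL/tc-native configuration when OpenSSL performs the handshake).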