I have an Ubuntu 12.04.2 LTS server running Apache 2.2.22 with mod_ssl and OpenSSL v1.0.1. In my vhosts config (everything else within which behaves as I would expect), I have the SSLProtocol line with -all +SSLv3. With that configuration, TLS 1.1 & 1.2 are enabled and work correctly - which is counter-intuitive to me, as I would expect that.

Recommendations for Apache/mod_ssl: High security.

The SSLProtocol and SSLCipherSuite directives below are meant for high security information exchange between server and client. However, the user will need to use a recent web browser: Firefox > 70, Chrome > 79, Microsoft Edge, IE > 11. This is because the resulting cipher suites require TLSv1.2.

SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on

Old SSL/TLS protocol versions are vulnerable to downgrade attacks such as POODLE (Padding Oracle On Downgraded Legacy Encryption) for SSLv3 or CRIME (.

Not compatible with some client web browsers:
OpenSSL: set CipherString to lower the seclevel from 2 to 1, like so: DEFAULT@SECLEVEL=1
GnuTLS: create an overrides file and set the priority string to: NORMAL
NSS: lower.

Apache Tomcat using Java Secure Socket Extension (JSSE):

Apache Tomcat uses the JSSE connector by default, as opposed to the Apache Portable Runtime (APR). Example JSSE Connector settings in $TOMCAT_BASE/conf/server. Below are recommended cipher suites:

ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, …, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

Connect SMTP and upgrade to TLS.

We can use s_client to test the SMTP protocol and port and then upgrade to a TLS connection.

openssl s_client -connect :443 -CAfile /etc/ssl/CA.crt
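As an added example (not code from the original post), the Python below models how mod_ssl evaluates an SSLProtocol line such as the recommended one above and lists any legacy version the line still leaves enabled. The expansion of `all` to SSLv3, TLSv1, TLSv1.1 and TLSv1.2 is an assumption matching an OpenSSL 1.0.1-era build.

```python
"""Evaluate an Apache mod_ssl SSLProtocol directive and lint the result.

Added example, not from the original post. Assumed semantics: tokens are
applied left to right, '+' adds a version, '-' removes it, a bare name
means '+', and 'all' expands to SSLv3, TLSv1, TLSv1.1 and TLSv1.2.
"""

# Protocol versions mod_ssl knows about, oldest first.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANONICAL = {p.lower(): p for p in PROTOCOLS}
# Assumption: 'all' covers every version except the long-removed SSLv2.
ALL = frozenset(("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"))
# Versions exposed to downgrade attacks such as POODLE (SSLv3).
LEGACY = frozenset(("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"))


def enabled_protocols(directive):
    """Return the set of protocol versions an SSLProtocol line enables."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]  # accept the full config line or just its arguments
    enabled = set()
    for token in tokens:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            versions = ALL
        elif name.lower() in CANONICAL:
            versions = {CANONICAL[name.lower()]}
        else:
            raise ValueError("unknown protocol %r in SSLProtocol" % name)
        if sign == "+":
            enabled |= versions
        else:
            enabled -= versions
    return enabled


def lint_protocols(directive):
    """Return legacy versions still enabled, oldest first (empty list = clean)."""
    return sorted(enabled_protocols(directive) & LEGACY, key=PROTOCOLS.index)


if __name__ == "__main__":
    for line in ("SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3", "SSLProtocol all"):
        print(line, "->", sorted(enabled_protocols(line)), "legacy:", lint_protocols(line))
```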