Embedded Tomcat 9.0.33

Embedded Tomcat 9.0.33

S Abirami-2
Hi ALL,

We have deployed embedded Tomcat on RHEL 7 with JDK 1.8. For the Sweet32 vulnerability, we have configured jdk.tls.disabled.algorithm to remove the encryption ciphers that have a 64-bit block size.

I need clarification on whether the JDK configuration is enough for embedded Tomcat to avoid the Sweet32 attack, or whether we need to configure the cipher list through IntrospectionUtils.

Is there any API to find the default list of ciphers active in embedded Tomcat, similar to SSLSocket.getEnabledCipherSuite?

Regards,
Abirami.S
Re: Embedded Tomcat 9.0.33

Christopher Schultz-2
Abirami,

On 3/20/21 11:36, S Abirami wrote:
> We have deployed embedded Tomcat on RHEL 7 with JDK 1.8. For the Sweet32
> vulnerability, we have configured jdk.tls.disabled.algorithm to
> remove the encryption ciphers that have a 64-bit block size.
>
> I need clarification on whether the JDK configuration is enough for
> embedded Tomcat to avoid the Sweet32 attack, or whether we need to
> configure the cipher list through IntrospectionUtils.

While disabling the bulk encryption at the JVM level is probably the
/safest/ thing to do, I would change the cipher suite string that Tomcat
uses for TLS handshaking with its TLS-enabled connectors.

Why? Because having configuration elsewhere can be confusing and
surprising, and confusion and surprise are not friends of security.

If you can disable those cipher suites via a <Connector>, why bother to
disable those algorithms at the JVM level? Well, if you have *outgoing*
TLS connections and you aren't sure how to configure them properly[1],
then this JVM setting will protect you all around.

You shouldn't need IntrospectionUtils for anything.

> Is there any API to find the default list of ciphers active
> in embedded Tomcat, similar to SSLSocket.getEnabledCipherSuite?

It would be easier to run a TLS scanner against your server, like
https://www.ssllabs.com/ssltest/

If you can't reach your server from the internet (or don't want to use
another tool to probe your server for whatever reason), you can use this
tool instead:
https://github.com/ChristopherSchultz/ssltest

Hope that helps,
-chris

[1] Pro tip: learn how to configure ALL your TLS connections properly,
then do it.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
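As an added example (not code from the thread or from the Tomcat project), here are the two placements Chris contrasts, written for embedded Tomcat 9 on Java 8: the JVM-wide jdk.tls.disabledAlgorithms property, checked against the suites JSSE then enables by default, and an explicit cipher allow-list on the connector's SSLHostConfig. The keystore path and password are placeholders, and the Http11NioProtocol connector and the two allow-listed suites are assumptions.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class Sweet32Config {

    // Suites enabled by default in this JVM that still use a 64-bit block cipher (3DES/DES).
    public static List<String> remainingSweet32Suites() throws Exception {
        List<String> hits = new ArrayList<>();
        for (String suite : SSLContext.getDefault().createSSLEngine().getEnabledCipherSuites()) {
            if (suite.contains("3DES") || suite.contains("_DES_")) hits.add(suite);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Option 1: JVM-wide. Same effect as editing java.security; it must run before
        // SunJSSE initialises, so it is the first TLS-related call in main().
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        Security.setProperty("jdk.tls.disabledAlgorithms",
                (disabled == null ? "" : disabled + ", ") + "3DES_EDE_CBC, DES");
        System.out.println("64-bit block suites still enabled by JSSE: " + remainingSweet32Suites());

        // Option 2: per-connector, the placement Chris recommends. An explicit allow-list
        // of AEAD suites means this connector never offers 3DES regardless of JVM settings.
        Tomcat tomcat = new Tomcat();
        Connector https = new Connector("org.apache.coyote.http11.Http11NioProtocol"); // assumed
        https.setPort(8443);
        https.setScheme("https");
        https.setSecure(true);
        https.setProperty("SSLEnabled", "true");
        SSLHostConfig ssl = new SSLHostConfig();
        ssl.setProtocols("TLSv1.2");
        ssl.setCiphers("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile("/path/to/keystore.p12"); // placeholder path
        cert.setCertificateKeystorePassword("changeit");           // placeholder password
        ssl.addCertificate(cert);
        https.addSslHostConfig(ssl);
        tomcat.getService().addConnector(https);
        // After tomcat.start(), ssl.getEnabledCiphers() lists the suites the connector actually
        // enabled: the closest Tomcat analogue to SSLSocket.getEnabledCipherSuites().
    }
}
```

Running the JSSE check before and after the Security.setProperty call makes the effect of the JVM-level setting visible without any external scanner; the connector allow-list stays effective even if that property is later dropped from java.security.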

RE: Embedded Tomcat 9.0.33

S Abirami-2
Thanks, Christopher, for the detailed explanation and the testing tools.

