我正在尝试改进我的 webapp 允许的密码套件。
在 Tomcat 的 server.xml 中,我定义了以下连接器:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="3000" minSpareThreads="250" maxSpareThreads="500"
enableLookups="false" disableUploadTimeout="true"
acceptCount="1000" connectionTimeout="40000"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
ADH-AES256-SHA, AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA"
keystoreFile="REDACTED" keystorePass="REDACTED" />
服务器启动得很好。一切正常。但是,当我在服务器上运行sslscan时,256 位密码显示为不受支持。
(Abbreviated, sorted output)
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
此外,扫描显示首选服务器密码是“SSLv3 128 位 DHE-RSA-AES128-SHA”和“TLSv1 128 位 DHE-RSA-AES128-SHA”。如果 Tomcat 更愿意使用 128 位密码,我很好,但我想为任何严格的客户提供服务。
我忽略了什么?