Over the last few years, a lot has happened in SSL/TLS land. In 2011, the BEAST attack made it possible to decrypt session cookies. As a countermeasure, many people started preferring RC4 ciphers. Most vendors released security patches, lessening the need for server-side mitigations. Since RC4 is showing more and more weaknesses, this was probably a good thing. In this post we will explore the state of affairs regarding TLS when using Apache Tomcat, and we will try to find an optimal configuration.
First off, all the best for 2014 on behalf of the whole team at Eveoh. 2013 has been a great year in which we focused on improving maintainability of MyTimetable and upgrading customers to a recent version of MyTimetable. We released four new MyTimetable versions and welcomed valued new customers. For 2014, we will continue improving MyTimetable and expanding our business, and will release some frequently requested new features. More on that will be communicated in a future newsletter.
Our product MyTimetable supports multiple authentication backends, all thanks to Spring Security. Over the last few years, we experienced some issues with certain authenticators. To help anyone experiencing the same issues, we summed up the issues we had with Waffle and OpenSSO/OpenAM below.
Over the past year it may have been quiet on this blog, but we have not been sitting on our hands. We upgraded our web sites (more on that later, in another post) and in January we started upgrading our clients to MyTimetable 2.1. Recently, we upped the version number to 2.2. This post gives an overview of the changes and explains our versioning policy.
Recently, we moved a part of our MyTimetable caching layer from Ehcache to Infinispan. We also started to cache more aggressively in order to optimise performance. In this post we discuss some of the challenges encountered when trying to configure Infinispan and JGroups from Spring.