Enabling strong ciphers in Tomcat 5
I am attempting to refine the suite of ciphers that my webapp allows.

In Tomcat's server.xml I have the following connector defined:

    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="3000"
               minSpareThreads="250"
               maxSpareThreads="500"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="1000"
               connectionTimeout="40000"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, ADH-AES256-SHA, AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA"
               keystoreFile="REDACTED"
               keystorePass="REDACTED" />

The server starts just fine. Everything works. However, when I run sslscan (http://sourceforge.net/projects/sslscan/) on the server, the 256 bit ciphers show as not being supported.

    (Abbreviated, sorted output)
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Rejected  SSLv3  256 bits  ADH-AES256-SHA
    Rejected  SSLv3  256 bits  AES256-SHA
    Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
    Rejected  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Rejected  TLSv1  256 bits  ADH-AES256-SHA
    Rejected  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
    Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA

Furthermore, the scan shows that the preferred server ciphers are "SSLv3 128 bits DHE-RSA-AES128-SHA" and "TLSv1 128 bits DHE-RSA-AES128-SHA". I'm fine if Tomcat would prefer to work at 128 bit ciphers, but I would like to serve any strict clients who happen on by.

What have I overlooked?
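As an added check, not part of the original question or of Tomcat itself: a small Python script that takes the connector's `ciphers` attribute and a few sslscan lines from the question (both embedded as constructed samples), flags every entry that does not have the shape of a JSSE standard name, and maps the OpenSSL-style names that sslscan prints (`AES256-SHA`, `DHE-RSA-AES256-SHA`, ...) to their JSSE equivalents (`TLS_RSA_WITH_AES_256_CBC_SHA`, ...). Tomcat's JSSE connector hands the `ciphers` attribute to the Java SSL engine, which only knows JSSE names, so a list that mixes the two naming schemes is worth checking before looking anywhere else. The mapping table covers only the twelve suites in the question; the regular expression for the JSSE shape and the sslscan line format are the script's own assumptions.

```python
import re

# Constructed sample input: the ciphers attribute from the server.xml in the question.
CIPHERS_ATTR = (
    "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, "
    "ADH-AES256-SHA, AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA"
)

# Constructed sample input: a subset of the sslscan lines quoted in the question.
SSLSCAN_OUTPUT = """\
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1  168 bits  DES-CBC3-SHA
Rejected  TLSv1  256 bits  ADH-AES256-SHA
Rejected  TLSv1  256 bits  AES256-SHA
Rejected  TLSv1  256 bits  DHE-DSS-AES256-SHA
Rejected  TLSv1  256 bits  DHE-RSA-AES256-SHA
"""

# JSSE standard names for the suites in the question, paired with the OpenSSL
# names that sslscan prints for the same suites. Deliberately limited to these twelve.
JSSE_TO_OPENSSL = {
    "SSL_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "SSL_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA": "EDH-RSA-DES-CBC3-SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA": "EDH-DSS-DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA": "DHE-DSS-AES256-SHA",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA": "ADH-AES256-SHA",
}
OPENSSL_TO_JSSE = {v: k for k, v in JSSE_TO_OPENSSL.items()}

# Assumed shape of a JSSE standard name: SSL_/TLS_ prefix, key exchange, _WITH_, cipher and MAC.
JSSE_NAME = re.compile(r"^(SSL|TLS)_\w+_WITH_\w+$")

# Assumed shape of an sslscan cipher line: status, protocol, key bits, OpenSSL suite name.
SSLSCAN_LINE = re.compile(r"^\s*(Accepted|Rejected|Failed)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def parse_ciphers(attr):
    """Split the comma-separated ciphers attribute into individual suite names."""
    return [c.strip() for c in attr.split(",") if c.strip()]


def classify(names):
    """Separate names that have the JSSE shape from those that do not."""
    jsse = [n for n in names if JSSE_NAME.match(n)]
    non_jsse = [n for n in names if not JSSE_NAME.match(n)]
    return {"jsse": jsse, "non_jsse": non_jsse}


def suggest_jsse(name):
    """JSSE name for an OpenSSL-style name, or None when the table has no entry."""
    return OPENSSL_TO_JSSE.get(name)


def rewrite_ciphers_attr(attr):
    """Return the attribute with every entry in JSSE naming; fail loudly on unknown names."""
    out = []
    for n in parse_ciphers(attr):
        if JSSE_NAME.match(n):
            out.append(n)
        elif n in OPENSSL_TO_JSSE:
            out.append(OPENSSL_TO_JSSE[n])
        else:
            raise ValueError("no JSSE name known for %r" % n)
    return ",".join(out)


def parse_sslscan(output):
    """Parse sslscan cipher lines into (status, protocol, bits, openssl_name) tuples."""
    rows = []
    for line in output.splitlines():
        m = SSLSCAN_LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def rejected_configured(attr, scan_output):
    """Configured suites (as OpenSSL names) that the scan reports as Rejected, sorted."""
    configured = {JSSE_TO_OPENSSL.get(n, n) for n in parse_ciphers(attr)}
    rejected = {name for status, _, _, name in parse_sslscan(scan_output) if status == "Rejected"}
    return sorted(configured & rejected)


if __name__ == "__main__":
    groups = classify(parse_ciphers(CIPHERS_ATTR))
    for n in groups["non_jsse"]:
        print("not a JSSE name: %-22s -> %s" % (n, suggest_jsse(n) or "no mapping known"))
    print("rejected by scan:", rejected_configured(CIPHERS_ATTR, SSLSCAN_OUTPUT))
    print("rewritten ciphers attribute:")
    print(rewrite_ciphers_attr(CIPHERS_ATTR))
```

Run against the question's data, the four entries the script flags as non-JSSE names are exactly the four 256-bit suites sslscan reports as rejected. Two caveats belong next to that result. First, the Java 5 and 6 runtimes contemporary with Tomcat 5 cap AES at 128 bits unless the JCE Unlimited Strength Jurisdiction Policy files are installed, so a 256-bit suite can still be rejected after the names are fixed. Second, the script maps `ADH-AES256-SHA` to `TLS_DH_anon_WITH_AES_256_CBC_SHA` only for completeness: anonymous Diffie-Hellman suites authenticate neither side, so they have no place in a list meant to be "strong".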