Tim,

On 3/3/13 4:18 PM, Tim Whittington wrote:
> On Tue, Feb 19, 2013 at 10:59 AM, Giuseppe Sacco
> <giuse...@eppesuigoccas.homedns.org> wrote: [...]
>
>> I listed all providers here:
>> http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
>>
>> as you may see, a few of them are TLS_RSA and TLS_DHE:
>> * TLS_RSA_WITH_AES_128_CBC_SHA
>> * TLS_RSA_WITH_AES_256_CBC_SHA
>> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
>> * TLS_DHE_DSS_WITH_AES_256_CBC_SHA
>> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> * TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>
>> They are also listed as "default" ciphers, so -- if I understood
>> what default means -- they should not be enabled explicitly.
>>
>> They overlap with those client ciphers:
>> TLS_RSA_WITH_AES_128_CBC_SHA
>> TLS_RSA_WITH_AES_256_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>>
>> Is there any possibility that some of those server ciphers are
>> disabled because of the algorithm used in the server certificate?
>> Its signature algorithm is SHA1withDSA. I created it with this
>> command line:
>> keytool -genkeypair -alias tomcat -keystore ~tomcat6/.keystore
>
> Yes. If the server keys are DSA, then only cipher suites using
> DSS/*DSA will be negotiated. In this case, the only DSS cipher
> suite that your client appears to support is
> TLS_DHE_DSS_WITH_NULL_SHA, which isn't supported by Java 6 or 7.

Good catch. I recently tried to get a DSA key to work *at all* with
Apache httpd and I simply could not. I didn't try too hard, honestly,
because I didn't really care.

My recommendation would be to stick with an RSA key unless you have
some specific reason not to use one (and I'd like to hear that reason).

-chris
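
Added example, not part of the original message or of Tomcat: a small model of the point made in this thread, that the server certificate's key type filters the enabled suites before they are matched against the client's list. The suite lists are constructed from the ones quoted above; the function names and the name-parsing rule are assumptions of this sketch and are not how JSSE is implemented.

```python
"""Filter cipher suites by server key type, then intersect with the client."""

# Certificate key algorithm -> authentication token used in suite names.
KEY_TO_AUTH = {"RSA": "RSA", "DSA": "DSS", "EC": "ECDSA"}

# Constructed from the server "default" list quoted in the thread.
SERVER_ENABLED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

# Constructed from the client suites named in the thread.
CLIENT_OFFERED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_NULL_SHA",
]


def suite_auth(suite):
    """Return the authentication token of a TLS_<kx>_WITH_<cipher> name."""
    head, sep, _ = suite.partition("_WITH_")
    if not sep or not head.startswith("TLS_"):
        raise ValueError("not a TLS_<kx>_WITH_<cipher> name: %r" % suite)
    parts = head[len("TLS_"):].split("_")
    if parts[0] in ("DH", "ECDH") and parts[-1] != "anon":
        return None  # static (EC)DH needs a DH certificate; not modeled here
    return parts[-1]  # RSA -> RSA, DHE_DSS -> DSS, DHE_RSA -> RSA


def negotiable(key_alg, server_enabled, client_offered):
    """Suites usable with this key type that the client also offers."""
    auth = KEY_TO_AUTH[key_alg]
    usable = [s for s in server_enabled if suite_auth(s) == auth]
    return [s for s in usable if s in client_offered]


if __name__ == "__main__":
    for alg in ("DSA", "RSA"):
        print(alg, negotiable(alg, SERVER_ENABLED, CLIENT_OFFERED))
```

With the DSA key the result is empty, which matches the handshake failure discussed here; with an RSA key the four overlapping suites become available.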