I installed Tomcat-7 7.0.42 in OpenSUSE 13.1 and configured support for
TLSv1.2. I then configured a list of only the strong ciphers that I wanted to
use.

    <Connector port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150"
        clientAuth="false" SSLEnabled="true" scheme="https" secure="true"
        sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" keyAlias="tomcat"
        keystoreFile="/usr/share/tomcat/.keystore" keystorePass="**********"
        keystoreType="JKS"
        ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256"
    />

I have tried running Tomcat with Java 7 and Java 8. Both of these should
support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384.
I have downloaded the Java Cryptography Extension (JCE) policy files for both
Java 7 and Java 8.

The only way I get a connection is when I add the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

According to the specification, all these ciphers are correct names:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

According to the JSSE provider documentation, they are implemented to work
with TLSv1.2 as well:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
Footnote 1 (Java 7): Cipher suites with SHA384 and SHA256 are available only
for TLS 1.2 or later.


Also, how come SSL Labs' SSL Test tells me I do not have forward secrecy and
am using RC4 ciphers? I thought that when I set a limited list of ciphers,
only those could be used.
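One way to check a connector's cipher list against what the running JVM actually knows, as an added example that is not part of the original post. The class name CheckCiphers and the copied-in cipher string are my own; the string deliberately keeps the misspelled second entry so the output shows how an unknown name is reported.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class CheckCiphers {
    // Constructed copy of the connector's "ciphers" attribute. The second
    // entry is not a registered suite name (SHA265 instead of SHA384) and
    // is kept here on purpose so the check flags it.
    static final String CONFIGURED =
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384," +
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265," +
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256";

    public static void main(String[] args) throws Exception {
        // Ask the same JSSE provider Tomcat uses which suites exist for TLSv1.2.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        Set<String> supported = new HashSet<>(Arrays.asList(
            ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(
            ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("Protocols: "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        for (String name : CONFIGURED.split(",")) {
            name = name.trim();
            String status;
            if (!supported.contains(name)) {
                // A misspelled suite is silently ignored by the connector,
                // which is how a "strong only" list ends up shorter than intended.
                status = "UNKNOWN to this JVM - check the spelling";
            } else if (!enabled.contains(name)) {
                status = "supported but not enabled by default on this JVM";
            } else {
                status = "ok";
            }
            System.out.printf("%-48s %s%n", name, status);
        }
    }
}
```

Run it with the same java binary that starts Tomcat (the one in $JAVACMD), since the supported set differs between Java 7 and Java 8 and depends on the installed JCE policy.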

I tried to edit /usr/sbin/tomcat-sysd (which is started by `service tomcat`)
to enable SSL debugging, but nothing shows up in the log files:

    exec ${JAVACMD} $JAVA_OPTS $CATALINA_OPTS \
        -classpath "$CLASSPATH" \
        -Dcatalina.base="$CATALINA_BASE" \
        -Dcatalina.home="$CATALINA_HOME" \
        -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
        -Djava.io.tmpdir="$CATALINA_TMPDIR" ${DSECURITY_MANAGER} \
        -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
        -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
        -Djavax.net.debug=ssl \
        org.apache.catalina.startup.Bootstrap start
