On 13 April 2016 at 12:50, Mark Thomas <ma...@apache.org> wrote:
> On 13/04/2016 12:43, Lyallex wrote:
>> On 12 April 2016 at 19:26, Mark Thomas <ma...@apache.org> wrote:
>>> On 12/04/2016 19:11, Lyallex wrote:
>>>> On 12 April 2016 at 18:06, Lyallex <lyal...@gmail.com> wrote:
>>>>> apache-tomcat-7.0.42 as standalone web server
>>>>> jdk1.7.0_45
>>>>> Ubuntu 12.10
>>>>>
>>>>> Greetings
>>>>>
>>>>> I'm sure this is an old chestnut but it's got me stumped
>>>>>
>>>>> I just purchased and installed my first ever ssl certificate
>>>>> I had it installed and apparently running in no time. I should of
>>>>> course have been suspicious that it all went so smoothly
>>>>> but I thought it was about time I got a break ... no such luck.
>>>>>
>>>>> Clicking the padlock in chrome I get
>>>>>
>>>>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher 
>>>>> suite.
>>>>>
>>>>> The connection uses TLS 1.2.
>>>>>
>>>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>>>>> message authentication and ECDHE_RSA as the key exchange mechanism.
>>>>
>>>> jdk1.8.0.77 fixed it
>>>>
>>>> Should have known it was a Java (as opposed to Tomcat) problem
>>>>
>>>> as you were
>>>
>>> As of the next Tomcat 7 release, the SSL defaults have been improved so
>>> a default configuration should not report any issues.
>>>
>>> Mark
>>
>> Now I'm confused, I thought Tomcat relied on the JSSE implementation
>> in whatever version of Java that was used to start Tomcat
>> to provide its cipher suites. If this is correct how will a different
>> version of Tomcat make a difference given that it's started with the
>> same version of Java. If it's incorrect please forgive my boundless
>> ignorance and stupidity.
>
> Happy to clarify.
>
> Tomcat is able to select which TLS versions and cipher suites are
> enabled by default. The latest Tomcat version enables fewer cipher
> suites by default (some less secure ones are removed) so the default
> configuration is better.
>
> Users remain free to explicitly configure any cipher suite they wish
> from those supported by the JSSE implementation provided by the JRE.
>
> Mark

Good morning

After a long night trying to figure out why Tomcat would not run with
Java 1.8 on centOS I've finally got it working
(wrong processor architecture, rookie mistake, tired)

ssllabs now gives my server a B which is way better than an F

There is one thing outstanding that I'm just too tired to figure out
at the moment and I'm hoping someone will put me out of my misery.

The one thing failing is the key exchange

My tomcat server uses RSA as the key exchange mechanism when it needs
to be using ECDHE_RSA

When I start reading documentation on cipher suites my head starts spinning

Does anyone feel like letting me know how to get tomcat to use
ECDHE_RSA for the key exchange?

Thanks
I gotta get some sleep
TTFN

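What Mark describes above (Tomcat choosing which of the JRE's JSSE cipher suites to enable) is controlled per connector in conf/server.xml. The fragment below is an added example for this thread, not the poster's configuration and not text from the Tomcat project: the keystore path, keystore password and port are placeholders, and it assumes Tomcat 7 on Java 8 as in the message above. The first Connector is the weak default that leaves every JSSE suite enabled, including static RSA key exchange; the second restricts the connector to TLS 1.2 and ECDHE_RSA suites only. The `ciphers` and `sslEnabledProtocols` attributes exist in 7.0.42; `useServerCipherSuitesOrder`, which makes Tomcat rather than the client pick the suite, was added in a later 7.0.x release and needs Java 8, so drop that line on an older build.

```xml
<!-- conf/server.xml excerpt. Added example; paths, password and port
     are placeholders, not values from the thread. -->

<!-- Weak: no cipher list, so Tomcat enables every suite the JRE offers,
     static-RSA key exchange included, and the client's preference wins.
     A scanner will then report "RSA" as the key exchange. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME"
           sslProtocol="TLS" />

<!-- Hardened: TLS 1.2 only, ECDHE_RSA suites only, server order enforced.
     The GCM suites require Java 8; the AES-256 suites additionally need
     the unlimited-strength JCE policy on Java 8 builds before 8u161. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" />
```

After restarting Tomcat, `openssl s_client -connect yourhost:8443 -tls1_2` should print an ECDHE-RSA suite on its "Cipher" line, and the SSL Labs report's key exchange entry should no longer show plain RSA. If the handshake fails outright after the change, the usual cause is a suite name the running JRE does not support (for example a GCM suite on Java 7); the connector logs the unsupported names at startup.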