Thanks Mark.
It appears it is the client (3rd party which makes requests to Tomcat) that chooses the
cipher while negotiating. We can use SSLHonorCipherOrder
to enforce the server's cipher order.
I guess I got my answer.

-Thanks
Utkarsh Dave

On Fri, May 20, 2016 at 4:51 PM, Mark Thomas <ma...@apache.org> wrote:

> On 20/05/2016 12:18, Utkarsh Dave wrote:
> > Hi Mark - Thanks.
> > SSLHonorCipherOrder, can it be configured on Tomcat?
>
> There would not have been much point telling you about a configuration
> option you could not use, would there?
>
> It sounds like you need to spend a few minutes looking over the TLS
> configuration options for the APR/native HTTP connector:
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> Mark
>
>
> >
> > -thanks
> >
> > On Fri, May 20, 2016 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 20/05/2016 12:04, Jan Dosoudil wrote:
> >>> Hi,
> >>> do you have Java Cryptography Extension (JCE) Unlimited Strength
> >>> Jurisdiction Policy Files installed?
> >>
> >> Irrelevant. The OP is using APR / OpenSSL.
> >>
> >> The available ciphers are controlled by the SSLCipherSuite which follows
> >> the OpenSSL config rules for ciphers.
> >>
> >> You can set SSLHonorCipherOrder to enforce the server's preference order
> >> if you wish.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> JD
> >>>
> >>> 2016-05-20 12:50 GMT+02:00 Utkarsh Dave <utkarshkd...@gmail.com>:
> >>>
> >>>> Sorry, I missed that information in my earlier mail.
> >>>> Tomcat - 7.0.69 configured for SSL
> >>>> Connector - APR
> >>>> Java -  jdk1.7.0_101
> >>>>
> >>>>
> >>>> On Fri, May 20, 2016 at 4:10 PM, Mark Thomas <ma...@apache.org> wrote:
> >>>>
> >>>>> On 20/05/2016 11:37, Utkarsh Dave wrote:
> >>>>>> Hi Users and Tomcat team,
> >>>>>>
> >>>>>> Port 8443 on my product is configured for Tomcat and accepts inbound
> >>>>>> traffic from 3rd parties.
> >>>>>> In the TLS handshake, Tomcat chooses TLS_RSA_WITH_AES_256_CBC_SHA over
> >>>>>> some of the more secure cipher options offered by the 3rd party. The
> >>>>>> 3rd party offers a list of 66 cipher suites that include many
> >>>>>> ECDHE and DHE variants. The preferred cipher suite of the Tomcat
> >>>>>> configured on my product is AES256-SHA.
> >>>>>> Can Tomcat be configured so that ECDHE and DHE suites are
> >>>>>> available and preferred?
> >>>>>
> >>>>> Tomcat version?
> >>>>>
> >>>>> Connector type?
> >>>>>
> >>>>> Java version?
> >>>>>
> >>>>> Mark
> >>>>>
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >>
> >>
> >
>
>
>
>
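
The selection rule discussed in this thread, as an added example that is not part of the original messages or of Tomcat's code: a simplified model of how an OpenSSL-based server picks a suite with and without server-order enforcement (what SSLHonorCipherOrder turns on). The function names and both cipher lists are constructed for illustration, and the model ignores protocol-version and certificate-type constraints.

```python
# Simplified model of cipher selection on an OpenSSL-based server such as
# Tomcat's APR/native connector. Assumption: only list order and overlap
# matter; protocol version and key type are ignored.

FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")

# Constructed client offer: a static-RSA suite first, ECDHE/DHE suites after.
CLIENT_OFFER = [
    "AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA",
]

# Constructed server list (the expanded form of an SSLCipherSuite value),
# ordered with forward-secret suites first.
SERVER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
]


def negotiate(client_offer, server_ciphers, honor_server_order):
    """Return the suite picked, or None when the lists do not overlap."""
    if honor_server_order:
        # Server preference: first server suite the client also offered.
        preferred, allowed = server_ciphers, set(client_offer)
    else:
        # Default: first client suite the server also enables.
        preferred, allowed = client_offer, set(server_ciphers)
    for suite in preferred:
        if suite in allowed:
            return suite
    return None


def is_forward_secret(suite):
    """True for suites using ephemeral (EC)DH key exchange."""
    return suite is not None and suite.startswith(FORWARD_SECRET_PREFIXES)


def compare(client_offer, server_ciphers):
    """Map honor_server_order -> (chosen suite, forward secret?)."""
    result = {}
    for honor in (False, True):
        suite = negotiate(client_offer, server_ciphers, honor)
        result[honor] = (suite, is_forward_secret(suite))
    return result
```

Enforcing server order only helps when the ECDHE/DHE suites are enabled in the server list at all: `negotiate(CLIENT_OFFER, ["AES256-SHA"], True)` still returns `AES256-SHA`.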
