On 25/05/2016 15:17, Utkarsh Dave wrote:
> Hello Mark,
>
> I have a question for SSL Support - BIO and NIO.
> It is mentioned that useServerCipherSuitesOrder can be used with Java 8 only.
> So is there a way (in Java 7 and BIO and NIO support) or another parameter
> we can use with "ciphers" to force the client to follow the order of ciphers?

No.

> The JSSE implementation guide documents that the client tells the server
> which cipher suites it has available, and the server chooses the best
> mutually acceptable cipher suite.

Then the JSSE implementation guide is wrong. The client presents the
ciphers it supports in client preference order and the server picks the
first one it can support.

Mark

>
> I am facing an issue where
>
> TLS_RSA_WITH_AES_256_CBC_SHA is being chosen from all other available
> ECDHE and DHE suites.
>
> -Utkarsh
>
>
> On Fri, May 20, 2016 at 4:51 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 20/05/2016 12:18, Utkarsh Dave wrote:
>>> Hi Mark - Thanks.
>>> SSLHonorCipherOrder, can it be configured on Tomcat?
>>
>> There would not have been much point telling you about a configuration
>> option you could not use would there?
>>
>> It sounds like you need to spend a few minutes looking over the TLS
>> configuration options for the APR/native HTTP connector:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>>
>> Mark
>>
>>>
>>> -thanks
>>>
>>> On Fri, May 20, 2016 at 4:42 PM, Mark Thomas <ma...@apache.org> wrote:
>>>
>>>> On 20/05/2016 12:04, Jan Dosoudil wrote:
>>>>> Hi,
>>>>> do you have Java Cryptography Extension (JCE) Unlimited Strength
>>>>> Jurisdiction Policy Files installed?
>>>>
>>>> Irrelevant. The OP is using APR / OpenSSL.
>>>>
>>>> The available ciphers are controlled by the SSLCipherSuite which follows
>>>> the OpenSSL config rules for ciphers.
>>>>
>>>> You can set SSLHonorCipherOrder to enforce the server's preference order
>>>> if you wish.
>>>>
>>>> Mark
>>>>
>>>>>
>>>>> JD
>>>>>
>>>>> 2016-05-20 12:50 GMT+02:00 Utkarsh Dave <utkarshkd...@gmail.com>:
>>>>>
>>>>>> Sorry, I missed that information in my earlier mail.
>>>>>> Tomcat - 7.0.69 configured for SSL
>>>>>> Connector - APR
>>>>>> Java - jdk1.7.0_101
>>>>>>
>>>>>> On Fri, May 20, 2016 at 4:10 PM, Mark Thomas <ma...@apache.org> wrote:
>>>>>>
>>>>>>> On 20/05/2016 11:37, Utkarsh Dave wrote:
>>>>>>>> Hi Users and Tomcat team,
>>>>>>>>
>>>>>>>> Port 8443 on my product is configured for Tomcat and accepts inbound
>>>>>>>> traffic from 3rd parties.
>>>>>>>> In the TLS handshake, Tomcat chooses TLS_RSA_WITH_AES_256_CBC_SHA over
>>>>>>>> some of the more secure cipher options offered by the 3rd party. The
>>>>>>>> 3rd party offers a list of 66 cipher suites that include many
>>>>>>>> ECDHE and DHE variants. The preferred cipher suite of the Tomcat
>>>>>>>> configured on my product is AES256-SHA.
>>>>>>>> Can Tomcat be configured so that ECDHE and DHE suites are
>>>>>>>> available and preferred?
>>>>>>>
>>>>>>> Tomcat version?
>>>>>>>
>>>>>>> Connector type?
>>>>>>>
>>>>>>> Java version?
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
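
The two selection policies discussed in this thread (client preference order versus the server order that SSLHonorCipherOrder enforces) can be modelled as follows. This is an added example, not part of the original messages and not Tomcat or OpenSSL code; the function names and both cipher lists are constructed for illustration, using OpenSSL-style suite names.

```python
# Added example: a model of TLS cipher-suite selection, not Tomcat/OpenSSL code.
# Function names and both suite lists below are constructed for illustration.

FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")


def negotiate(client_offer, server_suites, honor_server_order=False):
    """Return the suite picked, or None when there is no common suite.

    honor_server_order=False: walk the client's list and take the first
    suite the server also enables (client preference decides).
    honor_server_order=True: walk the server's list and take the first
    suite the client also offered (what SSLHonorCipherOrder asks for).
    """
    if honor_server_order:
        preferred, other = server_suites, set(client_offer)
    else:
        preferred, other = client_offer, set(server_suites)
    for suite in preferred:
        if suite in other:
            return suite
    return None


def is_forward_secret(suite):
    """True when the key exchange is ephemeral (EC)DHE."""
    return suite is not None and suite.startswith(FORWARD_SECRET_PREFIXES)


# Constructed client offer: static-RSA suite listed ahead of the (EC)DHE ones.
CLIENT_OFFER = [
    "AES256-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
]
# Constructed server list: (EC)DHE first, static RSA kept as a fallback.
SERVER_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
]

if __name__ == "__main__":
    for honor in (False, True):
        picked = negotiate(CLIENT_OFFER, SERVER_SUITES, honor)
        print(f"honor_server_order={honor}: {picked} "
              f"(forward secret: {is_forward_secret(picked)})")
```

If the server list contains no (EC)DHE suite at all, both policies return the static-RSA suite, so the configured cipher list needs checking as well as the ordering flag.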