On 7/27/16, 9:20 AM, Mark Thomas wrote:
> Note the results on the Wiki are the defaults with 7.0.69 which will be better than the defaults for 7.0.67. You should be able to achieve the same results with 7.0.67 by specifying specific ciphers.

I just entered, compiled, and ran the Java test program "SSLInfo" found at http://markmail.org/message/zn4namfhypyxum23 on the Java 6 JVM of our production AS/400, producing this list of supported ciphers in the JVM:

Default Cipher
*       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*       SSL_DHE_DSS_WITH_AES_128_CBC_SHA
*       SSL_DHE_DSS_WITH_AES_256_CBC_SHA
*       SSL_DHE_DSS_WITH_DES_CBC_SHA
*       SSL_DHE_DSS_WITH_RC4_128_SHA
*       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
*       SSL_DHE_RSA_WITH_AES_128_CBC_SHA
*       SSL_DHE_RSA_WITH_AES_256_CBC_SHA
*       SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_AES_128_CBC_SHA
        SSL_DH_anon_WITH_AES_256_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_DH_anon_WITH_RC4_128_MD5
        SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        SSL_KRB5_EXPORT_WITH_RC4_40_MD5
        SSL_KRB5_EXPORT_WITH_RC4_40_SHA
        SSL_KRB5_WITH_3DES_EDE_CBC_MD5
        SSL_KRB5_WITH_3DES_EDE_CBC_SHA
        SSL_KRB5_WITH_DES_CBC_MD5
        SSL_KRB5_WITH_DES_CBC_SHA
        SSL_KRB5_WITH_RC4_128_MD5
        SSL_KRB5_WITH_RC4_128_SHA
*       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
*       SSL_RSA_EXPORT_WITH_RC4_40_MD5
*       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
*       SSL_RSA_FIPS_WITH_DES_CBC_SHA
*       SSL_RSA_WITH_3DES_EDE_CBC_SHA
*       SSL_RSA_WITH_AES_128_CBC_SHA
*       SSL_RSA_WITH_AES_256_CBC_SHA
*       SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
*       SSL_RSA_WITH_RC4_128_MD5
*       SSL_RSA_WITH_RC4_128_SHA

From what I've read so far about specifying ciphers, I understand that this is done by adding a "cipher" attribute, with a list of acceptable ciphers, to the connector tag in conf/server.xml. Am I correct so far?

At the moment, that connector tag looks like:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           compression="on"
           noCompressionUserAgents="gozilla, traviata"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="[REDACTED]"
           keyAlias="[REDACTED]"
           clientAuth="false"
           sslProtocol="TLS" />

So where do I go from there?

--
James H. H. Lampert
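
An added example, not part of the original message or of the SSLInfo program it mentions: a Java 6-compatible helper that asks the JVM for its supported suites, drops the weak ones, and prints a comma-separated value in the form Tomcat's Connector attribute `ciphers` takes. The class name `StrongCiphers` and the list of weak markers are assumptions made for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name). Uses only Java 6 APIs.
public class StrongCiphers {

    // Assumed filter: name fragments marking a suite as unsuitable.
    // Export-grade and single-DES keys, RC4, no encryption (NULL),
    // no authentication (anon), MD5 MACs, Kerberos suites, and 3DES
    // (64-bit block; remove "_3DES_" if legacy clients still need it).
    private static final String[] WEAK = {
        "_EXPORT_", "_DES_", "_DES40_", "_3DES_", "_RC4_",
        "_NULL_", "_anon_", "_MD5", "_KRB5_"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    // Builds the comma-separated list, preserving the JVM's ordering.
    static String ciphersAttribute(String[] supported) {
        List<String> kept = new ArrayList<String>();
        for (String suite : supported) {
            if (!isWeak(suite)) {
                kept.add(suite);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < kept.size(); i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append(kept.get(i));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        SSLServerSocketFactory f =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String value = ciphersAttribute(f.getSupportedCipherSuites());
        System.out.println("ciphers=\"" + value + "\"");
    }
}
```

Run against the list above, this filter keeps only the six `AES_128_CBC_SHA` and `AES_256_CBC_SHA` suites (DHE_DSS, DHE_RSA and RSA key exchange).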