On 7/27/16, 9:20 AM, Mark Thomas wrote:
Note the results on the Wiki are the defaults with 7.0.69 which will be
better than the defaults for 7.0.67. You should be able to achieve the
same results with 7.0.67 by specifying specific ciphers.

I just entered, compiled, and ran the Java test program "SSLInfo" found at http://markmail.org/message/zn4namfhypyxum23 on the Java 6 JVM of our production AS/400, producing this list of supported ciphers in the JVM:

 Default Cipher
 *       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
 *       SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 *       SSL_DHE_DSS_WITH_AES_128_CBC_SHA
 *       SSL_DHE_DSS_WITH_AES_256_CBC_SHA
 *       SSL_DHE_DSS_WITH_DES_CBC_SHA
 *       SSL_DHE_DSS_WITH_RC4_128_SHA
 *       SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 *       SSL_DHE_RSA_WITH_AES_128_CBC_SHA
 *       SSL_DHE_RSA_WITH_AES_256_CBC_SHA
 *       SSL_DHE_RSA_WITH_DES_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
         SSL_DH_anon_WITH_AES_128_CBC_SHA
         SSL_DH_anon_WITH_AES_256_CBC_SHA
         SSL_DH_anon_WITH_DES_CBC_SHA
         SSL_DH_anon_WITH_RC4_128_MD5
         SSL_KRB5_EXPORT_WITH_DES_CBC_40_MD5
         SSL_KRB5_EXPORT_WITH_DES_CBC_40_SHA
         SSL_KRB5_EXPORT_WITH_RC4_40_MD5
         SSL_KRB5_EXPORT_WITH_RC4_40_SHA
         SSL_KRB5_WITH_3DES_EDE_CBC_MD5
         SSL_KRB5_WITH_3DES_EDE_CBC_SHA
         SSL_KRB5_WITH_DES_CBC_MD5
         SSL_KRB5_WITH_DES_CBC_SHA
         SSL_KRB5_WITH_RC4_128_MD5
         SSL_KRB5_WITH_RC4_128_SHA
 *       SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 *       SSL_RSA_EXPORT_WITH_RC4_40_MD5
 *       SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
 *       SSL_RSA_FIPS_WITH_DES_CBC_SHA
 *       SSL_RSA_WITH_3DES_EDE_CBC_SHA
 *       SSL_RSA_WITH_AES_128_CBC_SHA
 *       SSL_RSA_WITH_AES_256_CBC_SHA
 *       SSL_RSA_WITH_DES_CBC_SHA
         SSL_RSA_WITH_NULL_MD5
         SSL_RSA_WITH_NULL_SHA
 *       SSL_RSA_WITH_RC4_128_MD5
 *       SSL_RSA_WITH_RC4_128_SHA

From what I've read so far about specifying ciphers, I understand that this is done by adding a "cipher" attribute, with a list of acceptable ciphers, to the connector tag in conf/server.xml. Am I correct so far?

At the moment, that connector tag looks like:

 <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
            compression="on" noCompressionUserAgents="gozilla, traviata"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="[REDACTED]" keyAlias="[REDACTED]"
            clientAuth="false" sslProtocol="TLS" />

So where do I go from there?

--
James H. H. Lampert
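
An added example (not part of the original message, and not code from the Tomcat project): Tomcat's JSSE connector takes a comma-separated allow-list of suite names in its `ciphers` attribute, and this script builds one from SSLInfo-style output like the list above. The rejection markers are this example's own policy, and it assumes the suite names are passed exactly as the JVM reports them.

```python
import re

# Substrings that mark a suite as unacceptable under this example's policy
# (an assumption of the example, not a Tomcat or JVM default).
WEAK_MARKERS = ("_EXPORT_", "_NULL_", "_anon_", "_KRB5_", "_RC4_",
                "_DES_", "_DES40_", "_3DES_", "_MD5")

# Excerpt of the SSLInfo output quoted in the message above.
SAMPLE = """\
 Default Cipher
 *       SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
 *       SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 *       SSL_DHE_RSA_WITH_AES_128_CBC_SHA
 *       SSL_DHE_RSA_WITH_AES_256_CBC_SHA
 *       SSL_DHE_RSA_WITH_DES_CBC_SHA
         SSL_DH_anon_WITH_AES_128_CBC_SHA
         SSL_KRB5_WITH_RC4_128_SHA
 *       SSL_RSA_WITH_AES_128_CBC_SHA
 *       SSL_RSA_WITH_AES_256_CBC_SHA
         SSL_RSA_WITH_NULL_SHA
 *       SSL_RSA_WITH_RC4_128_MD5
"""

# Optional "*" (enabled by default) followed by one suite name.
LINE = re.compile(r"^\s*(\*)?\s*((?:SSL|TLS)_\w+)\s*$")

def parse_sslinfo(text):
    """Return [(suite, is_default)] from SSLInfo-style output."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # the "Default Cipher" header line does not match
            out.append((m.group(2), m.group(1) is not None))
    return out

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def ciphers_attribute(text):
    """Comma-separated allow-list for the Connector's ciphers attribute."""
    return ",".join(s for s, _ in parse_sslinfo(text) if not is_weak(s))

def weak_defaults(text):
    """Suites the JVM enables by default that the policy rejects."""
    return [s for s, d in parse_sslinfo(text) if d and is_weak(s)]

if __name__ == "__main__":
    print('ciphers="%s"' % ciphers_attribute(SAMPLE))
    for s in weak_defaults(SAMPLE):
        print("weak but enabled by default:", s)
```

The printed `ciphers="..."` value goes on the existing `<Connector>` element alongside `sslProtocol`; the second list shows which suites the connector would otherwise negotiate when left on the JVM defaults.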
