On 27/07/2016 19:05, James H. H. Lampert wrote:
> On 7/27/16, 9:20 AM, Mark Thomas wrote:
>> Note the results on the Wiki are the defaults with 7.0.69 which will be
>> better than the defaults for 7.0.67. You should be able to achieve the
>> same results with 7.0.67 by specifying specific ciphers.
> 
> I just entered, compiled, and ran the Java test program "SSLInfo" found
> at http://markmail.org/message/zn4namfhypyxum23 on the Java 6 JVM of our
> production AS/400, producing this list of supported ciphers in the JVM:

OK. Taking this list and:
- removing export ciphers (insecure)
- removing anon cipher (insecure)
- removing the kerberos (KRB5 ciphers - not used for TLS)
- removing RC4 (insecure)
- removing DES (insecure)
- removing MD5 (insecure)
- removing NULL (insecure)
- removing DHE (insecure in Java 7 and below)
- removing 3DES (insecure - only medium in OpenSSL speak)

leaves you with a very short list. And even then it isn't a great list.
Ideally you wouldn't use RSA either but it is your least bad choice at
this point.

>>  Default Cipher
>>  *       SSL_RSA_WITH_AES_128_CBC_SHA
>>  *       SSL_RSA_WITH_AES_256_CBC_SHA

> 
> From what I've read so far about specifying ciphers, I understand that
> this is done by adding "cipher" attribute, with a list of acceptable
> ciphers, to the connector tag in conf/server.xml. Am I correct so far?
> 
> At the moment, that connector tag looks like:
> 
>>  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
>>             compression="on" noCompressionUserAgents="gozilla, traviata"
>>             maxThreads="150" SSLEnabled="true" scheme="https"
>> secure="true"
>>             keystoreFile="[REDACTED]" keyAlias="[REDACTED]"
>>             clientAuth="false" sslProtocol="TLS" />
> 
> So where do I go from there?

ciphers="SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA"

Note since you are on Java 6 you can't force the server preference order
on the client. You might want to drop the 128 bit version.

Mark
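The pruning rules Mark lists above, applied mechanically to a JVM's supported-suite list, as an added example (not code from the thread, from Tomcat, or from the SSLInfo program): a small Python script that takes a list of JSSE cipher-suite names, drops everything matching the rules (export, anonymous, KRB5, RC4, DES, MD5, NULL, DHE, 3DES), orders the survivors with the 256-bit suite first, and prints the value to paste into the Connector's `ciphers` attribute. The suite list embedded below is a constructed sample in the IBM JSSE naming style (`SSL_` prefix), not the poster's actual output; the `drop_128` option reflects Mark's remark that, without server-side preference ordering on Java 6, you may want to list only the 256-bit suite. The rule names and helper functions are this example's own, not Tomcat's.

```python
import re

# Constructed sample of what a Java 6 JVM might report from
# SSLServerSocketFactory.getSupportedCipherSuites(). IBM JSSE uses the
# SSL_ prefix, as in the thread. This is NOT the poster's real list.
SAMPLE_JVM_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_AES_256_CBC_SHA",
    "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_DH_anon_WITH_AES_256_CBC_SHA",
    "TLS_KRB5_WITH_RC4_128_SHA",
    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# Rejection rules in the order Mark gave them, plus one for the
# renegotiation signalling value (RFC 5746), which is not a cipher at all.
# The first matching rule supplies the reason a suite is dropped.
REJECT_RULES = [
    (re.compile(r"_EXPORT"), "export-grade (insecure)"),
    (re.compile(r"_anon_", re.IGNORECASE), "anonymous key exchange (insecure)"),
    (re.compile(r"_KRB5_"), "Kerberos suite (not used for TLS)"),
    (re.compile(r"_RC4_"), "RC4 (insecure)"),
    (re.compile(r"_DES(40)?_"), "single DES (insecure)"),
    (re.compile(r"_MD5$"), "MD5 MAC (insecure)"),
    (re.compile(r"_NULL_"), "NULL cipher (insecure)"),
    (re.compile(r"_DHE_"), "DHE (insecure on Java 7 and below)"),
    (re.compile(r"_3DES_"), "3DES (only medium strength in OpenSSL terms)"),
    (re.compile(r"_SCSV$"), "signalling value, not a cipher"),
]


def classify(suite):
    """Return the reason a suite is rejected, or None if it is acceptable."""
    for pattern, reason in REJECT_RULES:
        if pattern.search(suite):
            return reason
    return None


def rejected_with_reasons(suites):
    """Map each rejected suite name to the rule that removed it."""
    return {s: classify(s) for s in suites if classify(s) is not None}


def _strength_key(suite):
    # Sort by AES key size descending so the 256-bit suite is listed first;
    # the name breaks ties so the output is deterministic.
    m = re.search(r"_AES_(\d+)_", suite)
    bits = int(m.group(1)) if m else 0
    return (-bits, suite)


def filter_suites(suites, drop_128=False):
    """Apply the rules; optionally drop AES-128 as Mark suggests for Java 6."""
    kept = [s for s in suites if classify(s) is None]
    if drop_128:
        kept = [s for s in kept if "_AES_128_" not in s]
    return sorted(kept, key=_strength_key)


def ciphers_attribute(suites):
    """Render the Connector attribute: Tomcat takes a comma-separated list."""
    return 'ciphers="%s"' % ",".join(suites)


if __name__ == "__main__":
    for suite, why in sorted(rejected_with_reasons(SAMPLE_JVM_SUITES).items()):
        print("drop %-40s %s" % (suite, why))
    print(ciphers_attribute(filter_suites(SAMPLE_JVM_SUITES)))
    print(ciphers_attribute(filter_suites(SAMPLE_JVM_SUITES, drop_128=True)))
```

Run it against the real output of SSLInfo rather than the sample to get the attribute for your own JVM; the DES rule deliberately does not match `3DES_EDE` so that triple DES is reported under its own reason, and the KRB5 and anonymous rules fire before the cipher rules so a suite such as `TLS_KRB5_WITH_RC4_128_SHA` is reported as a Kerberos suite, which is the more useful diagnosis.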

