The snippet shown below is the cipher suite configuration. Tomcat version 8.026 and JDK 1.8.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2"
           keystoreFile="work/keystore/keystore.jks" keystorePass="*****"
           keyAlias="selfsigned.tomcat" keystoreType="JKS"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
           useServerCipherSuitesOrder="true" server="APPSERVER"
           SSLDisableCompression="true" />

Tested with Nmap

Check the server for the supported cipher suites.

nmap -p 443 --script ssl-enum-ciphers.nse hostname

The result shows the server supports a few ciphers with curves secp160k1, secp192k1, secp224k1, secp256k1, etc.

Configure Nmap to probe the server with only two curve sizes, secp160k1 and secp256k1.

But this time the server selects a cipher supporting secp160k1 but not secp256k1, even though secp256k1 is the stronger of the two mutually supported curves.

How can the server be forced to select the higher mutually supported curve size?
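An added example, not part of the original post: a Python check that parses `ssl-enum-ciphers` output and reports the suites negotiated on a smaller curve than the largest one the client offered, which is the behaviour described in the question. The scan output is constructed sample data, and the function names and the 224-bit floor are assumptions.

```python
import re

# One cipher line of ssl-enum-ciphers output, e.g.
# "|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - D"
CIPHER_LINE = re.compile(r"\|\s+(TLS_\w+)\s+\(([^)]+)\)")
# SECG/Brainpool curve names embed the field size in bits.
CURVE_NAME = re.compile(r"^(?:sec[pt]|brainpoolP)(\d+)")

# Constructed sample: a probe that offered only secp160k1 and secp256k1.
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - D
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp160k1) - D
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     cipher preference: server
|_  least strength: D
"""

def curve_bits(name):
    """Field size in bits for a named curve, or None if not a curve name."""
    m = CURVE_NAME.match(name)
    return int(m.group(1)) if m else None

def parse(output):
    """Return [(suite, key_exchange_info, curve_bits_or_None)] per cipher line."""
    rows = []
    for line in output.splitlines():
        m = CIPHER_LINE.search(line)
        if m:
            rows.append((m.group(1), m.group(2), curve_bits(m.group(2))))
    return rows

def weak_curves(output, min_bits=224):
    """Suites negotiated on a curve below min_bits (224 is an assumed floor)."""
    return [(s, k) for s, k, b in parse(output) if b is not None and b < min_bits]

def below_best_offered(output, offered):
    """Suites whose curve is smaller than the largest curve the client offered.
    Assumes an earlier full scan showed the server supports that larger curve."""
    sizes = [b for b in map(curve_bits, offered) if b is not None]
    best = max(sizes)
    return [(s, k) for s, k, b in parse(output) if b is not None and b < best]

if __name__ == "__main__":
    for suite, curve in below_best_offered(SAMPLE, ["secp160k1", "secp256k1"]):
        print(f"{suite}: negotiated {curve}, larger curve was offered")
```
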