On 20/12/2016 15:22, manjesh wrote: > thanks. I believe as a part of cipher negotiation the server (tomcat) > should do this rather than the provider (JDK/SunJC)
What is your basis for that believe? You need to point to the Java documentation that a) states this is the case and b) describes the API Tomcat should be using to do this. Mark > > On Tue, Dec 20, 2016 at 8:49 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > manjesh, > > On 12/20/16 6:19 AM, manjesh wrote: >>>> Below shown snippet is the ciphersuite configuration. Tomcat >>>> version 8.026 and JDK 1.8 >>>> >>>> >>>> <Connector port="443" >>>> protocol="org.apache.coyote.http11.Http11NioProtocol" >>>> maxThreads="150" scheme="https" secure="true" SSLEnabled="true" >>>> clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2" >>>> ke ystoreFile="work/keystore/keystore.jks" keystorePass="*****" >>>> keyAlias="selfsigned.tomcat" keystoreType="JKS" >>>> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA >>>> _WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_ >>>> SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_ >>>> AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ >>>> RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256" >>>> useServerCipherSuitesOrder="true" server="APPSERVER" >>>> SSLDisableCompression="true" /> >>>> >>>> >>>> Tested with Nmap >>>> >>>> Check the server for the supported cipher suites. >>>> >>>> nmap -p 443 --script ssl-enum-ciphers.nse hostname >>>> >>>> The result shows server supports few ciphers with curves >>>> secp160k1,secp192k1, secp224k 1,secp256k1..etc >>>> >>>> configure Nmap to probe the server with only two curve sizes >>>> secp160k1,secp256k1 >>>> >>>> But this time server selects cipher supporting secp160k1 but >>>> not secp256k1 even though secp256k1 is mutually stronger one than >>>> secp160k1 >>>> >>>> How to enforce server to select the mutually existing higher curve >>>> size? > > I'm not sure Java allows you to select the specific curve you'd like > to use -- only the cipher suite, which doesn't specify a curve to use. > > -chris >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
