James,

> On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:
> 
>> It might help to think of it like this:
>> 
>> There are the ciphers that a JVM supports.
>> The JVM only enables a sub-set of the supported ciphers by default.
>> Tomcat with a default configuration only uses a sub-set of the ciphers
>> that the JVM enables by default.
>> . . .
>> It looks like you have an incompatible set of ciphers configured.
>> 
>> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA is the
>> least worse option. The Java name for this is:
>> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> I should have tried this DAYS ago. There is also a Tomcat 7 server installed 
> on the Google Cloud server. With no apparent differences in the Java list of 
> available and "enabled-by-default" ciphers between the two boxes, it's clear 
> that the biggest single difference that I'm actually able to do anything 
> about is which Tomcat server is running on 443.
> 
> So with both Tomcat servers shut down, I switched Tomcat 7 over to port 443, 
> brought it up, and tried connecting to it from the same program as before.
> 
> This time, I got a 404. Not the least bit surprising, since the webapp 
> context isn't actually installed on the Tomcat 7 server.
> 
> Incidentally, I also tried running the ssllabs.com test on the Tomcat 7 
> server. The results weren't very meaningful: it only listed the ECDHE suites, 
> but then again, it only listed the ECDHE suites when I tried it on one of our 
> other Tomcat 7 servers.
> 
> > Tomcat with a default configuration only uses a sub-set of the ciphers
> > that the JVM enables by default.
> 
> So is there a way, short of downloading and recompiling Tomcat myself, to 
> control what's in that default subset of a default subset?
> 
> Or failing that, is there a way, in my connector tag, to specify "Use 
> TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites Tomcat 8.5 uses by 
> default"?
> 
> Or do I need to list all the Tomcat 8.5 defaults in a "ciphers" clause, along 
> with the TLS_RSA_WITH_AES_256_CBC_SHA?
> 
> Noting that my connector tag is written using Tomcat 7 connector syntax, is 
> there a good example of how to code a ciphers clause for that tag?
> 
> --
> JHHL
> 

Apparently the Tomcat 7 syntax does not support OpenSSL cipher syntax like 
HIGH:+AES256:!MD5:... That works perfectly with Tomcat 8.5 and the new SSL 
syntax, and that is a major achievement.

A quick dig into the Tomcat 7 conf, tested with Docker, leads to the following 
working SSL conf. Be aware that Java 7 is not really able to handle modern SSL 
requirements like key lengths > 1024 bit or server cipher order.

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.base}/conf/ssl/jssecacerts4" keystorePass="changeit" />

You may want to test a local SSL setup with the great testssl.sh tool by Dirk 
Wetter (https://testssl.sh/), also available on Docker.
I've picked the ciphers from the list that testssl.sh showed me for the 
standard conf of Tomcat 8.0.47 and JRE7 (RFC notation). Then I've added your 
requested cipher.

HTH,

Peter
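To see which of the three tiers Mark describes (JVM-supported, JVM-enabled-by-default, Tomcat-configured) each suite in a Connector's ciphers attribute falls into, here is a small Java check, added as an example and not part of this thread or of Tomcat; the CONNECTOR_CIPHERS string is assumed to be copied from the connector above, and the check must be run with the same JRE that Tomcat uses.

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

// Classifies each suite in a Tomcat "ciphers" attribute against the JVM that
// will run Tomcat. Run it with that same JRE: the answer differs per JVM version.
public class TomcatCipherCheck {

    // Constructed sample: the ciphers attribute from the Connector above.
    static final String CONNECTOR_CIPHERS =
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
      + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
      + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
      + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
      + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,"
      + "TLS_RSA_WITH_AES_256_CBC_SHA";

    /** Suites from the attribute that the given JVM cannot negotiate at all. */
    static Set<String> unsupported(String ciphersAttr, Set<String> supported) {
        Set<String> missing = new TreeSet<String>();
        for (String suite : ciphersAttr.split(",")) {
            suite = suite.trim();
            if (!suite.isEmpty() && !supported.contains(suite)) missing.add(suite);
        }
        return missing;
    }
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Tier 1: everything the JVM's provider knows how to negotiate.
        Set<String> supported = new TreeSet<String>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        // Tier 2: the subset the JVM turns on when nothing is configured.
        Set<String> enabledByDefault = new TreeSet<String>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        // Tier 3: what the Connector asks for, classified against tiers 1 and 2.
        for (String suite : CONNECTOR_CIPHERS.split(",")) {
            suite = suite.trim();
            String status = !supported.contains(suite) ? "NOT SUPPORTED by this JVM"
                    : enabledByDefault.contains(suite) ? "enabled by default"
                    : "supported, but not enabled by default";
            System.out.printf("%-45s %s%n", suite, status);
        }
        // A non-empty result is the "incompatible set of ciphers" situation.
        Set<String> missing = unsupported(CONNECTOR_CIPHERS, supported);
        System.out.println(missing.isEmpty() ? "All configured suites are usable."
                : "Remove or rename these suites: " + missing);
    }
}
```

A suite reported as "supported, but not enabled by default" is exactly the case where listing it explicitly in the ciphers attribute is needed, as with TLS_RSA_WITH_AES_256_CBC_SHA here.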
