James,

On 10/6/17 6:34 PM, James H. H. Lampert wrote:
> On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:
> 
>> It might help to think of it like this:
>> 
>> There are the ciphers that a JVM supports. The JVM only enables a
>> sub-set of the supported ciphers by default. Tomcat
>> with a default configuration only uses a sub-set of the ciphers 
>> that the JVM enables by default. . . . It looks like you have an
>> incompatible set of ciphers configured.
>> 
>> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA
>> is the least bad option. The Java name for this is:
>> TLS_RSA_WITH_AES_256_CBC_SHA
> 
> I should have tried this DAYS ago. There is also a Tomcat 7 server 
> installed on the Google Cloud server. With no apparent differences
> in the Java list of available and "enabled-by-default" ciphers
> between the two boxes, it's clear that the biggest single
> difference that I'm actually able to do anything about is which
> Tomcat server is running on 443.
> 
> So with both Tomcat servers shut down, I switched Tomcat 7 over to
> port 443, brought it up, and tried connecting to it from the same
> program as before.
> 
> This time, I got a 404. Not the least bit surprising, since the
> webapp context isn't actually installed on the Tomcat 7 server.
> 
> Incidentally, I also tried running the ssllabs.com test on the
> Tomcat 7 server. The results weren't very meaningful: it only
> listed the ECDHE suites, but then again, it only listed the ECDHE
> suites when I tried it on one of our other Tomcat 7 servers.
> 
>> Tomcat with a default configuration only uses a sub-set of the
>> ciphers that the JVM enables by default.
> 
> So is there a way, short of downloading and recompiling Tomcat
> myself, to control what's in that default subset of a default
> subset?

Nope. You can't change the JVM (well, you CAN but it's not worth it)
and you can't change Tomcat's further-restricted list of cipher
suites. But it's got nearly everything you'd actually want in there,
and it's even got some stuff you might actually NOT want in there,
depending upon your level of paranoia.

> Or failing that, is there a way, in my connector tag, to specify
> "Use TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites
> Tomcat 8.5 uses by default"?

No.

> Or do I need to list all the Tomcat 8.5 defaults in a "ciphers"
> clause, along with the TLS_RSA_WITH_AES_256_CBC_SHA?

You need to list everything.

> Noting that my connector tag is written using Tomcat 7 connector
> syntax, is there a good example of how to code a ciphers clause for
> that tag?

Tomcat 8.5+ and 9.0+ can do it... but nobody has written a
command-line tool around that capability. (I could have sworn such a
tool existed already. I guess I'll write one.)


-chris
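As an added example (not code from anyone in this thread), a small Java program that makes Mark's supported-versus-enabled distinction visible on the running JVM and prints an explicit, comma-separated `ciphers` value for a Connector. It starts from the JVM's enabled-by-default set (an assumption made for illustration; Tomcat's own default subset is narrower, as Chris notes) and appends TLS_RSA_WITH_AES_256_CBC_SHA only if the JVM actually supports it.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class CipherSuiteReport {
    // The suite the thread settles on, in JSSE naming.
    static final String EXTRA = "TLS_RSA_WITH_AES_256_CBC_SHA";

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        Set<String> supportedSet = new TreeSet<>(Arrays.asList(supported.getCipherSuites()));
        // LinkedHashSet keeps the JVM's own preference order for the enabled suites.
        Set<String> enabledSet = new LinkedHashSet<>(Arrays.asList(enabled.getCipherSuites()));

        // Supported but not enabled by default: the gap described in the thread.
        Set<String> disabled = new TreeSet<>(supportedSet);
        disabled.removeAll(enabledSet);

        System.out.println("Supported by this JVM : " + supportedSet.size());
        System.out.println("Enabled by default    : " + enabledSet.size());
        System.out.println("Supported but disabled by default:");
        for (String s : disabled) {
            System.out.println("  " + s);
        }

        if (!supportedSet.contains(EXTRA)) {
            // No connector setting can enable a suite the JVM does not support.
            System.out.println(EXTRA + " is not supported by this JVM.");
            return;
        }

        // Explicit list for the Connector "ciphers" attribute (JSSE names,
        // comma-separated): everything enabled by default plus the extra suite.
        // Assumption: the JVM default set is used as the base list here.
        List<String> explicit = new ArrayList<>(enabledSet);
        if (!explicit.contains(EXTRA)) {
            explicit.add(EXTRA);
        }
        System.out.println();
        System.out.println("ciphers=\"" + String.join(",", explicit) + "\"");
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported and default-enabled sets differ between Java versions and vendors.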
