Re: BREAKTHROUGH (but not solved) Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

[Christopher Schultz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

James,

On 10/9/17 5:19 PM, Christopher Schultz wrote:
> On 10/6/17 6:34 PM, James H. H. Lampert wrote:
>> Noting that my connector tag is written using Tomcat 7 connector 
>> syntax, is there a good example of how to code a ciphers clause
>> for that tag?
> 
> Tomcat 8.5+ and 9.0+ can do it... but nobody has written a 
> command-line tool around that capability. (I could have sworn such
> a tool existed already. I guess I'll write one.)

Okay, it's in Tomcat 9, now. Grab Tomcat 9 trunk, build it ("ant
deploy"), then run:

$ output/build/bin/ciphers.sh [cipherspec]

where "cipherspec" is an OpenSSL-style cipher suite spec, like:

$ output/build/bin/ciphers.sh 'DEFAULT'

This gives you the JVM's current default, and dumps-out all of the
IANA-style cipher suite names. So if you want to add one cipher suite
to the default Java suites, just do this:

$ output/build/bin/ciphers.sh 'DEFAULT'

and then add this to the end:

 TLS_RSA_WITH_AES_256_CBC_SHA

(Unless TLS_RSA_WITH_AES_256_CBC_SHA is already present in the list.)

Note that the "DEFAULT" list has a bunch of junk you don't need.
Specifically, you can probably get rid of all of these things with no
ill effects, and your configuration will "look" simpler:

$ ./bin/ciphers.sh '!PSK:!aNULL:!DSA:!SRP:!DSS:HIGH'

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnb9NkdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFisoA//bj9GFzlMaZdPYXHt
y2iQIToESUg6Wa8vU5lQscLDfqtXeAIawiXusILz/th1fCu1usy8HeC/5nBINXAQ
McbEUSRiq6YitPXDIwXqbOGZS76vxmheFPTst6gHCN6hNOYbFEbejK3cxX8s0Bbg
kXtqcrnnN+a+J5UZmFeB3tctQfwsVLyGcvcwzDRTjFCIjrD1CwdEd+Ckk740jCFU
HXgEewO6rVnxAx80hP2c9ztsHblNt0KFm4zMtWjxmHTigac1EEA1ZAi5P3nIJu5n
7HIw0jVX3qZHamVHXWSPb7skEZY/wj7Kko8XmJFWS0bbwuaTQJ+Pr8ZJPT145/Tb
F0w6PqPqiR9sre7Yvy4v9y/QOqFjujEqMzkTNedRaBEItmzELPkYBBms2b2bkIVj
bMptV5FidCthzvJAnQ5efuiG9qYCuHajNEjQM4Mhu0t95yolmh4+yD2yxA4sS35W
YPxy24tgY9A2nNpJS+QSWtCzkQBJz+0Uxnw8y3AbW2oRkA649i+9+KppSAqCx7kH
QYUSwTD+7aETlVthfANEr5D/MbzJbflhTjXl/bZjuEc2p1tWPxZrqC+E8FwniMLL
NYwK4rMDrSZfrgY7mn6uPcTxzEIMTj/KvtaZCFY1GRAlAf16vNVlnCHQzMvlYKGW
gtqS2tF9DBurCs65qocxtWLAQwU=
=bEIh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org