tomcat-dev mailing list archives

From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "HowTo/SSLCiphers" by KonstantinKolinko
Date Thu, 10 Jan 2013 07:34:15 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "HowTo/SSLCiphers" page has been changed by KonstantinKolinko:
http://wiki.apache.org/tomcat/HowTo/SSLCiphers

Comment:
New FAQ page - how to configure the list of ciphers on a Connector

New page:
= How do I restrict the list of SSL ciphers used by a Connector =

First, the configuration attribute and its values depend on which HTTPS implementation you
are using: either the Java-based implementation (JSSE), used by the BIO and NIO connectors,
or the OpenSSL-based implementation, used by the APR connector.

'''Links:'''

 * [[http://tomcat.apache.org/tomcat-7.0-doc/config/http.html|HTTP Connector configuration reference (Tomcat 7)]]

== Using Java implementation ==

For BIO and NIO connectors the attribute that specifies the list of ciphers is called '''ciphers'''
and multiple values are separated by a comma (`,`). For the list of possible values see the
list of cipher suite names for your version of Java, e.g.

 * [[http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames|Oracle Java 6]]
 * [[http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames|Oracle Java 7]]

See thread "Default SSL ciphers supported by Tomcat 6" from October 2009 [[http://markmail.org/message/zn4namfhypyxum23|here]]
for a short program that displays available ciphers in your particular JVM.

'''Sample configuration:'''

{{{
 ciphers="SSL_RSA_WITH_RC4_128_MD5,
           SSL_RSA_WITH_RC4_128_SHA,
           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
           TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
           TLS_ECDH_RSA_WITH_RC4_128_SHA"
}}}
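
To check a `ciphers` value against the JVM that will run Tomcat, the following added example (not part of the wiki page or of Tomcat) parses the comma-separated list and reports, for each name, whether this JVM supports it and whether it is enabled by default. The class name, the `looksWeak` name check and the placeholder `TLS_EXAMPLE_UNKNOWN_SUITE` are assumptions made for illustration.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

// Added example, not Tomcat code. Checks a Connector "ciphers" value against this JVM.
public class CheckConnectorCiphers {

    // Split the attribute value: comma-separated, whitespace and line breaks ignored.
    static List<String> parse(String attr) {
        List<String> names = new ArrayList<String>();
        for (String part : attr.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) names.add(name);
        }
        return names;
    }

    // Name-based flag for suite families now considered weak:
    // RC4, NULL (no encryption), EXPORT, anonymous key exchange, DES and 3DES.
    static boolean looksWeak(String name) {
        return name.matches(".*_(RC4|NULL|EXPORT|anon|DES|3DES)_.*");
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: two suites from the sample above, one AES-GCM suite,
        // and one made-up name that no JVM knows.
        String attr = args.length > 0 ? args[0]
                : "SSL_RSA_WITH_RC4_128_SHA,\n TLS_ECDHE_RSA_WITH_RC4_128_SHA,\n"
                + " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_EXAMPLE_UNKNOWN_SUITE";

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        int known = 0;
        for (String name : parse(attr)) {
            String status;
            if (!supported.contains(name)) status = "not supported by this JVM";
            else if (enabled.contains(name)) { status = "supported, enabled by default"; known++; }
            else { status = "supported, disabled by default"; known++; }
            System.out.printf("%-45s %s%s%n", name, status,
                    looksWeak(name) ? "  [weak family]" : "");
        }
        if (known == 0) System.out.println("No listed suite is supported by this JVM.");
    }
}
```

Run it with the same Java installation that Tomcat uses and pass the attribute value as the first argument; the result differs between Java versions and vendors.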

== Using OpenSSL implementation (APR connector) ==

For the APR connector the attribute that specifies the list of ciphers is called '''SSLCipherSuite'''
and multiple values are separated by a colon (`:`). Generally, it is configured in the same
way as the `SSLCipherSuite` directive of [[http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite|mod_ssl of Apache HTTPD server]].
For the list of possible values see the [[http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html|OpenSSL documentation]], or run `openssl.exe ciphers -v`.

'''Sample configurations:'''

a)
{{{
 SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
}}}

b)
{{{
 SSLCipherSuite="RC4-SHA"
}}}

----
[[CategoryFAQ]]
