tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jack Ashburn" <>
Subject How is a cipher chosen when the "ciphers" attribute in server.xml is not specified?
Date Mon, 07 Aug 2006 10:50:04 GMT

I'm configuring my Tomcat server so that it uses a "strong" cipher for
SSL. From the docs in both Tomcat 4.1 and 5.0, the "ciphers" attribute
for the "connector" element in server.xml accepts "A comma seperated
[sic] list of the encryption ciphers that may be used. If not
specified, then any available cipher may be used."

My questions are:

1. When the "ciphers" attribute is not specified, how does Tomcat
choose the cipher to use from the "any available cipher[s]"?

2. Why doesn't Tomcat choose the strongest available ciphers from
what's made available to the Java runtime?

For question #2, I'm guessing (being not as knowledgeable in this area
as I'd like to be) it's because a "strong" cipher is only as strong as
a user perceives it to be, and therefore what is strongest for one
user may not be strongest for another. Also, the ciphers that are
available to choose from is dependent on the Java runtime version, the
runtime vendor (e.g., IBM JRE may have different ciphers from Sun JRE)
as well as the cryptography service providers that are made available
via the JRE's file.

Is this correct?

Thanks in advance!

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message