tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Restricting ciphers
Date Fri, 11 Jan 2013 15:51:34 GMT

Martin,

On 1/10/13 10:35 PM, Martin Gainty wrote:
> it's a simple question what does ciphers parameter in Connector
> have anything to do with the supported ciphers from the key itself
> the 2 are disconnected

Supported ciphers may be set in the connector without regard to any
details of the server's X509 key or the certificate created with it.

You can have an RSA key and still support RC4-SHA as one of your
ciphers. Likewise, you can use a DSA key (for which OpenSSL always
uses MD5 as the signature algorithm) with ciphers that use SHA1 as the
signature algorithm.

Keys/certs and ciphers are entirely orthogonal in the algorithms they
support. SSL uses asymmetric encryption to exchange symmetric cipher
keys using any cipher upon which the server and client can agree.
Those ciphers are not limited by anything in the server's certificate
or key.

> please don't waste my time and anyone else's with insults when you
> are unable to answer this simple question

I have answered it above. If you disagree with my answer, please be
specific.

-chris