tomcat-users mailing list archives

From Tim Whittington
Subject Re: Restricting ciphers
Date Sun, 13 Jan 2013 23:07:40 GMT
>>As can be seen from your usage of "keystoreType" attribute, you are
>>using Java implementation of the Connector,  not openssl/APR one.
>>You should look into Java documentation for their cipher names.
>>See this thread from October 2009:
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently.  If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>   ciphers="SSL_RSA_WITH_RC4_128_MD5,
>            SSL_RSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>            TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDH_RSA_WITH_RC4_128_SHA"

The BIO connector in <= 7.0.35 silently reverts to the JVM default
ciphers (and sslEnabledProtocols) if none of the specified options are
supported by the SSL implementation.
I've changed this in 7.0.36+ [1] to not do this (I've had customers
bitten by the same issue when running on AIX, since IBM change the
prefix on all the cipher suites from TLS_ to SSL_).
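
Added example, not part of the original message and not Tomcat code: a standalone check that compares a connector `ciphers` value against the cipher suites the running JVM's JSSE provider supports, and fails loudly when nothing matches instead of falling back. The class name `CipherCheck` and the sample attribute value are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Checks a connector "ciphers" value against the running JVM's JSSE provider. */
public class CipherCheck {

    /** Splits a comma-separated ciphers attribute, trimming whitespace and newlines. */
    static List<String> parse(String attr) {
        List<String> names = new ArrayList<>();
        for (String s : attr.split(",")) {
            if (!s.trim().isEmpty()) names.add(s.trim());
        }
        return names;
    }

    /** Returns the requested names that this JVM's default SSLContext supports. */
    static List<String> supported(List<String> requested) throws Exception {
        Set<String> jvm = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> ok = new ArrayList<>(requested);
        ok.retainAll(jvm);
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one OpenSSL-style name plus the TLS_ and SSL_
        // spellings of the same suite. Pass your own value as the first argument.
        String attr = args.length > 0 ? args[0]
            : "AES128-SHA, TLS_RSA_WITH_AES_128_CBC_SHA,\n SSL_RSA_WITH_AES_128_CBC_SHA";
        List<String> requested = parse(attr);
        List<String> ok = supported(requested);
        for (String name : requested) {
            System.out.println((ok.contains(name) ? "supported    " : "UNSUPPORTED  ") + name);
        }
        if (ok.isEmpty()) {
            // The case described in the message: no configured name matches, so a
            // connector that falls back would run with the JVM default suites.
            System.err.println("No configured cipher is supported by this JVM.");
            System.exit(1);
        }
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported names depend on the vendor's JSSE provider.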


