tomcat-users mailing list archives

From Tim Whittington <t...@apache.org>
Subject Re: Restricting ciphers
Date Sun, 13 Jan 2013 23:07:40 GMT
>>As can be seen from your usage of "keystoreType" attribute, you are
>>using Java implementation of the Connector,  not openssl/APR one.
>>
>>You should look into Java documentation for their cipher names.
>>
>>See this thread from October 2009:
>>http://markmail.org/message/zn4namfhypyxum23
>
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently.  If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>
>   ciphers="SSL_RSA_WITH_RC4_128_MD5,
>            SSL_RSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>            TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>            TLS_ECDH_RSA_WITH_RC4_128_SHA"
>

The BIO connector in <= 7.0.35 silently reverts to the JVM default
ciphers (and sslEnabledProtocols) if none of the specified options are
supported by the SSL implementation.
I've changed this in 7.0.36+ [1] to not do this (I've had customers
bitten by the same issue when running on AIX, since IBM changes the
prefix on all the cipher suites from TLS_ to SSL_).

[1]: https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

cheers
tim

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
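The two failure modes in this thread (OpenSSL-style cipher names handed to the JSSE connector, and an IBM JDK that spells every suite `SSL_...` instead of `TLS_...`) both end in the same place on a pre-7.0.36 BIO connector: nothing in the `ciphers` attribute is recognised, and the connector quietly runs with the JVM defaults. The following is an added example, not code from the thread or from Tomcat, that checks a connector's `ciphers` value against the suites the running JVM actually supports and reports the "none supported" condition explicitly. The class and method names are hypothetical; it assumes the JVM's default `SSLContext` reflects the provider the connector will use, and the sample attribute value is the one quoted above. Note that it validates names only, not the strength of the suites, and that on a current JDK the RC4 suites may no longer be supported at all, in which case the check reports exactly the fallback condition the thread describes.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Validates a Tomcat JSSE connector "ciphers" attribute against the cipher
 * suites the running JVM supports, so the silent fallback to JVM defaults
 * described in the thread cannot go unnoticed.
 * Hypothetical class and method names; not part of Tomcat.
 */
public class CipherConfigCheck {

    /** Constructed sample: the ciphers attribute quoted in the thread. */
    static final String SAMPLE_CIPHERS_ATTRIBUTE =
        "SSL_RSA_WITH_RC4_128_MD5,\n" +
        "SSL_RSA_WITH_RC4_128_SHA,\n" +
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,\n" +
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA,\n" +
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA,\n" +
        "TLS_ECDH_RSA_WITH_RC4_128_SHA";

    /** Splits the attribute value on commas and whitespace, dropping empties. */
    static List<String> parseCiphersAttribute(String attribute) {
        List<String> names = new ArrayList<>();
        for (String token : attribute.split("[,\\s]+")) {
            if (!token.isEmpty()) names.add(token);
        }
        return names;
    }

    /** Cipher suites the JVM's default SSLContext is able to negotiate. */
    static Set<String> jvmSupportedSuites() throws NoSuchAlgorithmException {
        return new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    /** Swaps the SSL_/TLS_ prefix (IBM JDKs name every suite SSL_...). */
    static String swapPrefix(String suite) {
        if (suite.startsWith("SSL_")) return "TLS_" + suite.substring(4);
        if (suite.startsWith("TLS_")) return "SSL_" + suite.substring(4);
        return suite;
    }

    /**
     * Returns the configured names the JVM does not support. An empty result
     * means the configuration is effective; a result containing every input
     * name is the case in which Tomcat <= 7.0.35 falls back to JVM defaults.
     */
    static List<String> unsupported(List<String> configured, Set<String> supported) {
        List<String> missing = new ArrayList<>();
        for (String name : configured) {
            if (!supported.contains(name)) missing.add(name);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        List<String> configured = parseCiphersAttribute(SAMPLE_CIPHERS_ATTRIBUTE);
        Set<String> supported = jvmSupportedSuites();
        List<String> missing = unsupported(configured, supported);

        for (String name : missing) {
            // If only the prefix differs, say so: that is the AIX/IBM case.
            String hint = supported.contains(swapPrefix(name))
                ? " (this JVM names it " + swapPrefix(name) + ")"
                : "";
            System.out.println("NOT SUPPORTED: " + name + hint);
        }
        if (missing.size() == configured.size()) {
            System.out.println("FAIL: no configured suite is supported; a pre-7.0.36 "
                + "BIO connector would silently use the JVM default ciphers");
            System.exit(1);
        } else if (!missing.isEmpty()) {
            System.out.println("WARN: " + missing.size() + " of " + configured.size()
                + " configured suites are ignored");
        } else {
            System.out.println("OK: all " + configured.size()
                + " configured suites are supported");
        }
    }
}
```

Run it with the same JDK that starts Tomcat (`java CipherConfigCheck` after `javac CipherConfigCheck.java`), since the supported list is provider- and version-specific; a non-zero exit makes the check usable as a pre-start gate in a deployment script.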

