tomcat-users mailing list archives

From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: Changing Tomcat's SSL ciphers
Date Tue, 03 Mar 2015 16:19:16 GMT
Eric,

On 2.3.2015 23:45, Eric wrote:
> I am trying to change the ciphers that my Tomcat 7 server supports. I am
> using the APR connector. Here's the connector information in server.xml
> with the line saying which ciphers to support:
>
>      <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
>                 enableLookups="false" disableUploadTimeout="true"
>                 connectionTimeout="3000"
>                 socketBuffer="122880"
>                 maxKeepAliveRequests="1"
>                 scheme="https" secure="true"
>                 SSLProtocol="TLSv1"
>                 SSLEnabled="true"
>                 SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
>                 SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
>                 SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
>                 SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
...
>     apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
> Tomcat, could it be that an option was turned off that prevents changing
> the SSL cipher? How would I check?)


ECDHE-RSA-AES128-GCM-SHA256 is a TLSv1.2 cipher suite [1].

In order to utilize TLSv1.2, you need to:

1. Use tcnative 1.1.32 or later.
2. Use Tomcat that supports it (8.0.15+, 7.0.57+).
3. Set SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
4. Put SSLCipherSuite inside Connector tag (you put it outside).

-Ognjen

[1] https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
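As an added illustration of points 3 and 4 above (example code written for this archive page, not something posted in the thread or shipped with Tomcat), the following Python script parses a server.xml and reports SSL-enabled Connectors whose SSLProtocol does not enable TLSv1.2 or whose SSLCipherSuite never became an attribute. It embeds two constructed samples modelled on the posted configuration: the broken form with "/>" closing the element before the cipher line, and the corrected form. The TLS 1.2 heuristic in `needs_tls12` and the assumed default of SSLProtocol="all" are assumptions of this example, not OpenSSL's or Tomcat's own logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector posted in the thread. Because
# the "/>" on the SSLCACertificateFile line closes the element, the
# SSLCipherSuite line that follows is not an attribute at all: the XML
# parser keeps it as plain character data (the element's "tail"), so the
# setting is silently ignored rather than rejected.
BROKEN_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"
             SSLProtocol="TLSv1"
             SSLEnabled="true"
             SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
             SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
             SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
             SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
</Service></Server>"""

# Constructed sample with the reply's fixes applied: TLSv1.2 enabled in
# SSLProtocol and SSLCipherSuite moved inside the Connector tag.
FIXED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"
             SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
             SSLEnabled="true"
             SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
             SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
             SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt"
             SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256" />
</Service></Server>"""


def tls12_enabled(ssl_protocol):
    """True if an APR-connector SSLProtocol value enables TLS 1.2.

    The value is either "all" or a "+"-joined list such as
    "TLSv1+TLSv1.1+TLSv1.2".
    """
    if ssl_protocol.strip().lower() == "all":
        return True
    return "TLSv1.2" in {p.strip() for p in ssl_protocol.split("+")}


def needs_tls12(cipher_suite):
    """Heuristic (an assumption of this example, not OpenSSL's own logic):
    AEAD and SHA-2 suites such as ECDHE-RSA-AES128-GCM-SHA256 exist only in
    TLS 1.2, so their OpenSSL names carry one of these markers."""
    return any(m in cipher_suite for m in ("GCM", "SHA256", "SHA384", "CHACHA20"))


def check_ssl_connectors(server_xml):
    """Return one report per SSL-enabled Connector: its port, the effective
    SSLProtocol, and a list of findings (empty when nothing is wrong)."""
    root = ET.fromstring(server_xml)
    reports = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        # Assumption of this example: Tomcat's APR default for SSLProtocol is "all".
        proto = conn.get("SSLProtocol", "all")
        suite = conn.get("SSLCipherSuite")
        if not tls12_enabled(proto):
            findings.append("SSLProtocol=%r does not enable TLSv1.2" % proto)
        if suite is None:
            findings.append("SSLCipherSuite attribute missing from Connector")
            # Attribute-looking text after "/>" is the classic sign of a
            # prematurely closed tag, exactly the mistake in the posted config.
            if "SSLCipherSuite=" in (conn.tail or ""):
                findings.append("SSLCipherSuite found as text after '/>': the element was closed too early")
        elif needs_tls12(suite) and not tls12_enabled(proto):
            findings.append("%s requires TLSv1.2, which SSLProtocol does not enable" % suite)
        reports.append({"port": conn.get("port"), "SSLProtocol": proto, "findings": findings})
    return reports


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        for report in check_ssl_connectors(xml_text):
            print(label, report["port"], report["SSLProtocol"], report["findings"] or "OK")
```

Run against a real server.xml by replacing the embedded sample with the file's contents; the point the script makes is that the stray SSLCipherSuite line is well-formed XML, so neither Tomcat nor a validating parser will complain, and only a check on the Connector's attributes (or the tail text) reveals that the cipher restriction was never applied.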


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

