From: Ognjen Blagojevic
To: Tomcat Users List <users@tomcat.apache.org>
Date: Tue, 03 Mar 2015 17:19:16 +0100
Subject: Re: Changing Tomcat's SSL ciphers
Message-ID: <54F5DF04.7090206@gmail.com>

Eric,

On 2.3.2015 23:45, Eric wrote:
> I am trying to change the ciphers that my Tomcat 7 server supports. I am
> using the APR connector. Here's the connector information in server.xml
> with the line saying which ciphers to support:
>
>                enableLookups="false" disableUploadTimeout="true"
>                connectionTimeout="3000"
>                socketBuffer="122880"
>                maxKeepAliveRequests="1"
>                scheme="https" secure="true"
>                SSLProtocol="TLSv1"
>                SSLEnabled="true"
>                SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
>                SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
>                SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
>                SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
...
> apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
> Tomcat, could it be that an option was turned off that prevents changing
> the SSL cipher? How would I check?)

ECDHE-RSA-AES128-GCM-SHA256 is a TLSv1.2 cipher suite [1]. In order to
utilize TLSv1.2, you need to:

1. Use tcnative 1.1.32 or later.
2. Use Tomcat that supports it (8.0.15+, 7.0.57+).
3. Set SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
4. Put SSLCipherSuite inside Connector tag (you put it outside).

-Ognjen

[1] https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
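A small audit script, added here as an example and not part of the thread, that checks points 3 and 4 of the reply against a server.xml: it flags SSLEnabled connectors whose SSLProtocol does not include TLSv1.2 or that lack an SSLCipherSuite attribute, and it catches an SSLCipherSuite that was typed after the closing "/>" (where it becomes stray text inside <Service> rather than a Connector attribute). The embedded server.xml is constructed for the example; ports and paths are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (hypothetical ports/paths), not Eric's file.
# Connector 8443 reproduces the mistake discussed in the thread:
# SSLCipherSuite sits after "/>" and so is stray text, not an attribute.
# Connector 8444 is the corrected form.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLProtocol="TLSv1" />
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256" />
  </Service>
</Server>
"""

def audit_connectors(xml_text):
    """Return {port: [problems]} for each SSLEnabled Connector, plus a
    "stray-text" entry listing SSL* settings found outside any tag."""
    root = ET.fromstring(xml_text)
    findings = {}
    for service in root.iter("Service"):
        # Text between child elements is where a misplaced attribute lands.
        chunks = [(service.text or "").strip()]
        chunks += [(child.tail or "").strip() for child in service]
        for chunk in chunks:
            if chunk.startswith("SSL"):
                findings.setdefault("stray-text", []).append(chunk)
        for conn in service.findall("Connector"):
            if conn.get("SSLEnabled", "false").lower() != "true":
                continue
            problems = []
            proto = conn.get("SSLProtocol", "all")
            # "all" is tcnative's default and already includes TLSv1.2.
            if proto.lower() != "all" and "TLSv1.2" not in proto.split("+"):
                problems.append("SSLProtocol lacks TLSv1.2: %r" % proto)
            if "SSLCipherSuite" not in conn.attrib:
                problems.append("SSLCipherSuite missing from Connector")
            findings[conn.get("port")] = problems
    return findings

if __name__ == "__main__":
    for key, problems in audit_connectors(SAMPLE_SERVER_XML).items():
        print(key, problems)
```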