tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Obsolete cypher suit
Date Wed, 13 Apr 2016 11:50:11 GMT
On 13/04/2016 12:43, Lyallex wrote:
> On 12 April 2016 at 19:26, Mark Thomas <markt@apache.org> wrote:
>> On 12/04/2016 19:11, Lyallex wrote:
>>> On 12 April 2016 at 18:06, Lyallex <lyallex@gmail.com> wrote:
>>>> apache-tomcat-7.0.42 as standalone web server
>>>> jdk1.7.0_45
>>>> Ubuntu 12.10
>>>>
>>>> Greetings
>>>>
>>>> I'm sure this is an old chestnut but it's got me stumped
>>>>
>>>> I just purchased and installed my first ever ssl certificate
>>>> I had it installed and apparently running in no time. I should of
>>>> course have been suspicious that it all went so smoothly
>>>> but I thought it was about time I got a break ... no such luck.
>>>>
>>>> Clicking the padlock in chrome I get
>>>>
>>>> Your connection to 192.168.1.68 is encrypted using an obsolete cipher suit.
>>>>
>>>> The connection uses TLS 1.2.
>>>>
>>>> The connection is encrypted using AES_128_CBC with HMAC-SHA1 for
>>>> message authentication and ECDHE_RSA as the key exchange mechanism.
>>>
>>> jdk1.8.0.77 fixed it
>>>
>>> Should have known it was a Java (as opposed to Tomcat) problem
>>>
>>> as you were
>>
>> As of the next Tomcat 7 release, the SSL defaults have been improved so
>> a default configuration should not report any issues.
>>
>> Mark
> 
> Now I'm confused, I thought Tomcat relied on the JSSE implementation
> in whatever version of Java that was used to start Tomcat
> to provide its cipher suites. If this is correct how will a different
> version of Tomcat make a difference given that it's started with the
> same version of Java. If it's incorrect please forgive my boundless
> ignorance and stupidity.

Happy to clarify.

Tomcat is able to select which TLS versions and cipher suites are
enabled by default. The latest Tomcat version enables fewer cipher
suites by default (some less secure ones are removed) so the default
configuration is better.

Users remain free to explicitly configure any cipher suite they wish
from those supported by the JSSE implementation provided by the JRE.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
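
The distinction drawn in the reply above, between the cipher suites the JRE's JSSE supports and the subset an application chooses to enable, shown as an added example (not code from Tomcat or from this thread). The selection policy in `acceptable` is an assumption made for illustration and is not Tomcat's default list.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherSuiteSelection {

    // Hypothetical policy for this example: keep only AEAD (GCM) suites that
    // use ephemeral ECDH key exchange. Not Tomcat's actual default list.
    static boolean acceptable(String suite) {
        return suite.startsWith("TLS_ECDHE_") && suite.contains("_GCM_");
    }

    // The application-side step: narrow what the JRE supports to what we enable.
    static String[] select(String[] supported) {
        List<String> chosen = new ArrayList<>();
        for (String s : supported) {
            if (acceptable(s)) chosen.add(s);
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("JSSE supported suites: " + supported.getCipherSuites().length);
        System.out.println("JSSE default-enabled:  " + defaults.getCipherSuites().length);

        String[] chosen = select(supported.getCipherSuites());
        if (chosen.length == 0) {
            // A JRE whose JSSE offers no GCM suites cannot satisfy this policy.
            throw new IllegalStateException("This JRE supports no suite matching the policy");
        }
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);               // server side, as in a connector
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        engine.setEnabledCipherSuites(chosen);        // the application's choice, not the JRE's

        // The suite Chrome flagged in the original report (ECDHE_RSA, AES_128_CBC, SHA1).
        String reported = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
        boolean inJre = Arrays.asList(supported.getCipherSuites()).contains(reported);
        boolean enabled = Arrays.asList(engine.getEnabledCipherSuites()).contains(reported);
        System.out.println(reported + " supported by JRE: " + inJre + ", enabled here: " + enabled);
        System.out.println("Enabled suites: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```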