Todd,

> On 23.06.2017 at 18:53, Todd <min...@gmail.com> wrote:
> 
> I'm experiencing the exact same issue with 8.5.14 - cipher list seems to be
> ignored, regardless of what I put in. SSL Labs and validating via browser on my
> website show that a set of ciphers is used that I have not listed.
> 
> I am able to change protocols (for instance, I can remove TLSv1 and the
> system correctly makes that change), but any changes to ciphers are
> completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
> and Standard cipher names, I've put in gibberish.  All end in the exact same
> result, no errors in the log and a list of cipher suites that I did not get
> to pick.
> 
> I've also validated that the ciphers that I want to use are available to
> Java - using 1.8, (
> http://markmail.org/message/zn4namfhypyxum23#query:+page:1+mid:zn4namfhypyxum23+state:results
> )
> 
> Really appreciate help or direction that anyone can give!
> 
> Todd
> 
> My relevant config:
> 
> 
> 
> 
> --
> View this message in context: 
> http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064726.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.


From looking at your answer on Nabble I see that your ciphers are not in an XML 
attribute of the SSLHostConfig element, but in the body.

Try

        <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
            honorCipherOrder="true"
            ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
            <Certificate certificateKeystoreFile="...."
                certificateKeystorePassword="...."
                type="RSA" />
        </SSLHostConfig>

Best regards

Peter
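
A check for the mistake diagnosed above (cipher names written in the body of SSLHostConfig instead of its ciphers attribute), as an added example that is not part of the original thread or of Tomcat. The sample server.xml, host names, keystore path and the function name audit_ssl_host_configs are constructed for illustration; only JSSE-style TLS_/SSL_ names are recognised in the body.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first host config carries its cipher names as element
# text (the mistake described above); the second uses the ciphers attribute.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig hostName="body.example" protocols="TLSv1.2">
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        <Certificate certificateKeystoreFile="conf/placeholder.jks" type="RSA" />
      </SSLHostConfig>
      <SSLHostConfig hostName="attr.example" protocols="TLSv1.2"
          ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <Certificate certificateKeystoreFile="conf/placeholder.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# JSSE-style names only; OpenSSL names and expressions are not matched here.
CIPHER_NAME = re.compile(r"\b(?:TLS|SSL)_[A-Z0-9_]+\b")


def audit_ssl_host_configs(server_xml):
    """Return one finding per SSLHostConfig: where its cipher names actually are."""
    findings = []
    for cfg in ET.fromstring(server_xml).iter("SSLHostConfig"):
        # Character data directly inside the element: its text plus child tails.
        body = (cfg.text or "") + "".join(child.tail or "" for child in cfg)
        attr = cfg.get("ciphers")
        findings.append({
            "hostName": cfg.get("hostName", "_default_"),
            "attribute_ciphers": [c.strip() for c in attr.split(",")] if attr else [],
            "stray_body_ciphers": CIPHER_NAME.findall(body),
        })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_host_configs(SAMPLE_SERVER_XML):
        where = "BODY (move into ciphers=)" if f["stray_body_ciphers"] else "attribute"
        names = f["stray_body_ciphers"] or f["attribute_ciphers"]
        print(f"{f['hostName']}: {len(names)} cipher name(s) in {where}")
```
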
