Todd,
> On 23.06.2017 at 18:53, Todd <min...@gmail.com> wrote:
>
> I'm experiencing the exact same issue with 8.5.14 - cipher list seems to be
> ignored, regardless of what I put in SSLLabs and validating via browser on my
> website a set of ciphers is used that I have not listed.
>
> I am able to change protocols (for instance, I can remove TLSv1 and the
> system correctly makes that change), but any changes to ciphers are
> completely ignored. I've tried adding just one cipher, I've tried OpenSSL
> and Standard cipher names, I've put in gibberish. All end in the exact same
> result, no errors in the log and a list of cipher suites that I did not get
> to pick.
>
> I've also validated that the ciphers that I want to use are available to
> Java - using 1.8, (
> http://markmail.org/message/zn4namfhypyxum23#query:+page:1+mid:zn4namfhypyxum23+state:results
> )
>
> Really appreciate help or direction that anyone can give!
>
> Todd
>
> My relevant config:
>
> --
> View this message in context:
> http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064726.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.

From looking at your answer on Nabble I see that your ciphers are not in an XML attribute of the SSLHostConfig element, but in the body.
Try

<SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
               honorCipherOrder="true"
               ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
    <Certificate certificateKeystoreFile="...."
                 certificateKeystorePassword="...."
                 type="RSA" />
</SSLHostConfig>

Best regards
Peter
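
Added example, not part of Peter's message and not Tomcat code: a small Python check for the mistake described above, where the cipher list sits in the body of <SSLHostConfig> instead of in its ciphers attribute. The function name and both server.xml fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cipher list written into the element body (the reported mistake).
BROKEN = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2">
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_RSA_WITH_AES_256_GCM_SHA384
      <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample: the same list moved into the ciphers attribute.
FIXED = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                            TLS_RSA_WITH_AES_256_GCM_SHA384">
      <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def audit_ssl_host_configs(server_xml):
    """Return one finding per <SSLHostConfig>: its cipher list and any problems."""
    findings = []
    for host in ET.fromstring(server_xml).iter("SSLHostConfig"):
        attr = host.get("ciphers")
        # Comma-separated standard names, as used in this thread.
        ciphers = [c.strip() for c in attr.split(",") if c.strip()] if attr else []
        # Text directly inside the element: before the first child and after each child.
        parts = [host.text or ""] + [child.tail or "" for child in host]
        stray = " ".join(" ".join(parts).split())
        problems = []
        if attr is None:
            problems.append("no ciphers attribute: the default cipher list applies")
        if stray:
            problems.append("text in element body is not the ciphers attribute: " + stray[:60])
        findings.append({"hostName": host.get("hostName", "_default_"),
                         "ciphers": ciphers, "problems": problems})
    return findings


if __name__ == "__main__":
    for name, xml_text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_ssl_host_configs(xml_text))
```
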