Peter Kreuser wrote:
>>
>> Can you provide a clean configuration that exhibits this behavior?
>>
>> What are you using to test the effective configuration?
>
> Another question: are you sure that you hit the Connector that you
> configure? Tomcat should be reasonably configured in defaults with a
> current JDK...
>
> 8443 or the like are not scanned with ssllabs! So it may as well hit an
> apache on the same machine!
>
> Can you show detail on what ssllabs is complaining about?
>
> Best regards
>
> Peter
Thank you Peter and Chris. I'm utilizing ssllabs to check, as well as just going to the site with Chrome and looking in developer tools to see the protocol that was selected. I understand that 8443 is not a normal port; I'm using ipchains to redirect traffic from 443 to 8443. I believe that traffic is specifically hitting this webserver, as changes such as adding SSL or removing TLS 1.0 in the configuration file take immediate effect after restarting the Tomcat service.

My current SSLHostConfig looks like this:

  <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1" honorCipherOrder="true"
                 ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_RSA_WITH_AES_256_CBC_SHA256,
                          TLS_RSA_WITH_AES_256_CBC_SHA,
                          TLS_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_RSA_WITH_AES_128_CBC_SHA,
                          TLS_RSA_WITH_3DES_EDE_CBC_SHA,
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
      <Certificate certificateKeystoreFile="...."
                   certificateKeystorePassword="...."
                   type="RSA" />
  </SSLHostConfig>

But ssllabs reports the following ciphers:

  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

None of these ciphers are included in my list, and changes to my cipher list have no effect at all on what is displayed by ssllabs. I'm stuck, so any ideas or guidance is appreciated, thank you!

-Todd

--
View this message in context: http://tomcat.10.x6.nabble.com/8-5-11-8-5-14-using-SSLHostConfig-protocols-and-ciphers-list-ignored-tp5062900p5064952.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
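A direct way to settle Peter's question (is the listener answering on 443 actually the Connector carrying this SSLHostConfig?), as an added example that is not from the thread or from Tomcat: it offers the server one TLS 1.2 suite at a time, first a subset of the configured suites, then two of the suites SSL Labs reported. Host and port come from the command line; the JSSE-to-OpenSSL name conversion is written here and covers only the RSA, DHE-RSA and ECDHE-RSA AES/3DES suite families seen in the thread.

```python
import socket
import ssl
import sys

# Constructed: a subset of the ciphers attribute quoted in the thread.
CONFIGURED = ("TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, "
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
# Constructed: two of the suites SSL Labs reported, none of which is configured.
OBSERVED = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

def parse_ciphers_attr(attr):
    """Split Tomcat's comma- or colon-separated ciphers attribute into suite names."""
    return [c.strip() for c in attr.replace(":", ",").split(",") if c.strip()]

def jsse_to_openssl(name):
    """JSSE/IANA suite name -> OpenSSL name (what ssl.set_ciphers expects).
    Handles only the RSA, DHE-RSA and ECDHE-RSA AES/3DES suites seen here."""
    body = name[4:] if name.startswith("TLS_") else name
    kex, _, cipher = body.partition("_WITH_")
    if cipher.startswith("3DES_EDE_CBC"):
        cipher = "DES-CBC3" + cipher[len("3DES_EDE_CBC"):]
    cipher = cipher.replace("AES_", "AES").replace("_CBC", "").replace("_", "-")
    prefix = "" if kex == "RSA" else kex.replace("_", "-") + "-"
    return prefix + cipher

def probe(host, port, suite, timeout=5.0):
    """Offer exactly one TLS 1.2 suite. True only if the server selects it;
    False if it refuses, is unreachable, or local OpenSSL cannot offer it."""
    wanted = jsse_to_openssl(suite)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # testing cipher policy, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(wanted)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == wanted
    except (ssl.SSLError, OSError):
        return False

def audit(host, port, configured_attr, observed):
    """{suite: accepted}. Configured suites all refused while observed ones are
    accepted means another TLS endpoint, not this Connector, is answering."""
    return {s: probe(host, port, s) for s in parse_ciphers_attr(configured_attr) + list(observed)}

if __name__ == "__main__":
    for suite, ok in audit(sys.argv[1], int(sys.argv[2]), CONFIGURED, OBSERVED).items():
        print("accepted" if ok else "refused ", suite)
```

Run it once against port 443 and once against 8443: if the two ports give different answers, the 443 handshake is not reaching the Tomcat Connector.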