RE: Configuring Cipher Suites with Tomcat 6

2007-05-16 Thread Caldarale, Charles R
 From: Mike Gardiner [mailto:[EMAIL PROTECTED]]
 Subject: Configuring Cipher Suites with Tomcat 6
 
 How can I limit the cipher suites used by Tomcat for an SSL 
 connection?
 
 I tried setting SSLCipherSuite=SOME_CIPHER

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            maxThreads="150" scheme="https" secure="true"
            clientAuth="false" sslProtocol="SSLv3" keystoreType="luna"
            keyAlias="tomcat" keystore="/.keystore"
            SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

Judging from the other attributes in your post, you're using the Java
connector, not APR.  But according to the doc, the proper attribute for
the non-APR Connector element is ciphers, not SSLCipherSuite (can't
say that I've ever actually tried it).

 - Chuck



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Configuring Cipher Suites with Tomcat 6

2007-05-16 Thread Paul Singleton

Mike Gardiner wrote:

Hello, I'm sure this is detailed somewhere but I can't find it for the life of 
me and it's been driving me nuts all day.

How can I limit the cipher suites used by Tomcat for an SSL connection?


In Tomcat 5.5, like this:

  ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

Empirically, you must use the long names from the various cipher suite specs, 
not the perhaps more commonly encountered OpenSSL names, and if one of the 
names in the list is incorrect or otherwise unrecognised, or if you use a TLS 
v1.0 name when there is an SSL v3.0 name for the same cipher, then the whole list is 
silently ignored.  The list above restricts Tomcat 5.5 to only those 128-bit 
and above ciphers supported in JSSE.

To check which ciphers a public website accepts you can use a service at serversniff.de, 
or download a desktop tool called SSLDigger from www.foundstone.com.

Paul Singleton


I tried setting SSLCipherSuite=SOME_CIPHER, to only allow a single cipher but 
when a client connects it still uses whatever is the first cipher in the client's list 
rather than using the cipher I specify in the server.xml file.

My complete connector tag is:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSLv3" keystoreType="luna"
           keyAlias="tomcat" keystore="/.keystore"
           SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

Any help would be great

Mike







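Chuck's reply names the attribute the JSSE connector actually reads (ciphers, not SSLCipherSuite), and Paul's reply adds the failure mode: one unrecognised or wrongly prefixed name and JSSE silently drops the whole list, leaving the server negotiating whatever the client prefers. The Java program below is an added example, not code from this thread or from Tomcat. It parses a constructed server.xml fragment, pulls the ciphers attribute from each SSL-enabled Connector, and compares every name against the suites the running JVM's JSSE reports as supported, so a misnamed entry is caught before deployment rather than discovered by a scanner afterwards. The class name CipherListCheck, the sample XML and its deliberately wrong OpenSSL-style entry DHE-RSA-AES128-SHA are assumptions for illustration; which suites count as supported (and whether the SSL_ or TLS_ spelling is the canonical one) depends on the JDK you run it with.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class CipherListCheck {

    // Constructed sample server.xml fragment (not from the thread). The last entry
    // uses the OpenSSL-style name DHE-RSA-AES128-SHA on purpose, so the check
    // demonstrates catching the kind of mistake that makes JSSE ignore the list.
    static final String SAMPLE_SERVER_XML =
        "<Server><Service name=\"Catalina\">"
      + "<Connector port=\"8443\" protocol=\"HTTP/1.1\" SSLEnabled=\"true\""
      + " scheme=\"https\" secure=\"true\" clientAuth=\"false\" sslProtocol=\"TLS\""
      + " ciphers=\"TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
      + "SSL_RSA_WITH_3DES_EDE_CBC_SHA,DHE-RSA-AES128-SHA\"/>"
      + "</Service></Server>";

    /** Suite names this JVM's JSSE can actually offer (spelling included). */
    static Set<String> supportedSuites() throws Exception {
        return new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    /** Collect the ciphers attribute of every SSL-enabled Connector in server.xml. */
    static List<String> configuredSuites(String serverXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // server.xml needs no DTD; refusing one keeps the parser away from external entities.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(
            new ByteArrayInputStream(serverXml.getBytes(StandardCharsets.UTF_8)));

        List<String> names = new ArrayList<>();
        NodeList connectors = doc.getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            if (!"true".equalsIgnoreCase(c.getAttribute("SSLEnabled"))) {
                continue;
            }
            if (c.hasAttribute("SSLCipherSuite")) {
                // The APR connector attribute; the JSSE connector never reads it.
                System.out.println("warning: SSLCipherSuite is an APR attribute; "
                    + "the JSSE connector reads 'ciphers'");
            }
            for (String name : c.getAttribute("ciphers").split(",")) {
                String trimmed = name.trim();
                if (!trimmed.isEmpty()) {
                    names.add(trimmed);
                }
            }
        }
        return names;
    }

    /** Return the configured names JSSE does not recognise (empty means the list is usable). */
    static List<String> unrecognised(String serverXml) throws Exception {
        Set<String> supported = supportedSuites();
        List<String> unknown = new ArrayList<>();
        for (String name : configuredSuites(serverXml)) {
            if (!supported.contains(name)) {
                unknown.add(name);
            }
        }
        return unknown;
    }

    public static void main(String[] args) throws Exception {
        List<String> unknown = unrecognised(SAMPLE_SERVER_XML);
        if (unknown.isEmpty()) {
            System.out.println("all configured suites are recognised by this JVM's JSSE");
        } else {
            System.out.println("unrecognised suite names (JSSE would ignore the whole list): "
                + unknown);
        }
    }
}
```

Run it with the JDK that will run Tomcat, since the supported set is a property of that JVM, and read a real server.xml into the string instead of the constructed sample. The check only says whether JSSE knows each name; it does not show what a deployed server ends up negotiating, which is what the external scanners mentioned in the thread are for.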