On Tue, Feb 19, 2013 at 10:59 AM, Giuseppe Sacco <giuse...@eppesuigoccas.homedns.org> wrote: [...]
> I listed all providers here:
> http://centrum.lixper.it/~giuseppe/ipad-tomcat-list-ciphers-no-bouncycastle.html
> as you may see, a few of them are TLS_RSA and TLS_DHE:
> * TLS_RSA_WITH_AES_128_CBC_SHA
> * TLS_RSA_WITH_AES_256_CBC_SHA
> * TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> * TLS_DHE_DSS_WITH_AES_256_CBC_SHA
> * TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> * TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> They are also listed as "default" ciphers, so -- if I understood what
> default means -- they should not be enabled explicitly.
>
> They overlap with those client ciphers:
> TLS_RSA_WITH_AES_128_CBC_SHA
> TLS_RSA_WITH_AES_256_CBC_SHA
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA
>
> Is there any possibility that some of those server ciphers are disabled
> because of the algorithm used in the server certificate? Its signature
> algorithm is SHA1withDSA. I created it with this command line:
> keytool -genkeypair -alias tomcat -keystore ~tomcat6/.keystore

Yes. If the server keys are DSA, then only cipher suites using DSS/*DSA will be negotiated. In this case, the only DSS cipher suite that your client appears to support is TLS_DHE_DSS_WITH_NULL_SHA, which isn't supported by Java 6 or 7.

> A side note: is it possible to put tomcat behind a web server and make
> the latter encrypt in SSL? This would imply that communication between
> the web server and tomcat would be in clear, but how do I create the
> connector proxy* information? I may specify proxyName and proxyPort, but
> I cannot specify proxyProtocol. Is this right?
>

tim
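
An added illustration, not code from this thread or from Tomcat/JSSE: a Python model of the rule in the reply above, where the server's key type filters its enabled suites before they are matched against the client's list. The function names `auth_type` and `negotiable` are hypothetical, the suite lists are the ones quoted in the thread, and the name parsing covers only the RSA/DSS/ECDSA naming pattern.

```python
import re

# JSSE-style names: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>
_SUITE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_")
# Last token of the key-exchange part -> certificate key type (simplified mapping).
_AUTH = {"RSA": "RSA", "DSS": "DSA", "ECDSA": "ECDSA"}

def auth_type(suite):
    """Key type the server certificate needs for this suite (None = anonymous)."""
    m = _SUITE.match(suite)
    if not m:
        raise ValueError("unrecognised suite name: %s" % suite)
    parts = [p for p in m.group("kx").split("_") if p != "EXPORT"]
    if parts[-1] == "anon":
        return None
    if parts[-1] not in _AUTH:
        raise ValueError("unknown authentication in: %s" % suite)
    return _AUTH[parts[-1]]

def negotiable(server_key_alg, server_suites, client_suites):
    """Suites both sides share that the server's key can authenticate, in client order."""
    usable = {s for s in server_suites if auth_type(s) == server_key_alg}
    return [s for s in client_suites if s in usable]

# Server suites quoted in the thread.
SERVER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]
# Client suites quoted in the thread, plus the one DSS suite named in the reply.
CLIENT = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_NULL_SHA",
]

if __name__ == "__main__":
    for alg in ("DSA", "RSA"):
        print(alg, "key ->", negotiable(alg, SERVER, CLIENT) or "no common suite")
```

With a DSA key the result is empty, which is the handshake failure discussed here; with an RSA key the four overlapping suites become negotiable.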