On 21/05/2014 8:22 PM, "Sverre Moe" <sverre....@gmail.com> wrote: > > I installed Tomcat-7 7.0.42 in OpenSUSE 13.1, configured support for > TLSv1.2. I then configured a list of strong ciphers only, that I wanted to > use. > > <Connector port="8443" > protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" > clientAuth="false" SSLEnabled="true" scheme="https" secure="true" > sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" keyAlias="tomcat" > keystoreFile="/usr/share/tomcat/.keystore" keystorePass="**********" > keystoreType="JKS" > ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256" > /> > > I have tried running Tomcat with Java 7 and Java 8. Both of these should > support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384. > I have downloaded the Java cryptographic extensions policy files for both > Java 7 and Java 8. > > The only way I get a connection is when I add the following ciphers: > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA > > According to the specification all these ciphers are correct names: > http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites > > According to the implementation in JSSE provider they are implemented as > well to work with TLSv1.2 > http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider > Footnote 1(Java7) Cipher suites with SHA384 and SHA256 are available only > for TLS 1.2 or later. > > > Also how come SSLLabs SSLTest tells me I do not have forward secrecy and > are using RC4 ciphers. Thought when I set a limited list of ciphers only > those can be used. > > I tried to edit /usr/sbin/tomcat-sysd (which is started by service tomcat) > to enable SSL debugging, but nothing shows up in the log files
Have you tried starting tomcat with -Djavax.net.debug=ssl option? You can also narrow it down like -Djavax.net.debug=ssl:handshake for example. In case you would really like to have those ciphers in is the apr connector an option for you?