> Latest versions of Firefox and Chrome (and others I suspect) use GCM ciphers (gmail seems to prefer them for example). Yes, but it only supports AES_128_GCM_SHA256. No Chromium support for AES_256_GCM_SHA384. Neither does it support SHA256/SHA384 for AES_X_CBC.
> You don’t have to accept the default ciphers, or ordering. > Check the docs for the HTTP connector to see how to configure this. If one use the APR Connector with OpenSSL and sets SSLHonorCipherOrder, but the JSSE Connector does not have such a parameter. I realize I didn't specify that in my original post, but I need to use JSSE since I am running SLES (which has an old version of OpenSSL). 2014-05-26 11:25 GMT+02:00 Tim Whittington <t...@apache.org>: > > On 26/05/2014, at 6:58 pm, Sverre Moe <sverre....@gmail.com> wrote: > > >> Documentation aside, none of these cipher-suites are supported in Oracle > > Java 7. > > The AES_CBC ciphers I had there are supported in Java 7. > > > > I have already concluded as much regarding the AES_x_GCM. Using Java 8 > one > > have access to these higher GCM ciphers, but only very few obscure > browsers > > supports them. Therefore neither AES_256_GCM nor SHA384 can be used yet. > > > > Latest versions of Firefox and Chrome (and others I suspect) use GCM > ciphers (gmail seems to prefer them for example). > > > Also because of the the JSSE cipher ordering it will always choose > > AES_x_CBC instead over AES_x_GCM if both are in the Connector cipher > list. > > See table: Default Enabled Cipher Suites > > > http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider > > Same ordering you get from getDefaultCipherSuites(); > > > > You don’t have to accept the default ciphers, or ordering. > Check the docs for the HTTP connector to see how to configure this. > > > tim > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
