Sverre,

On 5/26/14, 5:42 AM, Sverre Moe wrote:
>> Latest versions of Firefox and Chrome (and others I suspect) use
>> GCM ciphers (gmail seems to prefer them for example).
>
> Yes, but it only supports AES_128_GCM_SHA256. No Chromium support for
> AES_256_GCM_SHA384. Neither does it support SHA256/SHA384 for
> AES_X_CBC.
>
>> You don’t have to accept the default ciphers, or ordering. Check
>> the docs for the HTTP connector to see how to configure this.
>
> If one uses the APR Connector with OpenSSL and sets
> SSLHonorCipherOrder, but the JSSE Connector does not have such a
> parameter.

Right: JSSE doesn't support server-preferred cipher ordering, but the
cipher order in Java 7 looks reasonable to me:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

Unfortunately, explicitly setting the server's preferred cipher order
requires the use of Java 8:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html

(See the final bullet point on that page)

There's a bug to support this in Bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55988

Vote for the bug if you want it fixed. ;)

> I realize I didn't specify that in my original post, but I need to
> use JSSE since I am running SLES (which has an old version of
> OpenSSL).

How old? 0.9.8 is okay, but has fewer ciphers and does not support
TLS 1.2. As a bonus, it never had heartbeat support ;)

-chris

> 2014-05-26 11:25 GMT+02:00 Tim Whittington <t...@apache.org>:
>
>> On 26/05/2014, at 6:58 pm, Sverre Moe <sverre....@gmail.com>
>> wrote:
>>
>>>> Documentation aside, none of these cipher-suites are
>>>> supported in Oracle Java 7.
>>>
>>> The AES_CBC ciphers I had there are supported in Java 7.
>>>
>>> I have already concluded as much regarding the AES_x_GCM. Using
>>> Java 8 one has access to these higher GCM ciphers, but only very
>>> few obscure browsers support them. Therefore neither AES_256_GCM
>>> nor SHA384 can be used yet.
>>
>> Latest versions of Firefox and Chrome (and others I suspect) use
>> GCM ciphers (gmail seems to prefer them for example).
>>
>>> Also because of the JSSE cipher ordering it will always
>>> choose AES_x_CBC instead over AES_x_GCM if both are in the
>>> Connector cipher list.
>>> See table: Default Enabled Cipher Suites
>>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
>>> Same ordering you get from getDefaultCipherSuites();
>>
>> You don’t have to accept the default ciphers, or ordering. Check
>> the docs for the HTTP connector to see how to configure this.
>>
>> tim
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
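
The Java 8 server-preferred cipher ordering discussed in this thread, shown at the plain JSSE level as an added example (not code from the thread or from Tomcat). The class name and the suite list are illustrative assumptions; the socket uses the JVM's default SSLContext and is only opened to show the parameters being applied.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

public class ServerCipherOrder {
    // Illustrative preference list (an assumption, not from the thread):
    // GCM suites first, CBC suites kept as a fallback for older clients.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    };

    // Keep only the suites this JVM supports, preserving the order above.
    static String[] usable(SSLContext ctx) {
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> out = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (supported.contains(suite)) out.add(suite);
        }
        if (out.isEmpty()) throw new IllegalStateException("no preferred suite supported");
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // The default context normally has no server key; a real server builds one from a keystore.
        SSLContext ctx = SSLContext.getDefault();
        try (SSLServerSocket server = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(0)) {
            SSLParameters params = server.getSSLParameters();
            params.setCipherSuites(usable(ctx));
            params.setUseCipherSuitesOrder(true); // Java 8+: server order wins over client order
            server.setSSLParameters(params);

            SSLParameters applied = server.getSSLParameters();
            System.out.println("server order honored: " + applied.getUseCipherSuitesOrder());
            for (String suite : applied.getCipherSuites()) System.out.println("  " + suite);
        }
    }
}
```

On Java 7 this does not compile, because SSLParameters.setUseCipherSuitesOrder was introduced in Java 8.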