

On 10/6/17 6:34 PM, James H. H. Lampert wrote:
> On 10/6/17, 6:58 AM, Mark Thomas (Tomcat List) wrote:
>> It might help to think of it like this:
>> There are the ciphers that a JVM supports. The JVM only enables a
>> sub-set of the supported ciphers by default. Tomcat
>> with a default configuration only uses a sub-set of the ciphers 
>> that the JVM enables by default. . . . It looks like you have an
>> incompatible set of ciphers configured.
>> As per Chris's previous email, it looks like RSA_AES_256_CBC_SHA
>> is the least-worst option. The Java name for this is: 
> I should have tried this DAYS ago. There is also a Tomcat 7 server 
> installed on the Google Cloud server. With no apparent differences
> in the Java list of available and "enabled-by-default" ciphers
> between the two boxes, it's clear that the biggest single
> difference that I'm actually able to do anything about is which
> Tomcat server is running on 443.
> So with both Tomcat servers shut down, I switched Tomcat 7 over to
> port 443, brought it up, and tried connecting to it from the same
> program as before.
> This time, I got a 404. Not the least bit surprising, since the
> webapp context isn't actually installed on the Tomcat 7 server.
> Incidentally, I also tried running the ssllabs.com test on the
> Tomcat 7 server. The results weren't very meaningful: it only
> listed the ECDHE suites, but then again, it only listed the ECDHE
> suites when I tried it on one of our other Tomcat 7 servers.
>> Tomcat with a default configuration only uses a sub-set of the
>> ciphers that the JVM enables by default.
> So is there a way, short of downloading and recompiling Tomcat
> myself, to control what's in that default subset of a default
> subset?

Nope. You can't change the JVM (well, you CAN but it's not worth it)
and you can't change Tomcat's further-restricted list of cipher
suites. But it's got nearly everything you'd actually want in there,
and it's even got some stuff you might actually NOT want in there,
depending upon your level of paranoia.

> Or failing that, is there a way, in my connector tag, to specify
> "Use TLS_RSA_WITH_AES_256_CBC_SHA in addition to all the suites
> Tomcat 8.5 uses by default"?


> Or do I need to list all the Tomcat 8.5 defaults in a "ciphers"
> clause, along with the TLS_RSA_WITH_AES_256_CBC_SHA?

You need to list everything.

> Noting that my connector tag is written using Tomcat 7 connector
> syntax, is there a good example of how to code a ciphers clause for
> that tag?

Tomcat 8.5+ and 9.0+ can do it... but nobody has written a
command-line tool around that capability. (I could have sworn such a
tool existed already. I guess I'll write one.)

- -chris
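The practical problem in this thread is producing the explicit, complete `ciphers` list for a JSSE connector written in Tomcat 7 syntax, where the attribute takes comma-separated JSSE names, while the lists you have in hand (the ssllabs.com output, `openssl ciphers -v`, or Tomcat 8.5's own OpenSSL-style default expression) use OpenSSL names. The script below is an added example for this thread, not Tomcat's code and not the tool Chris mentions: it converts OpenSSL suite names to JSSE names, appends the extra suite, and refuses to silently drop anything it cannot map, since a shorter-than-intended list is exactly the "incompatible set of ciphers" failure being debugged. The name mapping is a hand-written subset (AES-CBC, AES-GCM and ChaCha20 with RSA, ECDSA, DHE and ECDHE key exchange) and an assumption of this example, as is the constructed sample list.

```python
"""Build the ciphers="..." value for a Tomcat JSSE connector.

Added example for this thread (not Tomcat's own code).  The OpenSSL-to-JSSE
mapping is a hand-written subset and an assumption of this example, not the
full table Tomcat 8.5+ ships internally.
"""
import re
from typing import Iterable, List, Optional

# OpenSSL suite-name grammar for the subset handled here, e.g.
#   ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-SHA256, AES256-SHA,
#   ECDHE-ECDSA-CHACHA20-POLY1305.  No key-exchange prefix means static RSA.
_OPENSSL_NAME = re.compile(
    r"^(?:(?P<kx>ECDHE-RSA|ECDHE-ECDSA|DHE-RSA|DHE-DSS|ECDH-RSA|ECDH-ECDSA)-)?"
    r"(?:AES(?P<bits>128|256)(?P<gcm>-GCM)?-(?P<mac>SHA(?:256|384)?)"
    r"|(?P<chacha>CHACHA20-POLY1305))$"
)

# Shape of a JSSE / IANA suite name: TLS_<kx>_WITH_<cipher>_<mac> (or SSL_...)
_JSSE_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")


def openssl_to_jsse(name: str) -> Optional[str]:
    """Map one OpenSSL suite name to its JSSE name, or None if not handled.

    TLS 1.3 suites already carry the IANA name in OpenSSL (TLS_AES_...)
    and are returned unchanged.
    """
    if name.startswith("TLS_"):
        return name
    m = _OPENSSL_NAME.match(name)
    if not m:
        return None
    kx = (m.group("kx") or "RSA").replace("-", "_")
    if m.group("chacha"):
        body = "CHACHA20_POLY1305_SHA256"
    else:
        mode = "GCM" if m.group("gcm") else "CBC"
        body = f"AES_{m.group('bits')}_{mode}_{m.group('mac')}"
    return f"TLS_{kx}_WITH_{body}"


def build_ciphers_attribute(openssl_names: Iterable[str],
                            extra_jsse: Iterable[str] = ()) -> str:
    """Return the value for a JSSE connector's ciphers="..." attribute.

    Every input name must convert: an unmapped suite raises instead of
    being skipped, so the list you paste into server.xml is never shorter
    than the list you thought you had.  Order is preserved (it is the
    server's preference order) and duplicates are removed.
    """
    out: List[str] = []
    for n in openssl_names:
        jsse = openssl_to_jsse(n)
        if jsse is None:
            raise ValueError(f"no JSSE mapping for OpenSSL suite {n!r}")
        if jsse not in out:
            out.append(jsse)
    for j in extra_jsse:
        if not _JSSE_NAME.match(j):
            raise ValueError(f"{j!r} is not a JSSE cipher-suite name")
        if j not in out:
            out.append(j)
    return ",".join(out)


# Constructed sample (not real scanner output): an ECDHE-only list like the
# one ssllabs.com showed for the Tomcat 7 box, plus the RSA suite the
# client in the thread needs.
SAMPLE_OPENSSL = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES128-SHA",   # duplicate, dropped
]

if __name__ == "__main__":
    value = build_ciphers_attribute(SAMPLE_OPENSSL,
                                    ["TLS_RSA_WITH_AES_256_CBC_SHA"])
    # Ready to paste into the <Connector port="443" ...> element.
    print(f'ciphers="{value}"')
```

Two caveats when using the output. Listing a suite in `ciphers` does not make the JVM offer it: the suite must also be in the JVM's enabled-by-default set, which is why the thread compares the two boxes' Java lists first; after restarting, confirm from outside with `openssl s_client -cipher AES256-SHA -connect host:443`, which forces that one suite and fails the handshake if the server will not accept it. And TLS_RSA_WITH_AES_256_CBC_SHA is a static-RSA, CBC-mode suite with no forward secrecy, so it is the compatibility concession Chris and Mark call the least-worst option, not a suite to put at the front of the preference list.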


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
