Thanks for the response, Chris.

Below are my answers in order.
To keep the response as short as possible, I have not included the ciphers
list in the connector -

a) Tomcat 7.0.79 (will be updating to 7.0.82)
b) JRE 1.80_144
c) Our connector configuration is below.
d) We are using NIO.
e) I am using a simple Java client that makes a TLS connection to our Tomcat
on the port below. I am capturing the SSL handshake.
The way I tested the client preference is: Let's take the same example I
gave in my first email, i.e. the client's preference is ABCDEF and the Tomcat
server's preference is DEFABC with *useServerCipherSuitesOrder* set to true.
During the 1st handshake connection, the "A" cipher suite was chosen. I removed
"A" from my Tomcat connector, restarted the service, and did the connection
test again.
"B" was chosen during this 2nd handshake. The same test was continued and I
observed that CDEF were chosen next in order.
I am expecting DEFABC as the order of preference as per the
*useServerCipherSuitesOrder* setting.

Let me know if I am missing anything or if my understanding is incorrect.

<Connector
                id="orion.server.https"
                acceptCount="100"
                useServerCipherSuitesOrder="true"
                ciphers="we have around 20 cipher suites listed..."
                clientAuth="want"
                compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
                compression="on"
                compressionMinSize="2048"
                disableUploadTimeout="true"
                enableLookups="false"
                keystoreFile="keystore/xyz"
                keystorePass=""
                maxConnections="500"
                maxHttpHeaderSize="8192"
                maxKeepAliveRequests="500"
                maxThreads="250"
                minSpareThreads="25"
                noCompressionUserAgents="gozilla, traviata"
                port="8443"
                processorCache="500"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                scheme="https"
                secure="true"
                server="Undefined"
                sessionCacheSize="400"
                SSLEnabled="true"
                sslProtocol="TLS"
                sslEnabledProtocols="TLSv1.1, TLSv1.2"
                truststoreFile="keystore/xyz"
                truststorePass=""
                truststoreType="jks"
                URIEncoding="UTF-8" />


On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Harish,
>
> On 10/9/17 12:31 PM, Harish Krishnan wrote:
> > Need your expert input here. Not sure what I am doing wrong, but I
> > cannot get this server preference cipher suites feature working.
> >
> > My setup: Latest Tomcat 7.x build (which supports
> > useServerCipherSuitesOrder attribute) Latest Java 1.8 build.
> >
> > No matter what value I set to this attribute (true OR false OR
> > undefined which is by default), I always see the client's preference
> > picked. As an example, if the client's order is ABCDEF, and the server's
> > order is DEFABC, no matter what value I set to this
> > useServerCipherSuitesOrder attribute, always the order selected is
> > ABC...
>
> What exact version of Tomcat are you using?
> What exact version of Java are you using?
>
> Please post your <Connector> configuration, minus any secrets.
>
> Do you know if you are using the BIO, NIO, or APR connector?
>
> How are you determining client-preference?
>
> - -chris

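A client-side check for the behaviour discussed in this thread, as an added example that is not code from either poster or from Tomcat: it offers the same two suites in both orders and compares what the server selects, so the connector does not have to be edited between runs. The default host, the two suite names (placeholders for any two suites from the connector's `ciphers` list) and the assumptions that the JVM trusts the server certificate and that the JSSE client offers suites in the order given to `setEnabledCipherSuites` are not from the thread.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherOrderProbe {

    // Handshake offering exactly these suites, in this order; returns the suite the server chose.
    static String negotiate(String host, int port, String... offered) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            socket.setEnabledCipherSuites(offered);
            socket.startHandshake(); // throws SSLHandshakeException if nothing is shared
            return socket.getSession().getCipherSuite();
        }
    }

    // Same choice for both client orders means the server applied its own order.
    static String classify(String x, String y, String chosenXFirst, String chosenYFirst) {
        if (chosenXFirst.equals(chosenYFirst)) {
            return "server order enforced (server prefers " + chosenXFirst + ")";
        }
        if (chosenXFirst.equals(x) && chosenYFirst.equals(y)) {
            return "client order followed";
        }
        return "inconsistent result, inspect the captured handshakes";
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";           // assumed host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;   // port from the connector
        // Placeholder suites: replace with two suites from the connector's ciphers list.
        String x = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
        String y = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";

        // Confirm the server accepts each suite alone; otherwise identical results below
        // would only mean that one suite is unsupported, not that server order is in force.
        negotiate(host, port, x);
        negotiate(host, port, y);

        String chosenXFirst = negotiate(host, port, x, y);
        String chosenYFirst = negotiate(host, port, y, x);
        System.out.println("offered x,y -> " + chosenXFirst);
        System.out.println("offered y,x -> " + chosenYFirst);
        System.out.println(classify(x, y, chosenXFirst, chosenYFirst));
    }
}
```

If the server uses a self-signed certificate, point the client JVM at a truststore containing it with `-Djavax.net.ssl.trustStore`.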