Hi All,
Please find the requested details...

Environment:
* Tomcat 11.x
* Java 17
* Linux environment
* No explicit cipher configuration in server.xml

Issue Description:
We are observing inconsistent cipher suite availability between Tomcat 11 and other Java applications running on the same system with the same Java installation. Both applications use identical Java security settings, but Tomcat appears to be filtering out RSA key exchange cipher suites.

Configuration:
server.xml

<Connector protocol="com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp"
           port="2309"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           sslProtocol="TLSv1.2+TLSv1.3"
           maxHttpHeaderSize="8192"
           server="oamServer"
           xpoweredBy="false"
           allowTrace="false"
           connectionTimeout="60000"
           address="10.61.216.73">

Observed Behaviour:

# nmap --script ssl-enum-ciphers -p xxxx <hostname>
Tomcat (Port xxxx) - Only ECDHE ciphers available:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

# nmap --script ssl-enum-ciphers -p xxxx <hostname>
Other Java Application (Port xxxx) - Both ECDHE and RSA ciphers:
[Same ECDHE ciphers as above, PLUS:]
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Questions:
1. Is Tomcat 11 intentionally filtering out RSA key exchange cipher suites by default? If so, where is this documented?
2. What is the mechanism for this filtering? Is it hardcoded in the SSL implementation or configurable?
3. Is there a system property or configuration option to disable Tomcat's cipher filtering and use Java's default cipher suite selection?

Expected Behaviour:
When no explicit cipher configuration is provided, I would expect Tomcat to use the same cipher suites that are available to other Java applications using the same JVM and security configuration.

Thank you for your assistance.

Regards,
Abirami.S