On 19/08/2025 12:17, S Abirami wrote:

<snip/>

> Questions:
> 1. Is Tomcat 11 intentionally filtering out RSA key exchange cipher suites by
> default? If so, where is this documented?

Yes.
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html
look for the "ciphers" attribute

> 2. What is the mechanism for this filtering? Is it hardcoded in the SSL
> implementation or configurable?

https://tomcat.apache.org/tomcat-11.0-doc/config/http.html
look for the "ciphers" attribute

> 3. Is there a system property or configuration option to disable Tomcat's
> cipher filtering and use Java's default cipher suite selection?

No.

You could set the ciphers attribute to be the same as the Java default (quite a long list) but there is no setting for "use whatever the Java default is".

> Expected Behaviour:
> When no explicit cipher configuration is provided, I would expect Tomcat to use
> the same cipher suites that are available to other Java applications using the
> same JVM and security configuration.

The assumption that the security configuration is the same is flawed because Tomcat has explicit defaults rather than simply using the JVM defaults.


Tomcat has the defaults it has so that swapping between the JSSE and the OpenSSL based TLS implementations has minimal impact on behaviour.

Mark
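As an added example (not part of Mark's reply or the Tomcat project's code), a small Java program that lists the running JVM's default cipher suites, flags the static-RSA key exchange suites the question asks about, and prints the list in the comma-separated form the SSLHostConfig ciphers attribute accepts. Class and method names are my own; which suites appear depends on the JDK you run it with.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.List;
import java.util.stream.Collectors;

/** Constructed helper: reports what the JVM itself enables so it can be compared with Tomcat's explicit defaults. */
public class JvmDefaultCiphers {

    /** Cipher suites the running JVM enables by default (what a plain JSSE application would negotiate with). */
    static List<String> jvmDefaultCipherSuites() throws Exception {
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        return List.of(params.getCipherSuites());
    }

    /**
     * Suites using static RSA key exchange (TLS_RSA_ or SSL_RSA_ prefix). These offer no forward
     * secrecy and are the ones Tomcat's default ciphers value leaves out; this only reports them.
     */
    static List<String> rsaKeyExchangeSuites(List<String> suites) {
        return suites.stream()
                .filter(s -> s.startsWith("TLS_RSA_") || s.startsWith("SSL_RSA_"))
                .collect(Collectors.toList());
    }

    /**
     * Comma-separated value usable as <SSLHostConfig ciphers="..."> in server.xml.
     * Values ending in _SCSV are signalling pseudo-suites, not real cipher suites, so they are dropped.
     */
    static String asCiphersAttribute(List<String> suites) {
        return suites.stream()
                .filter(s -> !s.endsWith("_SCSV"))
                .collect(Collectors.joining(","));
    }

    public static void main(String[] args) throws Exception {
        List<String> defaults = jvmDefaultCipherSuites();
        System.out.println("JVM default suites: " + defaults.size());
        System.out.println("Static-RSA key exchange suites among them: " + rsaKeyExchangeSuites(defaults));
        // Only paste this value into ciphers="..." after deciding the RSA key exchange suites are acceptable.
        System.out.println("ciphers=\"" + asCiphersAttribute(defaults) + "\"");
    }
}
```

Run it with the same JDK that runs Tomcat, since the default list differs between JDK versions and with any java.security overrides in effect.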

