>>As can be seen from your usage of "keystoreType" attribute, you are
>>using Java implementation of the Connector, not openssl/APR one.
>>
>>You should look into Java documentation for their cipher names.
>>
>>See this thread from October 2009:
>>http://markmail.org/message/zn4namfhypyxum23
>
> Ahh, that was it! It did not occur to me that OpenSSL and Java might
> name the ciphers differently. If I restrict the ciphers to those
> from the (differently named) set used by Java, it works as expected.
> Mahalo!
>
> ciphers="SSL_RSA_WITH_RC4_128_MD5,
>          SSL_RSA_WITH_RC4_128_SHA,
>          TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
>          TLS_ECDHE_RSA_WITH_RC4_128_SHA,
>          TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
>          TLS_ECDH_RSA_WITH_RC4_128_SHA"
>

The BIO connector in <= 7.0.35 silently reverts to the JVM default ciphers (and sslEnabledProtocols) if none of the specified options are supported by the SSL implementation.

I've changed this in 7.0.36+ [1] to not do this (I've had customers bitten by the same issue when running on AIX, since IBM change the prefix on all the cipher suites from TLS_ to SSL_).

[1]: https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

cheers
tim
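
A pre-deployment check for the naming mismatch discussed in this thread, as an added example that is not part of the original messages or of Tomcat: it compares the names in a `ciphers` attribute with the suites the running JVM reports as supported, and flags names that exist only under the swapped TLS_/SSL_ prefix. The class name `CipherNameCheck` and the default sample value are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherNameCheck {
    /** Splits a comma-separated ciphers attribute into trimmed names. */
    static List<String> parse(String attr) {
        List<String> names = new ArrayList<>();
        for (String s : attr.split(",")) {
            if (!s.trim().isEmpty()) names.add(s.trim());
        }
        return names;
    }

    /** Returns the name with its TLS_/SSL_ prefix swapped, or null if it has neither. */
    static String swapPrefix(String name) {
        if (name.startsWith("TLS_")) return "SSL_" + name.substring(4);
        if (name.startsWith("SSL_")) return "TLS_" + name.substring(4);
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: one Java-style name from the thread, one OpenSSL-style name.
        String attr = args.length > 0 ? args[0] : "SSL_RSA_WITH_RC4_128_SHA, RC4-SHA";
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> supported = new HashSet<>(Arrays.asList(factory.getSupportedCipherSuites()));

        int usable = 0;
        for (String name : parse(attr)) {
            String alt = swapPrefix(name);
            if (supported.contains(name)) {
                usable++;
                System.out.println("OK           " + name);
            } else if (alt != null && supported.contains(alt)) {
                System.out.println("RENAMED      " + name + " (this JVM calls it " + alt + ")");
            } else {
                System.out.println("UNSUPPORTED  " + name);
            }
        }
        if (usable == 0) {
            // The condition under which, per the thread, the BIO connector in
            // <= 7.0.35 reverts to the JVM default ciphers without warning.
            System.out.println("No configured cipher is supported by this JVM.");
            System.exit(1);
        }
    }
}
```

Run it with the same JVM that runs Tomcat, passing the `ciphers` value as the single argument; a non-zero exit means the whole list would be ignored on the affected versions.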