Eric,
On 2.3.2015 23:45, Eric wrote:
> I am trying to change the ciphers that my Tomcat 7 server supports. I am
> using the APR connector. Here's the connector information in server.xml
> with the line saying which ciphers to support:
>
> <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
> enableLookups="false" disableUploadTimeout="true"
> connectionTimeout="3000"
> socketBuffer="122880"
> maxKeepAliveRequests="1"
> scheme="https" secure="true"
> SSLProtocol="TLSv1"
> SSLEnabled="true"
> SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
> SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key" />
> SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
> ...
>
> apache-tomcat-7.0.32-ak.9.x86_64 (apparently our own custom RPM of
> Tomcat, could it be that an option was turned off that prevents changing
> the SSL cipher? How would I check?)
ECDHE-RSA-AES128-GCM-SHA256 is a TLSv1.2 cipher suite [1].
In order to utilize TLSv1.2, you need to:
1. Use tcnative 1.1.32 or later.
2. Use Tomcat that supports it (8.0.15+, 7.0.57+).
3. Set SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
4. Put SSLCipherSuite inside Connector tag (you put it outside).
-Ognjen
[1] https://www.openssl.org/docs/apps/ciphers.html#TLS-v1.2-cipher-suites
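A small server.xml checker for the two configuration problems named in the reply above (an SSLProtocol value that does not enable TLSv1.2, and an SSLCipherSuite that landed outside the Connector tag, where Tomcat silently ignores it). This is an added example, not code from the thread or from Tomcat; the two server.xml fragments are constructed from the connector quoted above, and the treatment of SSLProtocol="all" follows the Tomcat APR connector documentation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment reproducing the mistake in the thread: SSLCipherSuite
# sits after the Connector's closing "/>" instead of inside the tag.
BROKEN_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" scheme="https" secure="true"
           SSLProtocol="TLSv1" SSLEnabled="true"
           SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
           SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key" />
SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
</Service></Server>"""

# Constructed fragment with steps 3 and 4 of the reply applied.
FIXED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" scheme="https" secure="true"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLEnabled="true"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"
           SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
           SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key" />
</Service></Server>"""


def check_apr_connectors(xml_text):
    """Return a list of findings (strings) for every SSLEnabled Connector."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # SSLProtocol is a "+"-separated list; the default "all" covers
        # TLSv1.2 on a tcnative build that supports it.
        proto = conn.get("SSLProtocol", "all")
        if proto != "all" and "TLSv1.2" not in proto.split("+"):
            findings.append(f"port {port}: SSLProtocol={proto!r} does not enable TLSv1.2")
        if conn.get("SSLCipherSuite") is None:
            findings.append(f"port {port}: SSLCipherSuite missing from the Connector tag")
        # Anything after "/>" is text content (ElementTree's .tail), never an
        # attribute; SSL* settings found there are ignored by Tomcat.
        for name in re.findall(r"(SSL\w+)=", conn.tail or ""):
            findings.append(f"port {port}: {name} appears outside the Connector tag and is ignored")
    return findings


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, check_apr_connectors(doc) or ["OK"])
```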
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org