We're on Tomcat 8 with Java 8, so it has more options for ciphers, but
this is what we use:
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               connectionTimeout="20000"
               acceptorThreadCount="2"
               URIEncoding="UTF-8"
               maxThreads="100"
               scheme="https"
               secure="true"
               compression="on"
               compressableMimeType="text/html,text/xml,text/plain,application/xml,application/json,application/javascript,application/pdf"
               keystoreFile="tomcatKeystoreFileName"
               keystorePass="PUT YOUR KEYSTORE PASSWORD HERE"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               clientAuth="false"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />
As I understand it, we can no longer be connected to by IE6 or even Java 6
clients because they won't have the ciphers required.
Hope that helps some even if a bit off the main question of using Tomcat
7 (though I see no advantage to using the older one unless there's some
problem).
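As an added defender-side check (not from the post or the Tomcat project), the following script parses a Connector element like the one above and flags the suites and protocols that fall below a modern baseline: 3DES (64-bit block), static RSA key exchange (no forward secrecy), CBC-mode suites, and TLS 1.0/1.1. The sample connector, the `audit_connector` function and the classification rules are my own assumptions for the example, not Tomcat's.

```python
"""Audit the TLS settings of a Tomcat <Connector> element (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the post, trimmed to the TLS-relevant attributes.
SAMPLE_CONNECTOR = """<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />"""

# RFC 8996 deprecates TLS 1.0 and 1.1; SSLv2/v3 were deprecated earlier.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def split_list(value):
    """Split a comma-separated attribute value, dropping whitespace and empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def cipher_issues(name):
    """Return the reasons a JSSE cipher suite name is weaker than a modern baseline."""
    reasons = []
    if "3DES" in name:
        reasons.append("64-bit block cipher (3DES)")
    if not re.search(r"_(ECDHE|DHE)_", name):
        reasons.append("no forward secrecy (static RSA key exchange)")
    if "_CBC_" in name:
        reasons.append("CBC mode (prefer AEAD/GCM)")
    return reasons

def audit_connector(xml_text):
    """Parse a <Connector> element and report weak ciphers and deprecated protocols."""
    conn = ET.fromstring(xml_text)
    ciphers = split_list(conn.get("ciphers", ""))
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    weak = {c: cipher_issues(c) for c in ciphers if cipher_issues(c)}
    return {
        "weak_ciphers": weak,
        "deprecated_protocols": [p for p in protocols if p in DEPRECATED_PROTOCOLS],
        # Hardened subset: only the suites and protocols from the original that raised no issue.
        "recommended_ciphers": [c for c in ciphers if c not in weak],
        "recommended_protocols": [p for p in protocols if p not in DEPRECATED_PROTOCOLS],
    }

if __name__ == "__main__":
    for key, value in audit_connector(SAMPLE_CONNECTOR).items():
        print(key, value)
```

Run against the sample, only the two ECDHE GCM suites and TLSv1.2 survive; the same routine can be pointed at a real server.xml by reading the Connector element from the file.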