We're on Tomcat 8 with Java 8, so it has more options for ciphers, but this is what we use:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" connectionTimeout="20000" acceptorThreadCount="2"
           URIEncoding="UTF-8" maxThreads="100" scheme="https" secure="true"
           compression="on"
           compressableMimeType="text/html,text/xml,text/plain,application/xml,application/json,application/javascript,application/pdf"
           keystoreFile="tomcatKeystoreFileName"
           keystorePass="PUT YOUR KEYSTORE PASSWORD HERE"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_3DES_EDE_CBC_SHA"
           clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />

As I understand it, we no longer can be connected by IE6 or even Java 6 clients because they won't have the ciphers required.

Hope that helps some even if a bit off the main question of using Tomcat 7 (though I see no advantage to using the older one unless there's some problem).


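An added example, not part of the original post: a Python check that reads the ciphers and sslEnabledProtocols attributes of a Connector like the one above and reports, from the JSSE suite names alone, which suites lack forward secrecy or use 3DES/CBC, and which enabled protocols are deprecated. The function names and the trimmed sample Connector are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's Connector trimmed to its TLS-related attributes.
CONNECTOR = """<Connector port="8443" SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" />"""

# SSLv3 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def classify(suite):
    """Return findings derived purely from a JSSE cipher suite name."""
    if "_WITH_" not in suite:
        return []  # TLS 1.3 naming: always ephemeral key exchange with AEAD
    kx, _, rest = suite.partition("_WITH_")
    findings = []
    if "DHE" not in kx:  # neither DHE nor ECDHE
        findings.append("no forward secrecy (non-ephemeral key exchange)")
    if "3DES" in rest:
        findings.append("64-bit block cipher (3DES)")
    elif "_CBC_" in rest:
        findings.append("CBC mode, not AEAD")
    return findings

def split_list(value):
    # Tomcat takes comma-separated lists; drop the whitespace around entries.
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(connector_xml):
    """Map each configured suite to its findings and list legacy protocols."""
    attrs = ET.fromstring(connector_xml).attrib
    return {
        "suites": {s: classify(s) for s in split_list(attrs.get("ciphers", ""))},
        "legacy_protocols": [p for p in split_list(attrs.get("sslEnabledProtocols", ""))
                             if p in LEGACY_PROTOCOLS],
    }

if __name__ == "__main__":
    report = audit(CONNECTOR)
    for suite, findings in report["suites"].items():
        print(f"{suite}: {'; '.join(findings) or 'ok'}")
    print("legacy protocols enabled:", ", ".join(report["legacy_protocols"]) or "none")
```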