The case made no difference.

Still works.

Jason Jesso | Senior Systems Programmer
Direct: (905)752-8238
Toll Free: 1(800)387-1245 | Ext. 238
Fax: (905)479-5421

Web Site:  global-matrix.com
Blog Site:  travelagentmusings.com

________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, April 16, 2015 8:45 AM
To: Tomcat Users List
Subject: Re: TLS Server Accepts RSA_EXPORT Cipher Suites (FREAK)

Jason,

On 4/16/15 7:48 AM, Jason Jesso wrote:
> My goal was to disable the EXPORT ciphers and not be able to
> connect with:
>
> openssl s_client -cipher EXPORT -connect localhost:443 < /dev/null 2>/dev/null

I think your goal was pretty clear.

> I am using Java 6 and Tomcat 6 and we got it working with the
> following config in the connector:
>
>
> sslProtocols = "TLSv1, TLSv1.1,TLSv1.2"
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

So your problem was using SSLProtocol instead of sslProtocol.

I'm a little concerned that Tomcat seemed to ignore your cipher list
when the sslProtocol wasn't being specified.

Can you confirm that if you change the "sslProtocol" back to
"SSLProtocol" with no other changes, the problem comes back? If so,
please log a bug in Bugzilla: the ciphers list should apply even if
you are accepting the default protocol list.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
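
Added example, not part of the original thread and not Tomcat code: a static audit of the `ciphers` attribute on TLS-enabled connectors, flagging export-grade suites and connectors that set no cipher list at all. The sample server.xml and the function names are constructed for illustration, and the check assumes the JSSE naming convention in which export suites carry `EXPORT` as a name component.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's cipher list shortened, plus one export
# suite added here so the audit has something to flag.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocols="TLSv1, TLSv1.1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                      SSL_RSA_EXPORT_WITH_RC4_40_MD5,
                      SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""


def parse_ciphers(value):
    """Split a ciphers attribute on commas, tolerating spaces and line breaks."""
    return [name.strip() for name in value.split(",") if name.strip()]


def is_export_suite(name):
    """JSSE export-grade suites carry EXPORT as one component of the name."""
    return "EXPORT" in name.upper().split("_")


def audit_connectors(server_xml):
    """Return one finding dict per TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = conn.get("ciphers")
        suites = parse_ciphers(raw) if raw is not None else []
        findings.append({
            "port": conn.get("port"),
            "explicit_ciphers": raw is not None,
            "export_suites": [s for s in suites if is_export_suite(s)],
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        if not f["explicit_ciphers"]:
            print(f"port {f['port']}: no ciphers attribute, defaults apply")
        for suite in f["export_suites"]:
            print(f"port {f['port']}: export suite configured: {suite}")
```

A clean result only describes the configuration file; the `openssl s_client -cipher EXPORT` probe quoted in the thread remains the check of what the running connector actually accepts.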


