manjesh,

On 12/20/16 6:19 AM, manjesh wrote:
> The snippet shown below is the ciphersuite configuration. Tomcat
> version 8.026 and JDK 1.8
>
> <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
>     clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2"
>     keystoreFile="work/keystore/keystore.jks" keystorePass="*****"
>     keyAlias="selfsigned.tomcat" keystoreType="JKS"
>     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
>     useServerCipherSuitesOrder="true" server="APPSERVER"
>     SSLDisableCompression="true" />
>
> Tested with Nmap
>
> Check the server for the supported cipher suites.
>
> nmap -p 443 --script ssl-enum-ciphers.nse hostname
>
> The result shows the server supports a few ciphers with curves
> secp160k1, secp192k1, secp224k1, secp256k1, etc.
>
> Configure Nmap to probe the server with only two curve sizes,
> secp160k1 and secp256k1.
>
> But this time the server selects a cipher supporting secp160k1 but
> not secp256k1, even though secp256k1 is mutually the stronger one
> compared with secp160k1.
>
> How to enforce the server to select the mutually existing higher curve
> size?

I'm not sure Java allows you to select the specific curve you'd like to use -- only the cipher suite, which doesn't specify a curve to use.

-chris
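
An added example, not part of the original thread: a Python check that reads ssl-enum-ciphers output like the scan described above and lists ECDHE suites the server negotiated on a curve below a minimum size. The sample output and its grades are constructed, and the 224-bit threshold and the function names are assumptions.

```python
import re

# Constructed sample in the layout printed by nmap's ssl-enum-ciphers script;
# it is not output from the poster's server, and the grades are made up.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp160k1) - D
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     cipher preference: server
|_  least strength: D
"""

# "<suite> (<key exchange parameter>) - <grade>" inside the script's tree output.
CIPHER_LINE = re.compile(r"^\|[ _]+(TLS_\w+) \(([^)]+)\) - (\w)\s*$")
# Named curves carry their field size in the name, e.g. secp160k1, sect163k1.
CURVE_BITS = re.compile(r"^(?:sec[pt]|brainpoolP|prime)(\d+)")


def curve_bits(kex):
    """Field size in bits for a named curve, or None if kex is not a curve."""
    if kex in ("x25519", "ecdh_x25519"):
        return 255
    m = CURVE_BITS.match(kex)
    return int(m.group(1)) if m else None


def weak_curve_suites(nmap_output, min_bits=224):
    """Return (suite, curve, bits) for ECDHE suites negotiated on a small curve.

    min_bits=224 is an assumed policy threshold, not a value from the thread.
    """
    findings = []
    for line in nmap_output.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue
        suite, kex, _grade = m.groups()
        bits = curve_bits(kex)
        if "_ECDHE_" in suite and bits is not None and bits < min_bits:
            findings.append((suite, kex, bits))
    return findings


if __name__ == "__main__":
    for suite, curve, bits in weak_curve_suites(SAMPLE):
        print(f"{suite}: negotiated {curve} ({bits}-bit), below minimum")
```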