Thanks. I believe that, as part of cipher negotiation, the server (Tomcat) should do this rather than the provider (JDK/SunJC).
On Tue, Dec 20, 2016 at 8:49 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> manjesh,
>
> On 12/20/16 6:19 AM, manjesh wrote:
> > The snippet shown below is the cipher suite configuration. Tomcat
> > version 8.026 and JDK 1.8
> >
> > <Connector port="443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
> > clientAuth="false" sslProtocol="TLSv1.2" EnabledProtocols="TLSv1.2"
> > keystoreFile="work/keystore/keystore.jks" keystorePass="*****"
> > keyAlias="selfsigned.tomcat" keystoreType="JKS"
> > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
> > useServerCipherSuitesOrder="true" server="APPSERVER"
> > SSLDisableCompression="true" />
> >
> > Tested with Nmap.
> >
> > Check the server for the supported cipher suites:
> >
> > nmap -p 443 --script ssl-enum-ciphers.nse hostname
> >
> > The result shows the server supports a few ciphers with the curves
> > secp160k1, secp192k1, secp224k1, secp256k1, etc.
> >
> > Configure Nmap to probe the server with only two curve sizes:
> > secp160k1, secp256k1
> >
> > But this time the server selects a cipher supporting secp160k1 but
> > not secp256k1, even though secp256k1 is the stronger of the two
> > mutually supported curves.
> >
> > How do I force the server to select the higher mutually supported
> > curve size?
>
> I'm not sure Java allows you to select the specific curve you'd like
> to use -- only the cipher suite, which doesn't specify a curve to use.
>
> -chris
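As an added example (not code from this thread, Tomcat or the JDK): in TLS 1.2 the ECDHE curve is negotiated through the client's elliptic_curves extension (RFC 4492), not through the cipher suite name, so the result depends on the client's offered list and on the server's selection policy. The block below encodes and parses that extension and models two server policies; the curve IDs are the registered RFC 4492 values, while the server curve set and the probe are constructed inputs modelled on the nmap run above.

```python
import struct

# Named-curve IDs from the RFC 4492 registry (the ones this thread mentions).
NAMED_CURVES = {"secp160k1": 15, "secp192k1": 18, "secp224k1": 20,
                "secp256k1": 22, "secp256r1": 23, "secp384r1": 24}
CURVE_NAMES = {v: k for k, v in NAMED_CURVES.items()}
# Field size in bits, used to rank mutually supported curves by strength.
CURVE_BITS = {"secp160k1": 160, "secp192k1": 192, "secp224k1": 224,
              "secp256k1": 256, "secp256r1": 256, "secp384r1": 384}

def encode_elliptic_curves_ext(curve_names):
    """Build a ClientHello elliptic_curves extension (type 10):
    ext_type(2) ext_len(2) list_len(2) curve_id(2)*N, client order kept."""
    ids = b"".join(struct.pack("!H", NAMED_CURVES[n]) for n in curve_names)
    body = struct.pack("!H", len(ids)) + ids
    return struct.pack("!HH", 10, len(body)) + body

def decode_elliptic_curves_ext(data):
    """Parse the extension back into the client's ordered list of curves."""
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != 10 or ext_len != len(data) - 4:
        raise ValueError("not a well-formed elliptic_curves extension")
    (list_len,) = struct.unpack("!H", data[4:6])
    ids = data[6:6 + list_len]
    if len(ids) != list_len or list_len % 2:
        raise ValueError("bad curve list length")
    return [CURVE_NAMES.get(i, f"unknown({i})")
            for (i,) in struct.iter_unpack("!H", ids)]

def select_curve(client_ext, server_curves, policy="client_preference"):
    """Curve the server uses for ECDHE, or None when there is no overlap.
    client_preference: first client-offered curve the server also supports
                       (matches the secp160k1 result reported in the thread).
    strongest: largest mutually supported curve, whatever the client order.
    """
    offered = [c for c in decode_elliptic_curves_ext(client_ext)
               if c in server_curves]
    if not offered:
        return None
    if policy == "client_preference":
        return offered[0]
    if policy == "strongest":
        return max(offered, key=lambda c: CURVE_BITS[c])
    raise ValueError(f"unknown policy {policy!r}")

# Constructed inputs modelled on the thread: four of the server's curves and
# an nmap-style probe offering only secp160k1 and secp256k1, weakest first.
SERVER_CURVES = {"secp160k1", "secp192k1", "secp224k1", "secp256k1"}
PROBE_EXT = encode_elliptic_curves_ext(["secp160k1", "secp256k1"])
```

With the probe above, the client-preference policy returns secp160k1 and the strongest policy returns secp256k1; the suite name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is the same in both cases.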