On 27/04/17 19:49, Dan Morrison wrote: <snip/>
> I'm still confused by JSSE vs OpenSSL. From all that I can figure I
> think I'm set up for JSSE Ciphers ? (not counting the above test)

There are two parts. Config style and implementation. As much as we can,
we have tried to make all combinations work so it is easy to switch from
one to the other.

To find out what is being used, look at the start logs. For example:

...Starting ProtocolHandler ["https-jsse-nio-8443"]

https = TLS is enabled
jsse  = The JSSE TLS implementation is being used (it would be openssl if
        the OpenSSL implementation was used)
nio   = The pure Java NIO connector is being used
8443  = The connector is listening on port 8443

And the associated configuration is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

so I am using JSSE style config because certificateKeystoreFile is JSSE
only.

Ciphers can be specified as:
- comma separated JSSE names
- comma separated OpenSSL names
- standard OpenSSL syntax

Internally it is always stored in OpenSSL format.

If I add your cipher list to the SSLHostConfig element above and test
with SSLLabs I see the following ciphers for TLS 1.2:

TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA *
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

The cipher marked with * is also available for TLS 1.1 and 1.0, which is
what I'd expect to see given I'm using an RSA cert.

If I then add protocols="TLSv1.1+TLSv1.2" the TLS 1.0 section for
supported protocols disappears. Again as expected.

As far as I can tell, everything is working as expected.
HTH,

Mark
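An added audit helper (my own code, not part of the reply above or of Tomcat) that mechanises the two checks the reply describes: it decodes the dash-separated fields of the "Starting ProtocolHandler" log line, and it reads an SSLEnabled Connector to report whether the config is JSSE-style (keystore attributes present) and whether the protocols attribute still leaves TLS 1.0 enabled. The regex assumes the handler name shape shown in the reply (no bind address in the name), the extra keystore attribute names and the expansion of "all" are assumptions to confirm against your Tomcat version's docs, and the server.xml fragment is constructed from the reply's Connector plus the protocols attribute it tested.

```python
import re
import xml.etree.ElementTree as ET
# Startup line shape from the reply: scheme-[impl-]connector-port; the impl
# field is assumed to appear only on TLS-enabled connectors.
HANDLER_RE = re.compile(r'Starting ProtocolHandler \["(https?)(?:-(jsse|openssl))?-(nio2?|apr)-(\d+)"\]')
# certificateKeystoreFile is JSSE-only per the reply; its sibling keystore attributes are assumed to be too.
JSSE_ONLY_ATTRS = {"certificateKeystoreFile", "certificateKeystorePassword", "certificateKeystoreType"}
# Assumed expansion of the "all" token; confirm against the SSLHostConfig docs for your version.
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Constructed sample: the Connector from the reply plus the protocols attribute it tested.
SAMPLE_SERVER_XML = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.1+TLSv1.2">
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
  </SSLHostConfig>
</Connector>"""

def parse_protocol_handler(line):
    """Decode one 'Starting ProtocolHandler' log line into its fields, or None."""
    m = HANDLER_RE.search(line)
    if not m:
        return None
    scheme, impl, connector, port = m.groups()
    return {"tls": scheme == "https", "impl": impl, "connector": connector, "port": int(port)}

def enabled_protocols(spec="all"):
    """Expand a 'protocols' attribute ('TLSv1.1+TLSv1.2', 'all,-TLSv1', ...) into a set."""
    enabled = set()
    for raw in re.split(r"(?=[-+,])", spec):  # split before each +, - or , token
        tok = raw.strip().lstrip(",").strip()
        if not tok:
            continue
        name = tok.lstrip("+-").strip()
        names = ALL_PROTOCOLS if name == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def audit_connectors(server_xml):
    """Report config style and TLS 1.0 exposure for each SSLEnabled Connector."""
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for host in conn.iter("SSLHostConfig"):
            attrs = {k for cert in host.iter("Certificate") for k in cert.attrib}
            protos = enabled_protocols(host.get("protocols", "all"))
            report.append({"port": int(conn.get("port")), "protocols": sorted(protos),
                           "jsse_style_config": bool(attrs & JSSE_ONLY_ATTRS),
                           "tls10_enabled": "TLSv1" in protos})
    return report
```

Run it over catalina.out and the SSLEnabled Connectors in server.xml; a connector whose report shows tls10_enabled True is still offering the TLS 1.0 section the reply saw disappear once protocols was restricted.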