Todd wrote
>> I'm experiencing the exact same issue with 8.5.14 - cipher list seems to
>> be ignored, regardless of what I put in SSLLabs and validating via browser
>> on my website a set of ciphers is used that I have not listed.
>> 
>> I am able to change protocols (for instance, I can remove TLSv1 and the
>> system correctly makes that change), but any changes to ciphers are
>> completely ignored.  I've tried adding just one cipher, I've tried OpenSSL
>> and Standard cipher names, I've put in gibberish.  All end in the exact
>> same result, no errors in the log and a list of cipher suites that I did
>> not get to pick.



Peter Kreuser wrote
> From looking at your answer on nabble I see that your ciphers are not in
> an XML attribute in the SSLHostConfig element, but in the body.
> 
> Try
> 
> <SSLHostConfig protocols="TLSv1.2+TLSv1+TLSv1.1"
>             honorCipherOrder="true"
>             ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
>                      TLS_RSA_WITH_AES_256_CBC_SHA256,
>                      TLS_RSA_WITH_AES_256_CBC_SHA,
>                      TLS_RSA_WITH_AES_128_GCM_SHA256,
>                      TLS_RSA_WITH_AES_128_CBC_SHA256,
>                      TLS_RSA_WITH_AES_128_CBC_SHA,
>                      TLS_RSA_WITH_3DES_EDE_CBC_SHA,
>                      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
>     <Certificate certificateKeystoreFile="...."
>                 certificateKeystorePassword="...."
>                 type="RSA" />
> </SSLHostConfig>
> 
> Best regards
> 
> Peter

Thank you Peter - I tried that previously, and just to double check tried it
again.  No difference at all.  A set of ciphers is being presented that does
not match the cipher list that I've included at all.

Any other ideas as to what could be overriding this list?  As mentioned,
some things when edited do take effect, like the protocol selection (I can
remove TLS, add SSL, etc.); if I have a syntax error, the server won't start
and will give an error, but nothing I put in ciphers seems to work.

Thank you
Todd
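
An added example, not part of the original thread: a small Python check for the situation Peter describes, where cipher names sit in the body of `<SSLHostConfig>` instead of in its `ciphers` attribute. The two `server.xml` fragments and the keystore path are constructed samples, and `audit_ssl_host_configs` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not taken from the thread).
BODY_FORM = """<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true">
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    <Certificate certificateKeystoreFile="conf/example.jks" type="RSA" />
  </SSLHostConfig>
</Connector>"""

ATTR_FORM = """<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
               TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384">
    <Certificate certificateKeystoreFile="conf/example.jks" type="RSA" />
  </SSLHostConfig>
</Connector>"""


def audit_ssl_host_configs(xml_text):
    """Return one finding dict per <SSLHostConfig> element in xml_text."""
    findings = []
    root = ET.fromstring(xml_text)
    for cfg in root.iter("SSLHostConfig"):
        raw = cfg.get("ciphers")
        # The attribute value may wrap across lines; split on commas and trim.
        ciphers = [c.strip() for c in raw.split(",") if c.strip()] if raw else []
        # Text directly inside the element, or trailing a child, is body text.
        texts = [cfg.text] + [child.tail for child in cfg]
        stray = " ".join(" ".join(t for t in texts if t).split())
        findings.append({
            "hostName": cfg.get("hostName", "_default_"),
            "ciphers": ciphers,
            "body_text": stray,
            # Healthy: ciphers come from the attribute and the body is empty.
            "ok": bool(ciphers) and not stray,
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("body form", BODY_FORM), ("attribute form", ATTR_FORM)):
        for finding in audit_ssl_host_configs(sample):
            print(label, finding)
```
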


