Harish,
> On 10.10.2017 at 00:00, Harish Krishnan <harish....@gmail.com> wrote:
>
> Thanks for the response, Chris.
>
> Below are my answers in order.
> To keep the response as short as possible, I have not included the ciphers list in the connector -
>
> a) Tomcat 7.0.79 (will be updating to 7.0.82)
> b) JRE 1.80_144
> c) Our connector configuration is below.
> d) We are using NIO.
> e) I am using a simple Java client that makes a TLS connection to our Tomcat on the port below. I am capturing the SSL handshake.
> The way I tested the client preference is: let's take the same example I gave in my first email, i.e. the client's preference is ABCDEF and the Tomcat server's preference is DEFABC with *useServerCipherSuitesOrder* set to true.
> During the 1st handshake connection, the "A" cipher suite was chosen. I removed "A" from my Tomcat connector, restarted the service, and did the connection test again.
> "B" was chosen during this 2nd handshake. The same test was continued and I observed that CDEF were chosen next in order.
> I am expecting DEFABC as the order of preference as per the *useServerCipherSuitesOrder* setting.

I believe that there is a misunderstanding. Your simple client does not seem to handle the situation correctly (even not at all). I think if you request cipher B you will get B. Please check with an SSL tool like sslyze or testssl.sh. If your site is available on the internet, you could try ssllabs.com.

The settings seem to be OK, unless I do not see an incorrect formatting on my phone.

HTH,
Peter

> Let me know if I am missing anything or my understanding is incorrect.
>
> <Connector
>     id="orion.server.https"
>     acceptCount="100"
>     useServerCipherSuitesOrder="true"
>     ciphers="we have around 20 cipher suites listed..."
>     clientAuth="want"
>     compressableMimeType="text/html,text/xml,text/css,text/javascript,text/json,application/x-javascript,application/javascript,application/json"
>     compression="on"
>     compressionMinSize="2048"
>     disableUploadTimeout="true"
>     enableLookups="false"
>     keystoreFile="keystore/xyz"
>     keystorePass=""
>     maxConnections="500"
>     maxHttpHeaderSize="8192"
>     maxKeepAliveRequests="500"
>     maxThreads="250"
>     minSpareThreads="25"
>     noCompressionUserAgents="gozilla, traviata"
>     port="8443"
>     processorCache="500"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     scheme="https"
>     secure="true"
>     server="Undefined"
>     sessionCacheSize="400"
>     SSLEnabled="true"
>     sslProtocol="TLS"
>     sslEnabledProtocols="TLSv1.1, TLSv1.2"
>     truststoreFile="keystore/xyz"
>     truststorePass=""
>     truststoreType="jks"
>     URIEncoding="UTF-8" />
>
>
> On Mon, Oct 9, 2017 at 2:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> Harish,
>>
>>> On 10/9/17 12:31 PM, Harish Krishnan wrote:
>>> Need your expert input here. Not sure what I am doing wrong, but I cannot get this server preference cipher suites feature working.
>>>
>>> My setup: Latest Tomcat 7.x build (which supports the useServerCipherSuitesOrder attribute), latest Java 1.8 build.
>>>
>>> No matter what value I set to this attribute (true OR false OR undefined, which is the default), I always see the client's preference picked. As an example, if the client's order is ABCDEF, and the server's order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, the order selected is always ABC...
>>
>> What exact version of Tomcat are you using?
>> What exact version of Java are you using?
>>
>> Please post your <Connector> configuration, minus any secrets.
>>
>> Do you know if you are using the BIO, NIO, or APR connector?
>>
>> How are you determining client-preference?
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
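An added example, not from the thread, of the check Peter recommends, written with Python's ssl module instead of sslyze or testssl.sh: offer the server the same set of suites in two different orders and compare its pick. A server that honours its own order (useServerCipherSuitesOrder="true") chooses the same suite both times; one that follows the client picks whichever suite the client listed first. Host, port and the OpenSSL suite names are placeholders for the reader's own deployment; the letter suites in the test are a constructed stand-in for the ABCDEF/DEFABC example above.

```python
import socket
import ssl


def classify_preference(observations):
    """observations: list of (client_order, chosen_suite) pairs from handshakes
    that offered the SAME set of suites in DIFFERENT orders.
    Returns 'server' if the server picked one suite regardless of client order,
    'client' if it always took the client's first suite, else 'indeterminate'."""
    if len(observations) < 2:
        raise ValueError("need at least two handshakes with different client orders")
    chosen = {suite for _, suite in observations}
    if len(chosen) == 1:
        return "server"
    if all(order[0] == suite for order, suite in observations):
        return "client"
    return "indeterminate"


def probe(host, port, suites):
    """Two real TLS 1.2 handshakes against host:port, offering `suites`
    (OpenSSL names) forward and then reversed; needs network access.
    Returns (classification, observations)."""
    observations = []
    for order in (list(suites), list(reversed(suites))):
        ctx = ssl.create_default_context()
        # Only the negotiated suite matters for this probe, not the chain.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Pin to TLS 1.2 so set_ciphers() governs the offer (TLS 1.3 suites are
        # configured separately), matching the connector's sslEnabledProtocols.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(":".join(order))
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                observations.append((order, tls.cipher()[0]))
    return classify_preference(observations), observations


if __name__ == "__main__":
    # Placeholder target and suites; replace with the real connector's values.
    result, seen = probe("tomcat.example", 8443,
                         ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"])
    print(result, seen)
```

Removing suites from the connector one at a time, as in the test described above, never changes the client's order, so it cannot tell the two modes apart.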