Also, Baron, about the URL you're testing on your site via SSLLabs: is that really one being served by Tomcat's web server? That's whose connector you're showing here.
If instead you are fronting/proxying Tomcat with Apache or IIS, then my understanding is that the SSL support is handled by that web server, not Tomcat (and the connector handling that would be one with a protocol="AJP/1.3" or the like), and you'd then be wanting to really resolve the poor grades via configuration of those instead.

I am open to being corrected by you or others here, of course.

/charlie

>> On 5/10/18 2:45 PM, Baron Fujimoto wrote:
>>> I'm trying to improve our grade on SSL Labs SSL server test[1] for
>>> our Tomcat configuration. Currently, their report caps our grade at B
>>> because, "This server does not support Authenticated encryption
>>> (AEAD) cipher suites". They report that we support the following cipher
>>> suites:
>>> <snip>
>>>
>>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> address="0.0.0.0"
>>> port="8443"
>>> maxThreads="500"
>>> maxPostSize="100000"
>>> scheme="https" secure="true"
>>> defaultSSLHostConfigName="foo.example.edu"
>>> SSLEnabled="true" >
>>> <SSLHostConfig hostName="foo.example.edu"
<snip>