On 11/23/22 14:12, Edwin Mwangi wrote:
> I need help with the correct parameter for setting ciphers in Apache Tomcat
> 10.1.2. In the previous version (9) I would use the parameter below:
>
> ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
>
> However, when I set the same in Apache Tomcat 10.1.2 I get the following
> error in the log files:
Did you also use a newer Java version with the new Tomcat version?
I have just double-checked results on a Qualys Labs SSL test against a
webserver that allows those ciphers. Both of them are considered weak.
A newer Java version might choose to not allow those ciphers at all and
throw an error when they are attempted. The information below does not
involve Java or Tomcat, but hopefully will still be useful:
Here is part of a report using testssl.sh against one of my webservers,
which gets an A+ security grade:
Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.  Encryption  Bits  Cipher Suite Name (IANA/RFC)
---------------------------------------------------------------------------------------------------------
SSLv2
 -
SSLv3
 -
TLSv1
 -
TLSv1.1
 -
TLSv1.2 (server order)
 xcca8   ECDHE-RSA-CHACHA20-POLY1305    ECDH 521  ChaCha20    256   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 521  AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSv1.3 (server order)
 x1303   TLS_CHACHA20_POLY1305_SHA256   ECDH 521  ChaCha20    256   TLS_CHACHA20_POLY1305_SHA256
 x1302   TLS_AES_256_GCM_SHA384         ECDH 521  AESGCM      256   TLS_AES_256_GCM_SHA384
No ciphers using RSA at all, and each active TLS version only accepts
two ciphers.
I am betting that Java is just refusing to use those ciphers because
they are known to be weak. Hopefully an expert can tell me if I am
giving incorrect information here.
Thanks,
Shawn
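The reply above contrasts the static-RSA CBC suites from the question with the forward-secret AEAD suites in the testssl.sh report. As an added example (not code from this thread or from Tomcat), here is a small Python checker that parses IANA-style suite names, the format Tomcat's ciphers attribute and the report's right-hand column use, and flags the two properties being discussed; the policy rules and the sample lists are my own assumptions.

```python
import re

# Constructed sample inputs: the ciphers value from the question and the
# four suites the A+ server in the report accepts.
TOMCAT_CIPHERS = "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
REPORT_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# TLS 1.2-style names: TLS_<key exchange>_WITH_<bulk cipher and MAC>
TLS12_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<bulk>.+)$")

# Key-exchange labels that use a static (non-ephemeral) key. Note that
# "RSA" here means RSA key transport; in ECDHE_RSA the RSA key only signs.
STATIC_KX = {"RSA", "DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"}
OBSOLETE_BULK = ("3DES", "RC4", "NULL", "EXPORT", "DES40")


def parse_suite(name):
    """Split an IANA suite name into (key exchange, bulk cipher) parts.
    TLS 1.3 names carry no key-exchange part because 1.3 always uses
    (EC)DHE, so they are labelled "TLS13"."""
    m = TLS12_RE.match(name)
    if m:
        return m.group("kx"), m.group("bulk")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS13", name[len("TLS_"):]
    raise ValueError(f"unrecognised cipher suite name: {name}")


def weaknesses(name):
    """Reasons a suite fails a forward-secret, AEAD-only policy (assumed)."""
    kx, bulk = parse_suite(name)
    reasons = []
    if kx in STATIC_KX or "anon" in kx:
        reasons.append("no forward secrecy (static key exchange)")
    if "_CBC_" in bulk:
        reasons.append("CBC mode, not AEAD")
    if any(tag in bulk for tag in OBSOLETE_BULK):
        reasons.append("obsolete bulk cipher")
    return reasons


def check_cipher_attribute(value):
    """Check a comma-separated Tomcat ciphers value; returns {suite: reasons}."""
    suites = [s.strip() for s in value.split(",") if s.strip()]
    return {s: weaknesses(s) for s in suites}
```

Running check_cipher_attribute(TOMCAT_CIPHERS) reports both suites for static RSA key exchange and CBC mode, while every suite in REPORT_CIPHERS comes back clean.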