Yes, I had to install Java 11

On Thu, 24 Nov 2022, 00:42 Shawn Heisey, <apa...@elyograg.org> wrote:

> On 11/23/22 14:12, Edwin Mwangi wrote:
> > I need help with the correct parameter for setting Ciphers in Apache Tomcat
> > 10.1.2, in the previous version 9 I would use the parameter below
> >
> > ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
> >
> > However when I set the same in Apache Tomcat 10.1.2 I get the following
> > error in the logfiles
>
> Did you also use a newer Java version with the new Tomcat version?
>
> I have just double-checked results on a Qualys Labs SSL test against a
> webserver that allows those ciphers. Both of them are considered weak.
> A newer Java version might choose to not allow those ciphers at all and
> throw an error when they are attempted. The information below does not
> involve Java or Tomcat, but hopefully will still be useful:
>
> Here is part of a report using testssl.sh against one of my webservers,
> which gets an A+ security grade:
>
> Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.  Encryption  Bits  Cipher Suite Name (IANA/RFC)
> -----------------------------------------------------------------------------------------------------------------------------
> SSLv2
>  -
> SSLv3
>  -
> TLSv1
>  -
> TLSv1.1
>  -
> TLSv1.2 (server order)
>  xcca8   ECDHE-RSA-CHACHA20-POLY1305   ECDH 521  ChaCha20    256   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>  xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 521  AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLSv1.3 (server order)
>  x1303   TLS_CHACHA20_POLY1305_SHA256  ECDH 521  ChaCha20    256   TLS_CHACHA20_POLY1305_SHA256
>  x1302   TLS_AES_256_GCM_SHA384        ECDH 521  AESGCM      256   TLS_AES_256_GCM_SHA384
>
> No ciphers using RSA at all, and each active TLS version only accepts
> two ciphers.
>
> I am betting that Java is just refusing to use those ciphers because
> they are known to be weak. Hopefully an expert can tell me if I am
> giving incorrect information here.
>
> Thanks,
> Shawn
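
Added example, not part of the thread and not Tomcat's own code: one way to check the guess above is to ask the JVM that runs Tomcat how its default JSSE provider treats the cipher suite names quoted in these messages. The class name CipherCheck is an assumption, and the program only reports what the local JVM says.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example: reports how the running JVM's default JSSE provider treats
// the cipher suite names quoted in this thread. Needs Java 9 or later.
public class CipherCheck {
    // Suite names copied from the messages above (IANA/RFC names, as JSSE uses).
    static final List<String> FROM_THREAD = List.of(
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_256_GCM_SHA384");

    // Classifies one suite name against the JVM's supported and default-enabled sets.
    static String status(String suite, Set<String> supported, Set<String> enabled) {
        if (!supported.contains(suite)) return "not supported by this JVM";
        if (!enabled.contains(suite)) return "supported, but not enabled by default";
        return "enabled by default";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String suite : FROM_THREAD) {
            System.out.printf("%-45s %s%n", suite, status(suite, supported, enabled));
        }
        // JVM-wide restrictions from the java.security file that JSSE applies to TLS.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it with the same Java installation that starts Tomcat, for example `java CipherCheck.java`, so the result reflects that JVM's security configuration.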