Harri,
On 10/29/25 6:25 AM, Harri Pesonen wrote:
> 08:47:44.257 WRN> (main) (org.apache.tomcat.util.net.SSLUtilBase#getEnabled)
> Tomcat interprets the [ciphers] attribute in a manner consistent with the latest
> OpenSSL development branch. Some of the specified [ciphers] are not supported by
> the configured SSL engine for this connector (which may use JSSE or an older
> OpenSSL version) and have been skipped: [[TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256]]
> Configuration is:
> ciphers="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256"/>
> Should we just drop these or replace them with something else:
This is largely a matter of taste -- in general -- but for your
environment it looks like they will not be used no matter what. So, in
your case, removing these will remove the warning and not otherwise
change the behavior.
I am interested in the underlying TLS engine you are using. I don't know
of any engines which have removed support for those cipher suites.
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
None of the above cipher suites feature "forward security" which is one
reason why they are potential candidates for removal from your set of
supported ciphers.
The CBC-based cipher suites have a bit of an issue, but with these
cipher suites enabled (note the use of ECDHE and not ECDH):
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Qualys's SSL Labs is still willing to give your site an A+ rating. So
take that for what you will. Also, for what it's worth, all of the
following companies still allow CBC-based cipher suites on their sites:
- Facebook
- Google
- Microsoft
- Qualys
So take that for what you will, too.
It looks like you are already (successfully) supporting the ECDHE
versions of these cipher suites. So if I were you, I think I'd just
remove them from my configuration.
-chris
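
Added example, not part of the original message and not Tomcat code: a short Python audit of the `ciphers` value quoted above that sorts each IANA suite name by key exchange and CBC use. It goes beyond the four skipped suites and also flags the static-RSA entries; the names `Suite`, `classify` and `audit` are hypothetical.

```python
from typing import NamedTuple, Optional

# The `ciphers` attribute value quoted in the message above.
CIPHERS = (
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256"
)

class Suite(NamedTuple):
    name: str
    key_exchange: Optional[str]      # None when the name has no _WITH_ part
    forward_secrecy: Optional[bool]  # None when the name does not decide it
    cbc: bool

def classify(name: str) -> Suite:
    """Split TLS_<key exchange>_WITH_<cipher>_<hash> into its parts."""
    name = name.strip()
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    kx, sep, cipher = name[4:].partition("_WITH_")
    if not sep:
        # TLS 1.3-style name (e.g. TLS_AES_128_GCM_SHA256): no key exchange in it.
        return Suite(name, None, None, "_CBC_" in name)
    # Ephemeral key exchange is marked by the trailing E: DHE_* and ECDHE_*.
    # Static ECDH_*, DH_* and RSA key transport reuse a long-term key.
    ephemeral = kx.split("_")[0] in ("DHE", "ECDHE")
    return Suite(name, kx, ephemeral, "_CBC_" in cipher)

def audit(ciphers_attr: str) -> dict:
    """Group the suites in a comma-separated `ciphers` value."""
    suites = [classify(n) for n in ciphers_attr.split(",") if n.strip()]
    return {
        "no_forward_secrecy": [s.name for s in suites if s.forward_secrecy is False],
        "cbc_with_forward_secrecy": [s.name for s in suites if s.cbc and s.forward_secrecy],
    }

if __name__ == "__main__":
    for group, names in audit(CIPHERS).items():
        print(group)
        print("\n".join("  " + n for n in names))
```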