Hi, I'm configuring my Tomcat server so that it uses a "strong" cipher for SSL. From the docs in both Tomcat 4.1 and 5.0, the "ciphers" attribute for the "connector" element in server.xml accepts "A comma seperated [sic] list of the encryption ciphers that may be used. If not specified, then any available cipher may be used."
My questions are:

1. When the "ciphers" attribute is not specified, how does Tomcat choose the cipher to use from the "any available cipher[s]"?
2. Why doesn't Tomcat choose the strongest available ciphers from what's made available to the Java runtime?

For question #2, I'm guessing (being not as knowledgeable in this area as I'd like to be) it's because a "strong" cipher is only as strong as a user perceives it to be, and therefore what is strongest for one user may not be strongest for another. Also, the ciphers that are available to choose from are dependent on the Java runtime version, the runtime vendor (e.g., IBM JRE may have different ciphers from Sun JRE) as well as the cryptography service providers that are made available via the JRE's java.security file. Is this correct?

Thanks in advance!
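An added example, not part of the original post: one way to see which cipher suites a given Java runtime and its configured providers actually offer, so the "ciphers" list can be set explicitly instead of left to defaults. It assumes a current JDK and a JSSE-based connector; the class name and the WEAK marker list are illustrative assumptions, and the program says nothing about how Tomcat itself selects a suite.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class ListCipherSuites {
    // Assumption: name fragments treated as weak here; adjust to your own policy.
    static final String[] WEAK = {"_NULL_", "_anon_", "_EXPORT", "_DES_", "_DES40_", "_RC4_", "_RC2_", "_MD5"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Providers are registered through the JRE's java.security file, in preference order.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " (" + p.getInfo() + ")");
        }

        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        // "Default" suites are enabled without configuration; "supported" ones can be enabled explicitly.
        Set<String> enabled = new HashSet<>(Arrays.asList(f.getDefaultCipherSuites()));
        List<String> keep = new ArrayList<>();

        for (String suite : f.getSupportedCipherSuites()) {
            boolean weak = isWeak(suite);
            System.out.printf("%-8s %-5s %s%n",
                    enabled.contains(suite) ? "default" : "opt-in",
                    weak ? "WEAK" : "ok",
                    suite);
            // Skip signalling pseudo-suites such as TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
            if (!weak && !suite.contains("_SCSV")) keep.add(suite);
        }

        // Candidate value for the connector's "ciphers" attribute in server.xml; review before use.
        System.out.println("ciphers=\"" + String.join(",", keep) + "\"");
    }
}
```

Running it under each JRE the server may use (different versions or vendors) shows how the offered set differs between them.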