Mike Gardiner wrote:


Hello, I'm sure this is detailed somewhere but I can't find it for the life of 
me and it's been driving me nuts all day.

How can I limit the cipher suites used by Tomcat for an SSL connection?

In Tomcat 5.5, like this:
    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

Empirically, you must use the long names from the various cipher suite specs, 
not the perhaps more commonly encountered OpenSSL names, and if one of the 
names in the list is incorrect or otherwise unrecognised, or if you use a TLS 
v1.0 name when there is an SSL v3.0 name for the same cipher, then the whole list is 
silently ignored.  The list above restricts Tomcat 5.5 to only those 128-bit 
and above ciphers supported in JSSE.

To check which ciphers a public website accepts you can use a service at serversniff.de, 
or download a desktop tool called "SSLDigger" from www.foundstone.com.

Paul Singleton

I tried setting SSLCipherSuite="SOME_CIPHER", to only allow a single cipher but 
when a client connects it still uses whatever is the first cipher in the client's list 
rather than using the cipher I specify in the server.xml file.

My complete connector tag is:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSLv3" keystoreType="luna"
keyAlias="tomcat" keystore="/.keystore"
SSLCipherSuite="SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

Any help would be great

Mike
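Because an unrecognised name causes the whole list to be dropped without an error, it is worth checking a candidate ciphers value against the JVM that will actually run Tomcat before putting it in server.xml. The following is an added example written for this thread, not code from Tomcat or from either poster; the class name, the input handling and the sample lists are my own, and the second sample deliberately contains an OpenSSL-style name (AES128-SHA) to show how it is flagged. It takes the comma-separated value of the JSSE connector's ciphers attribute and reports names the JVM does not support at all, plus names that are supported but not enabled by default (on newer JVMs, weak suites such as RC4 and 3DES fall in this second group because of the jdk.tls.disabledAlgorithms security property).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

// Validates a Tomcat JSSE ciphers="..." value against the running JVM.
public class CipherListCheck {

    // Constructed sample: the list quoted earlier in this thread.
    static final String THREAD_LIST =
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,"
      + "SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
      + "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

    // Constructed sample with an OpenSSL-style name mixed in; JSSE will not
    // recognise "AES128-SHA", so Tomcat would silently ignore the whole list.
    static final String MIXED_LIST =
        "TLS_RSA_WITH_AES_128_CBC_SHA,AES128-SHA";

    static SSLServerSocketFactory factory() {
        return (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    }

    // Names in the attribute that this JVM's JSSE does not know at all.
    static List<String> unsupported(String cipherAttr) {
        Set<String> known = new HashSet<>(Arrays.asList(factory().getSupportedCipherSuites()));
        List<String> bad = new ArrayList<>();
        for (String raw : cipherAttr.split(",")) {
            String name = raw.trim();
            if (!name.isEmpty() && !known.contains(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    // Names that are supported but not in the JVM's default (enabled) set.
    static List<String> notEnabledByDefault(String cipherAttr) {
        Set<String> known = new HashSet<>(Arrays.asList(factory().getSupportedCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(factory().getDefaultCipherSuites()));
        List<String> weak = new ArrayList<>();
        for (String raw : cipherAttr.split(",")) {
            String name = raw.trim();
            if (known.contains(name) && !enabled.contains(name)) {
                weak.add(name);
            }
        }
        return weak;
    }

    static void report(String label, String cipherAttr) {
        System.out.println("== " + label);
        List<String> bad = unsupported(cipherAttr);
        if (bad.isEmpty()) {
            System.out.println("all names recognised by this JVM");
        } else {
            System.out.println("UNRECOGNISED (Tomcat would ignore the whole list): " + bad);
        }
        List<String> weak = notEnabledByDefault(cipherAttr);
        if (!weak.isEmpty()) {
            System.out.println("supported but disabled by default on this JVM: " + weak);
        }
    }

    public static void main(String[] args) {
        if (args.length > 0) {
            report("command-line value", args[0]);   // java CipherListCheck "<ciphers value>"
        } else {
            report("thread list", THREAD_LIST);
            report("mixed list", MIXED_LIST);
        }
    }
}
```

Run it with the same java binary Tomcat uses, since the supported and default sets differ between JVM vendors and versions; a name that passes on a workstation JDK may still be unknown to the server's runtime.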


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]