I am trying to clarify the cipher suite that my webapp allows.
In Tomcat server.xml I have the following connector installed:
<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="3000"
           minSpareThreads="250"
           maxSpareThreads="500"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="1000"
           connectionTimeout="40000"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, ADH-AES256-SHA, AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA"
           keystoreFile="REDACTED"
           keystorePass="REDACTED" />
The server starts just fine. Everything works. However, when I run sslscan on the server, the 256-bit ciphers show that they are not supported.
(Abbreviated, sorted output)
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
In addition, the scan shows that the preferred server ciphers are: "SSLv3 128 bit DHE-RSA-AES128-SHA" and "TLSv1 128 bit DHE-RSA-AES128-SHA". I am fine if Tomcat prefers to work with 128-bit ciphers, but I would like to serve any strong clients that occur.
What did I miss?
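Added example, not part of the original post: a Python cross-check of the Connector's ciphers list against the TLSv1 rows of the sslscan output quoted above. It sorts each configured entry by naming style (the JSSE standard names that a keystore-based Tomcat connector uses, versus OpenSSL names); the `audit` function and the OpenSSL-to-JSSE table are supplied by this example.

```python
import re

# ciphers="..." attribute copied from the Connector in the post.
CONFIGURED = (
    "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, ADH-AES256-SHA, AES256-SHA, "
    "DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA")

# TLSv1 rows of the abbreviated sslscan output in the post.
SCAN = (
    "Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 128 bits DHE-RSA-AES128-SHA "
    "Accepted TLSv1 128 bits RC4-MD5 Accepted TLSv1 128 bits RC4-SHA "
    "Accepted TLSv1 168 bits DES-CBC3-SHA Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA "
    "Rejected TLSv1 256 bits ADH-AES256-SHA Rejected TLSv1 256 bits AES256-SHA "
    "Rejected TLSv1 256 bits DHE-DSS-AES256-SHA Rejected TLSv1 256 bits DHE-RSA-AES256-SHA")

# OpenSSL name -> JSSE standard name (table supplied by this example).
OPENSSL_TO_JSSE = {
    "RC4-MD5": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4-SHA": "SSL_RSA_WITH_RC4_128_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-DSS-AES128-SHA": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "EDH-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "EDH-DSS-DES-CBC3-SHA": "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "ADH-AES256-SHA": "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "DHE-DSS-AES256-SHA": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
JSSE_TO_OPENSSL = {v: k for k, v in OPENSSL_TO_JSSE.items()}

def audit(configured=CONFIGURED, scan=SCAN):
    """Return (entry, naming style, JSSE name, scan verdict) per configured cipher."""
    verdict = {name: v for v, name in
               re.findall(r"(Accepted|Rejected) TLSv1 \d+ bits (\S+)", scan)}
    rows = []
    for entry in (e.strip() for e in configured.split(",")):
        if entry in JSSE_TO_OPENSSL:      # already a JSSE standard name
            style, jsse, wire = "jsse", entry, JSSE_TO_OPENSSL[entry]
        elif entry in OPENSSL_TO_JSSE:    # OpenSSL-style name in a JSSE list
            style, jsse, wire = "openssl", OPENSSL_TO_JSSE[entry], entry
        else:
            style, jsse, wire = "unknown", None, entry
        rows.append((entry, style, jsse, verdict.get(wire, "not listed")))
    return rows
```

On the post's data, every JSSE-named entry that the scan lists is Accepted, and the four Rejected suites are exactly the entries written with OpenSSL names. `ADH-AES256-SHA` corresponds to an anonymous Diffie-Hellman suite, which provides no server authentication.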