I need to add some info to the tcnative docs concerning using a native
SSL connector and I'm quite uncertain where to add it. It will roughly be:
Starting with version 1.1.34 of the APR/native connector, the strength
of ephemeral keys for DH ciphers is by default chosen depending on the
key size used for the certificate. A 2048 bit certificate will result in
using a 2048 bit prime for DH. Unfortunately Java 6 only supports 768
bit and Java 7 only supports 1024. So if your certificate has a stronger
key, the new behavior will lead to handshake failures with old Java
clients. In that case you can either try to force them to use another
cipher by configuring an appropriate SSLCipherSuite and activating
SSLHonorCipherOrder, or add weak DH params to your certificate file. The
latter is not recommended because it weakens the SSL security.
Any ideas where to put this?
Regards,
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
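The first workaround Rainer describes (steering old clients to a non-DH cipher with SSLCipherSuite plus SSLHonorCipherOrder) as a server.xml fragment. This is an added example, not text from the mail or from the Tomcat documentation; the Connector attribute names other than SSLCipherSuite and SSLHonorCipherOrder, the certificate paths, the port and the exact OpenSSL cipher string are assumptions.

```xml
<!-- Added example (not from the mail or the Tomcat docs). Two APR/native HTTPS
     connectors for server.xml, shown as "before" and "after"; use only one.
     Paths, port and attribute names other than SSLCipherSuite and
     SSLHonorCipherOrder are assumptions. -->

<!-- BEFORE: no server-side cipher preference. With a 2048-bit certificate,
     tcnative 1.1.34+ sends 2048-bit DH parameters for DHE suites; a Java 6
     (768-bit max) or Java 7 (1024-bit max) client that chooses a DHE suite
     fails the handshake. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           SSLCipherSuite="HIGH:!aNULL:!eNULL" />

<!-- AFTER: the server dictates the cipher order. ECDHE suites come first, so
     Java 7 clients keep forward secrecy without touching DH; plain RSA key
     exchange follows for Java 6 clients, which have no EC suites; ephemeral
     DH (OpenSSL alias kEDH) is excluded so no client can end up with the
     oversized DH parameters. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLHonorCipherOrder="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key"
           SSLCipherSuite="ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:!kEDH:!aNULL:!eNULL" />
```

The trade-off is that Java 6 clients lose forward secrecy (RSA key exchange) rather than the whole connection; the certificate keeps its 2048-bit key, which is why this is preferable to the mail's second option of adding weak DH parameters to the certificate file.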