2015-05-24 15:34 GMT+02:00 Rainer Jung <rainer.j...@kippdata.de>:

> I need to add some info to the tcnative docs concerning using a native SSL
> connector and I'm quite uncertain where to add it. It will roughly be:
>
> Starting with version 1.1.34 of the APR/native connector, the strength of
> ephemeral keys for DH ciphers is by default chosen depending on the key
> size used for the certificate. A 2048 bit certificate will result in using
> a 2048 bit prime for DH. Unfortunately Java 6 only supports 768 bit and
> Java 7 only supports 1024. So if your certificate has a stronger key, the
> new behavior will lead to handshake failures with old Java clients. In that
> case you can either try to force them to use another cipher by configuring
> an appropriate SSLCipherSuite and activating SSLHonorCipherOrder, or add
> weak DH params to your certificate file. The latter is not recommended
> because it weakens the SSL security.
>
> Any ideas where to put this?
>

http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html or http://tomcat.apache.org/tomcat-8.0-doc/config/http.html probably, right? Ideally it should be elsewhere but I doubt anyone would ever find it.

Rémy
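
A small model of the handshake failure and the SSLHonorCipherOrder mitigation described in the quoted message, added here as an illustration and not part of the original thread or of Tomcat/tcnative. The cipher lists are constructed samples, the client limits are the ones stated in the message, and the DH prime size is assumed equal to the certificate key size.

```python
# Added illustration, not Tomcat or tcnative code.
# Largest DH prime (bits) each client accepts, as stated in the quoted message.
CLIENT_DH_LIMIT = {"java6": 768, "java7": 1024}

# Constructed sample lists in OpenSSL naming (assumptions, not real defaults).
OLD_JAVA_OFFER = ["DHE-RSA-AES128-SHA", "AES128-SHA"]
SERVER_SUITES = ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"]


def is_dhe(suite):
    """True for ephemeral finite-field DH suites (ECDHE-* is not affected)."""
    return suite.startswith(("DHE-", "EDH-"))


def negotiate(server_suites, client_suites, honor_server_order):
    """First mutually supported suite: server order when SSLHonorCipherOrder
    is on, client order otherwise."""
    if honor_server_order:
        walk, other = server_suites, client_suites
    else:
        walk, other = client_suites, server_suites
    return next((s for s in walk if s in other), None)


def handshake(client, client_suites, server_suites, cert_key_bits, honor_server_order):
    """Return (suite, ok). Assumes the DH prime size equals the certificate
    key size, the 1.1.34 default behaviour described in the message."""
    suite = negotiate(server_suites, client_suites, honor_server_order)
    if suite is None:
        return None, False
    if is_dhe(suite) and cert_key_bits > CLIENT_DH_LIMIT[client]:
        return suite, False  # client cannot handle the larger DH prime
    return suite, True


if __name__ == "__main__":
    for honor in (False, True):
        print(honor, handshake("java7", OLD_JAVA_OFFER, SERVER_SUITES, 2048, honor))
```

With the server's order honored, the non-DHE suite placed ahead of the DHE one is selected and the old client connects, at the cost of forward secrecy for that client.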