Robert,

On 6/2/15 10:40 AM, Robert Paasche wrote:
> Hi,
>
> I'm using tcnative with:
> SSLCipherSuite="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP"
>
> To generate a list of ciphers for your use case simply do:
> openssl ciphers -v
> 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'

The OP is quite clearly using JSSE for TLS, so your suggested SSLCipherSuite is not relevant for him.

But! If the OP is using Tomcat 8, he can use OpenSSL-style cipher selection (see http://tomcat.apache.org/tomcat-8.0-doc/config/http.html, configuration attribute "ciphers"). Note that you will have to use the "ciphers" configuration attribute and *not* "SSLCipherSuite", which is only applicable for the OpenSSL-based native ("APR") connector.

I would recommend using OpenSSL-style cipher selection criteria, because you can use rule-out style semantics like "!RC4" meaning "don't allow any ciphers which use RC4". JSSE usually requires that you specify a whitelist which is quite tedious to maintain.

-chris
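
Added example (not part of the original message, and not Tomcat code): the rule-out semantics discussed above, checked with Python's ssl module, which passes the expression to the OpenSSL library it is linked against, next to an audit of a hand-kept whitelist. The resulting suite list depends on the local OpenSSL build, and Tomcat's JSSE connector resolves such expressions with its own parser, so its final list can differ; `expand`, `violations`, `BANNED` and the sample whitelist are names and data constructed for this illustration.

```python
import ssl

# Expression quoted in the message above (OpenSSL cipher-list syntax).
EXPR = ("EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:"
        "EDH:+3DES:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!RC4:!CAMELLIA:"
        "!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP")

# Name fragments for the "!" rules whose suites are recognisable by name.
# (!aNULL, !LOW and !EXP do not map to a single fragment and are not checked.)
BANNED = ("RC4", "CAMELLIA", "SEED", "MD5", "NULL", "DSS", "PSK", "SRP")

# Constructed sample: an explicit whitelist of the kind a JSSE configuration
# needs, written in OpenSSL suite names, with one stale RC4 entry left in.
SAMPLE_WHITELIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-RC4-SHA",
    "DHE-RSA-AES128-SHA",
]


def expand(expr):
    """Return the suite names the local OpenSSL selects for `expr`, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(expr)  # raises ssl.SSLError if no suite can be selected
    return [c["name"] for c in ctx.get_ciphers()]


def violations(names, banned=BANNED):
    """Return the suite names that contain any banned fragment."""
    return [n for n in names if any(tok in n.upper() for tok in banned)]


if __name__ == "__main__":
    selected = expand(EXPR)
    print(f"{len(selected)} suites selected by the expression:")
    for name in selected:
        print("  " + name)
    # The "!" rules remove matching suites no matter what HIGH/MEDIUM add.
    print("banned suites in expanded list:", violations(selected))
    # A whitelist has no such rule; every entry must be reviewed by hand.
    print("banned suites in sample whitelist:", violations(SAMPLE_WHITELIST))
```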