Posted to dev@tomcat.apache.org by Apache Wiki <wi...@apache.org> on 2013/01/10 08:34:15 UTC

[Tomcat Wiki] Update of "HowTo/SSLCiphers" by KonstantinKolinko

The "HowTo/SSLCiphers" page has been changed by KonstantinKolinko:
http://wiki.apache.org/tomcat/HowTo/SSLCiphers

Comment:
New FAQ page - how to configure the list of ciphers on a Connector

New page:
= How do I restrict the list of SSL ciphers used by a Connector =

First, the configuration attribute and its values depend on which HTTPS implementation you are using. You may be using either the Java-based implementation (JSSE), with the BIO and NIO connectors, or the OpenSSL-based implementation, with the APR connector.

'''Links:'''

 * [[http://tomcat.apache.org/tomcat-7.0-doc/config/http.html|HTTP Connector configuration reference (Tomcat 7)]]

== Using Java implementation ==

For the BIO and NIO connectors, the attribute that specifies the list of ciphers is called '''ciphers''', and multiple values are separated by a comma (`,`). For the list of possible values, see the list of cipher suite names for your version of Java, e.g.

 * [[http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames|Oracle Java 6]]
 * [[http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames|Oracle Java 7]]

See thread "Default SSL ciphers supported by Tomcat 6" from October 2009 [[http://markmail.org/message/zn4namfhypyxum23|here]] for a short program that displays available ciphers in your particular JVM.

'''Sample configuration:'''

{{{
 ciphers="SSL_RSA_WITH_RC4_128_MD5,
           SSL_RSA_WITH_RC4_128_SHA,
           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
           TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
           TLS_ECDH_RSA_WITH_RC4_128_SHA"
}}}
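
A check to run before deploying a `ciphers` value, as an added example (not part of the wiki page or of the linked mailing-list thread; the class name `CheckCiphers` is made up): it compares each configured name with the suites this JVM supports and with those it enables by default. It assumes the JVM's default `SSLContext` reflects what the connector can use.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

// Added example; CheckCiphers is a hypothetical name, not Tomcat code.
public class CheckCiphers {
    // Split a Tomcat "ciphers" value on commas, dropping the whitespace and
    // line breaks that a multi-line attribute value contains.
    static List<String> parse(String attr) {
        List<String> names = new ArrayList<String>();
        for (String part : attr.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) names.add(name);
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Default input: the sample value from this page. Pass your own as args[0].
        String attr = args.length > 0 ? args[0]
                : "SSL_RSA_WITH_RC4_128_MD5,\n SSL_RSA_WITH_RC4_128_SHA,\n"
                + " TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,\n TLS_ECDHE_RSA_WITH_RC4_128_SHA,\n"
                + " TLS_ECDH_ECDSA_WITH_RC4_128_SHA,\n TLS_ECDH_RSA_WITH_RC4_128_SHA";
        // Assumption: the default SSLContext reflects what the connector can use.
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new TreeSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new TreeSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        int unsupported = 0;
        for (String name : parse(attr)) {
            String status;
            if (!supported.contains(name)) {
                status = "NOT SUPPORTED by this JVM";
                unsupported++;
            } else if (enabled.contains(name)) {
                status = "supported, enabled by default";
            } else {
                status = "supported, disabled by default";
            }
            System.out.println(name + ": " + status);
        }
        // Non-zero exit lets a deployment script stop on a name the JVM does not know.
        System.exit(unsupported == 0 ? 0 : 1);
    }
}
```

Run it with the same JVM that runs Tomcat, since the supported and default-enabled suites differ between Java versions and security settings.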

== Using OpenSSL implementation (APR connector) ==

For the APR connector, the attribute that specifies the list of ciphers is called '''SSLCipherSuite''', and multiple values are separated by a colon (`:`). Generally, it is configured in the same way as the `SSLCipherSuite` directive of [[http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite|mod_ssl of Apache HTTPD server]].
For the list of possible values, see the [[http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html|OpenSSL documentation]], or run `openssl.exe ciphers -v`.

'''Sample configurations:'''

a)
{{{
 SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
}}}

b)
{{{
 SSLCipherSuite="RC4-SHA"
}}}

----
[[CategoryFAQ]]
