Configuration#

The ciphers for JSSE connector can be configured in the ciphers attribute of the SSLHostConfig element as follows:

<Connector ...>
``    <SSLHostConfig … \ ``ciphers="...">
``        <Certificate …/>``
``    ``

According to Tomcat documentation, the ciphers can be specified in several ways:

For example:

<SSLHostConfig ... ``\ ``ciphers="DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES128-GCM-SHA256">

The order in which ciphers are defined is treated as an order of preference. See also honorCipherOrder.

If the ciphers attribute is not specified, by default it will use the following ciphers:

<SSLHostConfig ... ``\ ``ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA">

To list the default ciphers:

$ openssl ciphers 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA' | tr ':' '\n'
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
...

Default Ciphers#

The following ciphers are enabled by default by JSSE with RSA certificate:

Cipher ID

IANA/NSS Cipher Name

OpenSSL Cipher Name

0xc030

TLS_ECDHE_RS A_WITH_AES_256_GCM_SHA384

EC DHE-RSA-AES256-GCM-SHA384

0x0033

TLS_DHE _RSA_WITH_AES_128_CBC_SHA

DHE-RSA-AES128-SHA

0x0039

TLS_DHE _RSA_WITH_AES_256_CBC_SHA

DHE-RSA-AES256-SHA

0x0067

TLS_DHE_RS A_WITH_AES_128_CBC_SHA256

DHE-RSA-AES128-SHA256

0x006b

TLS_DHE_RS A_WITH_AES_256_CBC_SHA256

DHE-RSA-AES256-SHA256

0x009e

TLS_DHE_RS A_WITH_AES_128_GCM_SHA256

DHE-RSA-AES128-GCM-SHA256

0x009f

TLS_DHE_RS A_WITH_AES_256_GCM_SHA384

DHE-RSA-AES256-GCM-SHA384

0xc013

TLS_ECDHE _RSA_WITH_AES_128_CBC_SHA

ECDHE-RSA-AES128-SHA

0xc014

TLS_ECDHE _RSA_WITH_AES_256_CBC_SHA

ECDHE-RSA-AES256-SHA

0xc027

TLS_ECDHE_RS A_WITH_AES_128_CBC_SHA256

ECDHE-RSA-AES128-SHA256

0xc028

TLS_ECDHE_RS A_WITH_AES_256_CBC_SHA384

ECDHE-RSA-AES256-SHA384

0xc02f

TLS_ECDHE_RS A_WITH_AES_128_GCM_SHA256

EC DHE-RSA-AES128-GCM-SHA256

The following ciphers are enabled by default by JSSE with ECC certificate:

Cipher ID

IANA/NSS Cipher Name

OpenSSL Cipher Name

0xc02b

TLS_ECDHE_ECDS A_WITH_AES_128_GCM_SHA256

ECDH E-ECDSA-AES128-GCM-SHA256

0xc02c

TLS_ECDHE_ECDS A_WITH_AES_256_GCM_SHA384

ECDH E-ECDSA-AES256-GCM-SHA384

0xc009

TLS_ECDHE_E CDSA_WITH_AES_128_CBC_SHA

ECDHE-ECDSA-AES128-SHA

0xc00a

TLS_ECDHE_E CDSA_WITH_AES_256_CBC_SHA

ECDHE-ECDSA-AES256-SHA

0xc023

TLS_ECDHE_ECDS A_WITH_AES_128_CBC_SHA256

ECDHE-ECDSA-AES128-SHA256

0xc024

TLS_ECDHE_ECDS A_WITH_AES_256_CBC_SHA384

ECDHE-ECDSA-AES256-SHA384

FIPS Ciphers#

If the Tomcat is configured as follows:

<SSLHostConfig ciphers="DHE-RSA-AES128-SHA,DHE-RSA-AES256-SHA,DHE-RSA-AES128-SHA256,DHE-RSA-AES256-SHA256,DHE-RSA-AES128-GCM-SHA256,AES128-SHA256,AES256-SHA256">

Tomcat will support the following ciphers:

Cipher ID

IANA/NSS Cipher Name

OpenSSL Cipher Name

0x0039

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

DHE-RSA-AES256-SHA

0x006b

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

DHE-RSA-AES256-SHA256

If the Tomcat is configured as follows:

<SSLHostConfig ciphers="TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL">

Tomcat will support the following ciphers:

Cipher ID

IANA/NSS Cipher Name

OpenSSL Cipher Name

0xc028

TLS_ECDHE_RS A_WITH_AES_256_CBC_SHA384

ECDHE-RSA-AES256-SHA384

0xc030

TLS_ECDHE_RS A_WITH_AES_256_GCM_SHA384

EC DHE-RSA-AES256-GCM-SHA384

0x006b

TLS_DHE_RS A_WITH_AES_256_CBC_SHA256

DHE-RSA-AES256-SHA256

0x009f

TLS_DHE_RS A_WITH_AES_256_GCM_SHA384

DHE-RSA-AES256-GCM-SHA384

References#