3

What are the ciphers supported by JSSE in Apache Tomcat server? How can i enable AES256 and reorder the ciphers?

samvijay
  • 197
  • 5
  • 14
  • For full key lengths, you might need to install the unrestricted policy files for your JVM, see [here](http://www.bouncycastle.org/wiki/display/JA1/Frequently+Asked+Questions). – f_puras Aug 30 '12 at 08:53

2 Answers2

6

HOWTO: Get Tomcat to use the 256-bit AES (and other algorithm ciphers)

1) Most likely you don't have the unlimited strength file installed now.

You may need to download this file:

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Install the file in 

${java.home}/jre/lib/security/

2) edit your server.xml file and put in only the 256 bit ciphers:

EXAMPLE: W/ 256 only

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="keystore.p12"
keystorePass="<MY_PASSWORD>" keystoreType="PKCS12"
clientAuth="want" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" 
ciphers="ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

EXAMPLE: W/ 256 & 128

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="keystore.p12"
keystorePass="<MY_PASSWORD>" keystoreType="PKCS12"
clientAuth="want" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

3) restart tomcat and and hit the main default tomcat page:

https://localhost:8443/

REFERENCES:

= = = = = = = = = = = = =

Java Security: Illegal key size or default parameters?

java aes 256 java.security.InvalidKeyException: Illegal key size after installation the policy

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4

http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv

http://blog.bitmelt.com/2013/11/tomcat-ssl-hardening.html

Community
  • 1
  • 1
atom88
  • 1,449
  • 3
  • 22
  • 32
  • With the suggested 256 only ciphers, Chrome 54.0.2840.99 on Windows Server 2012x64 complains "Obsolete Connection Settings - The connection to this site uses a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA), and an obsolete cipher (AES_256_CBC with HMAC-SHA1)." – buzz3791 Nov 18 '16 at 16:52
  • atom88's answer was awesome. Here's a Fall 2016 with Java 8 and unlimited JCE policy installed way to get Tomcat8.5 to only permit TLSv1.2 AES256_GCM: `slEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"` – buzz3791 Nov 18 '16 at 17:33
2

If you aren't using the APR native connector, Tomcat supports whatever Java supports, which does include AES256, possibly requiring the unlimited-strength crypto JARs.

If you are using native APR, Tomcat supports whatever its OpenSSL supports, which you can determine, somehow, via the OpenSSL.exe command.

The enabled cipher suites should be configurable in the Connector element of server.xml.

user207421
  • 305,947
  • 44
  • 307
  • 483