Given below are the cipher suites that are functional in Tomcat (Tomcat version 7.0.59 with the JSSE providers 7/8) for the following SSL protocols: TLSv1, TLSv1.1 and TLSv1.2. See Configuring Transport-Level Security for instructions on how to enable the required ciphers and to disable the weak ciphers for your WSO2 server.

Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.8

The following cipher suites are supported by Tomcat version 7.0.59 and Oracle JDK 1.8:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with Tomcat 7.0.59 and Oracle JDK 1.8:

...

Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.8

The following cipher suites are supported by Tomcat version 7.0.59 and Oracle JDK 1.8:

  • TLS_ECDHE_ECDSA_WITH_AES_256128_GCMCBC_SHA384SHA256
  • TLS_ECDHE_RSA_WITH_AES_256128_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384CBC_SHA256
  • TLS_ECDHDHE_RSA_WITH_AES_256128_GCMCBC_SHA384SHA256
  • TLS_DHEECDHE_RSAECDSA_WITH_AES_256128_GCMCBC_SHA384SHA
  • TLS_DHEECDHE_DSSRSA_WITH_AES_256_GCM_SHA384

Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.7

...

  • 128_CBC_SHA
  • TLS_ECDHEDHE_ECDSARSA_WITH_AES_128_CBC_SHA256SHA
  • TLS_ECDHE_RSAECDSA_WITH_AES_128_CBCGCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBCGCM_SHA256
  • TLS_ECDHDHE_ECDSARSA_WITH_AES_128_CBC_SHA256_GCM_SHA256

The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with Tomcat 7.0.59 and Oracle JDK 1.8:

  • TLS_ECDHECDHE_RSAECDSA_WITH_AES_128256_CBC_SHA256SHA384
  • TLS_DHEECDHE_RSA_WITH_AES_128256_CBC_SHA256SHA384
  • TLS_DHE_DSSRSA_WITH_AES_128256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128256_CBC_SHA
  • TLS_ECDHECDHE_ECDSA_WITH_AES_128256_CBCGCM_SHASHA384
  • TLS_ECDHECDHE_RSA_WITH_AES_128_CBC_SHATLS_DHE_RSA_WITH_AES_128_CBC_SHA256_GCM_SHA384
  • TLS_DHE_DSSRSA_WITH_AES_128256_CBC_SHAGCM_SHA384

Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.7

The following cipher suites are supported by Tomcat version 7.0.59 and Oracle JDK 1.7:

  • TLS_ECDHE_ECDSA_WITH_AES_256128_CBC_SHA384SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384TLS_RSA_WITH_AES_256128_CBC_SHA256
  • TLS_ECDHDHE_ECDSARSA_WITH_AES_256128_CBC_SHA384SHA256
  • TLS_ECDHECDHE_RSAECDSA_WITH_AES_256128_CBC_SHA384SHA
  • TLS_DHEECDHE_RSA_WITH_AES_256128_CBC_SHA256SHA
  • TLS_DHE_DSSRSA_WITH_AES_256_CBC_SHA256128_CBC_SHA

The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with Tomcat version 7.0.59 and Oracle JDK 1.7:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHASHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHASHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHASHA256
  • TLS_ECDHECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Weak ciphers

Note

Listed below are the relatively weaker cipher suites (which use DES/3DES, RC4 and MD5). It is not recommended to use these cipher suites for the following reasons:

  • DES/3DES are deprecated and should not be used.

  • MD5 should not be used due to known collision attacks.

  • RC4 should not be used due to cryptanalytic attacks.
  • DSS is limited to a 1024-bit key size.

  • Cipher suites that do not provide Perfect Forward Secrecy/Forward Secrecy (PFS/FS) should not be used.

The following cipher suites are weak for Tomcat version 7.0.59 when either JDK version (7/8) is used. The same applies if JCE Unlimited Strength Jurisdiction Policy is used. 

  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

The following cipher suites are weak for Tomcat version 7.0.59 and JDK version 1.7:

  • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_RC4_128_SHA
  • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  • TLS_ECDH_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_RC4_128_MD5
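
To check which suites a given JDK and policy-file combination actually exposes, the following added example (not part of the original WSO2 documentation) lists every cipher suite the running JVM's default JSSE provider supports and labels each one against the weakness criteria in the note above. The class name `CipherAudit` and the name-based matching rules are assumptions made for this illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.List;

public class CipherAudit {

    // Returns the criteria from the "Weak ciphers" note that a suite name matches.
    // An empty list means none of them apply. Matching is done on the suite name only.
    static List<String> weaknesses(String suite) {
        List<String> reasons = new ArrayList<String>();
        String[] parts = suite.split("_WITH_", 2);
        if (parts.length < 2) {
            // Names without "_WITH_" (for example the renegotiation pseudo-suite
            // TLS_EMPTY_RENEGOTIATION_INFO_SCSV) do not follow this scheme; not classified.
            return reasons;
        }
        String keyExchange = parts[0];   // e.g. TLS_ECDHE_RSA
        String cipherAndMac = parts[1];  // e.g. AES_128_CBC_SHA256

        if (cipherAndMac.contains("3DES") || cipherAndMac.startsWith("DES")) {
            reasons.add("DES/3DES");
        }
        if (cipherAndMac.contains("RC4")) {
            reasons.add("RC4");
        }
        if (cipherAndMac.endsWith("_MD5")) {
            reasons.add("MD5");
        }
        if (keyExchange.endsWith("_DSS")) {
            reasons.add("DSS");
        }
        // Only ephemeral key exchange (DHE/ECDHE) provides forward secrecy;
        // static RSA, DH and ECDH do not.
        if (!keyExchange.contains("_DHE_") && !keyExchange.contains("_ECDHE_")) {
            reasons.add("no forward secrecy");
        }
        return reasons;
    }

    public static void main(String[] args) throws Exception {
        // Suites the default JSSE provider of this JVM can negotiate.
        SSLParameters supported = SSLContext.getDefault().getSupportedSSLParameters();
        for (String suite : supported.getCipherSuites()) {
            List<String> reasons = weaknesses(suite);
            System.out.println(reasons.isEmpty() ? "ok    " + suite
                                                 : "WEAK  " + suite + "  " + reasons);
        }
    }
}
```

Run it with the same JDK that starts the server, once with and once without the JCE Unlimited Strength Jurisdiction Policy installed, to see the 256-bit suites appear.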