Given below are the cipher suites that are functional in Tomcat (Tomcat version 7.0.59 with the JSSE providers 7/8) for the following SSL protocols: TLSv1, TLSv1.1 and TLSv1.2. See Configuring Transport-Level Security for instructions on how to enable the required ciphers and to disable the weak ciphers for your WSO2 server.
See the following topics:
Table of Contents |
---|
Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.8
The following cipher suites are supported by Tomcat version 7.0.59 and Oracle JDK 1.8:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256256
The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with Tomcat 7.0.59 and Oracle JDK 1.8:
...
Given below are the cipher suites that are functional in Tomcat (Tomcat version 7.0.59 with the JSSE providers 7/8) for the following SSL protocols: TLSv1, TLSv1.1 and TLSv1.2. See Configuring Transport-Level Security for instructions on how to enable the required ciphers and to disable the weak ciphers for your WSO2 server.
See the following topics:
Table of Contents
Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.8
The following cipher suites are supported by Tomcat version 7.0.59 and Oracle JDK 1.8:
TLS_ECDHE_ECDSA_WITH_AES_256128_GCMCBC_SHA384SHA256
TLS_ECDHE_RSA_WITH_AES_256128_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
CBC_SHA256
TLS_ECDHDHE_RSA_WITH_AES_256128_GCMCBC_SHA384SHA256
TLS_DHEECDHE_RSAECDSA_WITH_AES_256128_GCMCBC_SHA384SHA
TLS_DHEECDHE_DSSRSA_WITH_AES_256_GCM_SHA384
Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.7
...
128_CBC_SHA
TLS_ECDHEDHE_ECDSARSA_WITH_AES_128_CBC_SHA256SHA
TLS_ECDHE_RSAECDSA_WITH_AES_128_CBCGCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBCGCM_SHA256
TLS_ECDHDHE_ECDSARSA_WITH_AES_128_CBC_SHA256_GCM_SHA256
The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with Tomcat 7.0.59 and Oracle JDK 1.8:
TLS_ECDHECDHE_RSAECDSA_WITH_AES_128256_CBC_SHA256SHA384
TLS_DHEECDHE_RSA_WITH_AES_128256_CBC_SHA256SHA384
TLS_DHE_DSSRSA_WITH_AES_128256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128256_CBC_SHA
TLS_ECDHECDHE_ECDSA_WITH_AES_128256_CBCGCM_SHASHA384
TLS_ECDHECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
256_GCM_SHA384
TLS_DHE_DSSRSA_WITH_AES_128256_CBC_SHAGCM_SHA384
Cipher suites supported by Tomcat 7.0.59 and Oracle JDK 1.7
The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with are supported by Tomcat version 7.0.59 and Oracle JDK 1.7:
TLS_ECDHE_ECDSA_WITH_AES_256128_CBC_SHA384SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256128_CBC_SHA256
TLS_ECDHDHE_ECDSARSA_WITH_AES_256128_CBC_SHA384SHA256
TLS_ECDHECDHE_RSAECDSA_WITH_AES_256128_CBC_SHA384SHA
TLS_DHEECDHE_RSA_WITH_AES_256128_CBC_SHA256SHA
TLS_DHE_DSSRSA_WITH_AES_256_CBC_SHA256128_CBC_SHA
The following additional cipher suites will be supported if JCE Unlimited Strength Jurisdiction Policy is used with Tomcat version 7.0.59 and Oracle JDK 1.7:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHASHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHASHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHASHA256
TLS_ECDHECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Weak ciphers
Note |
---|
Listed below are the relatively weaker cipher suites (which use DES/3DES, RC4 and MD5). It is not recommended to use these cipher suites for the following reasons:
|
The following cipher suites are weak for Tomcat version 7.0.59 when either JDK version (7/8) is used. The same applies if JCE Unlimited Strength Jurisdiction Policy is used.
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
The following cipher suites are weak for Tomcat version 7.0.59 and JDK version 1.7:
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5