Question

What are the ciphers supported by JSSE in Apache Tomcat server? How can I enable AES256 and reorder the ciphers?


Solution

If you aren't using the APR native connector, Tomcat supports whatever Java supports, which does include AES256, possibly requiring the unlimited-strength crypto JARs.

If you are using native APR, Tomcat supports whatever its OpenSSL supports, which you can determine, somehow, via the OpenSSL.exe command.

The enabled cipher suites should be configurable in the Connector element of server.xml.

OTHER TIPS

HOWTO: Get Tomcat to use the 256-bit AES (and other algorithm ciphers)

1) Most likely you don't have the unlimited strength file installed now.

You may need to download this file:

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Install the file in

${java.home}/jre/lib/security/

2) edit your server.xml file and put in only the 256 bit ciphers:

EXAMPLE: W/ 256 only

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="keystore.p12"
           keystorePass="<MY_PASSWORD>" keystoreType="PKCS12"
           clientAuth="want" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

EXAMPLE: W/ 256 & 128

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="keystore.p12"
           keystorePass="<MY_PASSWORD>" keystoreType="PKCS12"
           clientAuth="want" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

3) Restart Tomcat and hit the main default Tomcat page:

https://localhost:8443/

REFERENCES:


Java Security: Illegal key size or default parameters?

java aes 256 java.security.InvalidKeyException: Illegal key size after installation the policy

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4

http://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv

http://blog.bitmelt.com/2013/11/tomcat-ssl-hardening.html
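Both answers come down to "Tomcat offers whatever the JVM's JSSE offers, subject to the jurisdiction policy files, in the order you write them in ciphers". The following is an added example, not code from either answer, from Tomcat or from the JDK: a small Java program that lists what this JVM's JSSE can negotiate, checks whether AES-256 is actually permitted by the installed policy, validates a ciphers="..." value as written in server.xml against the JVM's supported list, and reorders it strongest-first. The class name, the ranking policy in rank() and the sample attribute value (the page's "256 & 128" list plus one deliberately malformed name) are this example's own choices.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

// Added example (not Tomcat's or the JDK's code): inspect what JSSE offers on
// this JVM and sanity-check / reorder a Tomcat ciphers="..." attribute value.
public class TomcatCipherCheck {

    // Every suite the default JSSE provider can negotiate: this is what
    // "Tomcat supports whatever Java supports" means on a given JVM.
    public static Set<String> supportedSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
    }

    // The subset enabled when the Connector has no ciphers attribute at all.
    public static Set<String> defaultSuites() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new TreeSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
    }

    // With the "limited" jurisdiction policy files in place this returns false
    // (max AES key length 128): every *_AES_256_* suite is then unusable even
    // though it is listed as supported and appears in the ciphers attribute.
    public static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Split a server.xml ciphers="..." value: comma separated, whitespace ignored.
    public static List<String> parseCiphersAttr(String attr) {
        List<String> out = new ArrayList<>();
        for (String s : attr.split(",")) {
            String name = s.trim();
            if (!name.isEmpty()) out.add(name);
        }
        return out;
    }

    // Names the JVM does not know. A typo such as a missing "TLS_" prefix lands
    // here; Tomcat itself would only log a warning and silently skip the suite.
    public static List<String> unsupported(List<String> configured, Set<String> supported) {
        List<String> bad = new ArrayList<>();
        for (String c : configured) if (!supported.contains(c)) bad.add(c);
        return bad;
    }

    // Preference score, lower is better; -1 means "drop it". Forward-secret key
    // exchange first, then AES-256 over AES-128 and GCM over CBC. RC4, 3DES,
    // NULL and anonymous suites are excluded outright.
    static int rank(String s) {
        if (s.contains("_RC4_") || s.contains("3DES") || s.contains("_NULL_") || s.contains("_anon_")) return -1;
        int kx = s.startsWith("TLS_ECDHE_") ? 0 : s.startsWith("TLS_DHE_") ? 1 : 2;
        int bulk = s.contains("_AES_256_GCM_") ? 0 : s.contains("_AES_128_GCM_") ? 1
                 : s.contains("_AES_256_CBC_") ? 2 : s.contains("_AES_128_CBC_") ? 3 : 4;
        return kx * 10 + bulk;
    }

    // Keep only suites this JVM supports and rank() accepts, strongest first.
    public static List<String> preferredOrder(List<String> configured, Set<String> supported) {
        List<String> kept = new ArrayList<>();
        for (String c : configured) if (supported.contains(c) && rank(c) >= 0) kept.add(c);
        kept.sort(Comparator.comparingInt(TomcatCipherCheck::rank)
                            .thenComparing(Comparator.<String>naturalOrder()));
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the page's "256 & 128" list, preceded by one
        // deliberately malformed name (no TLS_ prefix) to exercise unsupported().
        String attr = "ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
                + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
                + "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,"
                + "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,"
                + "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA";

        System.out.println("AES-256 permitted by jurisdiction policy: " + aes256Allowed());
        Set<String> supported = supportedSuites();
        System.out.println("JSSE supports " + supported.size() + " suites, "
                + defaultSuites().size() + " enabled by default");

        List<String> configured = parseCiphersAttr(attr);
        System.out.println("Not recognised by this JVM: " + unsupported(configured, supported));
        System.out.println("Suggested ciphers=\"" + String.join(",", preferredOrder(configured, supported)) + "\"");
    }
}
```

Run it with the same JVM that runs Tomcat (javac TomcatCipherCheck.java && java TomcatCipherCheck), since the supported list and the policy limit are per-JDK installation. The order of the ciphers attribute only decides what is negotiated if Tomcat is told to prefer its own order over the client's: on Tomcat 7/8 that is the useServerCipherSuitesOrder Connector attribute, on later versions honorCipherOrder on the SSLHostConfig; check the connector reference for the version in use.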

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow