背景知识:
1、cipher 是由服务进行端选择的。
2、服务端选择之前会和客户端进行协商,优先选择客户端支持的cipher。
3、如果客户端支持的cipher都不被服务端支持,则通信异常。
4、Tomcat设置cipher的方法为:在server.xml中SSL connector中的ciphers字段中设置相应的套件。
5、Tomcat7.0支持设置cipher的优先顺序,但需要Tomcat 7.0.60以上版本及JAVA 8或更新的JAVA版本。
6、如果Tomcat不设置cipher的优先顺序,服务端将以客户端的cipher列表中的先后顺序选择cipher。
7、Tomcat cipher的顺序:server.xml的ciphers字段中的顺序决定了协商时的优先顺序,所以应该将同意使用的套件按安全性强弱排列。
useServerCipherSuitesOrder:
Set to true to enforce the server's cipher order (from the ciphers setting). Set to false to choose >the first acceptable cipher suite presented by the client. Use of this feature requires Java 8 or >later. Default is undefined, leaving the choice up to the JSSE implementation.
版本支持:
Tomcat 7.0.60 (violetagg)
Catalina55988: Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This >feature requires Java 8 and is controlled by useServerCipherSuitesOrder attribute on an HTTP >connector. Based upon patches provided by Ognjen Blagojevic. (schultz)</pre>
设置方法:
<Connector port="8443"
protocol="user.Http11Protocol"
SSLEnabled="true"
sslEnabledProtocols="TLSv1,TLSv1.2"
useServerCipherSuitesOrder="true"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
scheme="https"
secure="true"
clientAuth="false"
connectionTimeout="20000"
redirectPort="8443"
URIEncoding="UTF-8"
keystoreFile="keystore.jks"
keystorePass="password" />参考:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html