SSL证书加密算法优化之 Tomcat


SSL证书加密算法优化之 Tomcat

优化加密算法（cipher，即密码套件 cipher suite）

(a)适用于 Tomcat 5, 6

在 Tomcat 目录下的 server.xml 文件中，加入下面标出的文字（原文以绿色标出，即 ciphers 属性及其取值）：

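<!-- Tomcat 5/6 HTTPS connector (JSSE). The part this page adds is the "ciphers"
     attribute; the other attributes are the page's sample values (the address,
     keystore paths and passwords are placeholders, not real credentials).

     Notes for whoever applies this:
       * keystorePass / truststorePass are stored in clear text here, so server.xml
         must only be readable by the account Tomcat runs as.
       * sslProtocol normally names the SSLContext protocol as a single value (e.g.
         "TLS"); a comma-separated list of versions is what sslEnabledProtocols takes
         on releases that support it. NOTE(review): confirm against the docs of the
         installed Tomcat 5/6 build before relying on this line to exclude SSLv3.
       * The list below keeps RC4, single DES, 3DES and 40-bit "EXPORT" suites, as
         given by the page for old-client compatibility. A client that negotiates one
         of them gets weak encryption; drop them unless such clients are really
         required, and check which suites are actually negotiated in practice.
       * Entries must be JSSE cipher-suite names known to the JVM in use; the list is
         the page's and has not been validated against a specific JVM.
       * The whole list is one attribute value. The line breaks are for readability
         and assume Tomcat trims each comma-separated entry (TODO confirm for this
         release); if in doubt, put the list on a single line. -->
<Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
           truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"
           sslProtocol="TLSv1, TLSv1.1, TLSv1.2"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,
                    SSL_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
                    SSL_RSA_WITH_DES_CBC_SHA,
                    SSL_DHE_RSA_WITH_DES_CBC_SHA,
                    SSL_DHE_DSS_WITH_DES_CBC_SHA,
                    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
                    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
                    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
                    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
/>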

(b)适用于 Tomcat 7, 8

在 Tomcat 目录下的 server.xml 文件中，加入下面标出的文字（原文以绿色标出，即 ciphers 属性及其取值）：

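<!-- Tomcat 7/8 HTTPS connector (JSSE). The part this page adds is the "ciphers"
     attribute; the other attributes are the page's sample values (the address,
     keystore paths and passwords are placeholders, not real credentials).

     Notes for whoever applies this:
       * keystorePass / truststorePass are stored in clear text here, so server.xml
         must only be readable by the account Tomcat runs as.
       * On Tomcat 7/8 the SSLContext protocol goes in sslProtocol (a single value)
         and the list of permitted versions in sslEnabledProtocols; the page's
         original put the version list in sslProtocol.
       * The last entry is TLS_EMPTY_RENEGOTIATION_INFO_SCSV (the page had a trailing
         "F"). It is a signalling value for secure renegotiation, not a cipher suite.
       * The list still contains RC4 suites (TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
         TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA) and 3DES
         suites, and the static TLS_ECDH_* suites give no forward secrecy. They are
         kept as the page gives them; drop the RC4/3DES ones unless old clients are
         really required. The order lists CBC suites ahead of GCM; if the server is to
         prefer ECDHE/GCM, put those first and (Tomcat 8) set
         useServerCipherSuitesOrder="true" - confirm availability on the release used.
       * Entries must be JSSE cipher-suite names known to the JVM in use; the list is
         the page's and has not been validated against a specific JVM.
       * The whole list is one attribute value; the line breaks are for readability
         and assume Tomcat trims each comma-separated entry (TODO confirm). -->
<Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
           truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                    TLS_ECDH_RSA_WITH_RC4_128_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
/>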