| Summary: | java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setUseCipherSuitesOrder during tomcat 8.5.0 start | | |
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Huxing Zhang <huxing.zhang> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 8.0.x-trunk | | |
| Target Milestone: | ---- | | |
| Hardware: | All | | |
| OS: | All | | |
| Attachments: | remove honorCipherOrder in SSLConfig configuration | | |
Description
Huxing Zhang
2016-03-22 06:07:19 UTC
Created attachment 33689 [details]
remove honorCipherOrder in SSLConfig configuration
Hi,

Thanks for the report and the patch. The fix will be available from 9.0.0.M5 and 8.5.1 onwards.

Regards,
Violeta

Hi Violeta,

Should this patch be applied to 9.0.0.x? My main concern is: Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat will prefer a cipher suite that is blacklisted by HTTP/2. [1]

[1] http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/Http2UpgradeHandler.html

(In reply to Huxing Zhang from comment #3)
> Hi Violeta,
>
> Should this patch be applied to 9.0.0.x? My main concern is:
> Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat
> will prefer a cipher suite that is blacklisted by HTTP/2. [1]

Yep, you are right. I'll revert that in 9.0.0.x.

Thanks,
Violeta

> [1]
> http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/
> Http2UpgradeHandler.html

(In reply to Huxing Zhang from comment #3)
> Hi Violeta,
>
> Should this patch be applied to 9.0.0.x? My main concern is:
> Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat
> will prefer a cipher suite that is blacklisted by HTTP/2.

If that cipher suite has been blacklisted by h2, then why are you specifying it in your cipher suites list, or why are you specifying it early in the list of supported cipher suites?

Hi,

I think specifying cipher suites is another solution, but it may be more complicated, because:

1) we don't know what HTTP version the client will use, HTTP/1.x over TLS or HTTP/2 over TLS
2) different clients may support different protocols, e.g. ECDHE-ECDSA-CHACHA20-POLY1305 is only supported by Chrome

You have to care about the cipher list, as well as the cipher order.
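To make the trade-off in this thread concrete (honorCipherOrder="false" versus ordering the server's own cipher list), here is an added Python example; it is not part of the bug report or of Tomcat. It approximates the RFC 7540 HTTP/2 cipher-suite rule by suite name (ephemeral key exchange plus an AEAD cipher), mimics TLS 1.2 suite selection for both settings of honorCipherOrder, and uses a constructed server list and a constructed Chrome-like client list.

```python
# Added example (not from the Tomcat bug report or Tomcat's own code).
# Shows why a server-preferred, non-h2 cipher suite breaks HTTP/2 clients when
# honorCipherOrder="true", and why honorCipherOrder="false" or reordering the
# server list avoids it. Suite names are JSSE-style; the blacklist check is a
# name-based approximation of RFC 7540 section 9.2.2 (ephemeral KE + AEAD).
from typing import List, Optional


def is_h2_blacklisted(suite: str) -> bool:
    """True if the suite lacks ephemeral key exchange or is not an AEAD suite."""
    ephemeral = "_ECDHE_" in suite or "_DHE_" in suite
    aead = "_GCM_" in suite or "CHACHA20_POLY1305" in suite or "_CCM" in suite
    return not (ephemeral and aead)


def negotiated_suite(server: List[str], client: List[str],
                     honor_cipher_order: bool) -> Optional[str]:
    """TLS 1.2 selection: the preferring side's first suite common to both wins."""
    preferred, other = (server, client) if honor_cipher_order else (client, server)
    for suite in preferred:
        if suite in other:
            return suite
    return None  # no common suite: handshake fails


def h2_would_fail(server: List[str], client: List[str],
                  honor_cipher_order: bool) -> bool:
    """True if an h2 client would reject the outcome (INADEQUATE_SECURITY or no suite)."""
    chosen = negotiated_suite(server, client, honor_cipher_order)
    return chosen is None or is_h2_blacklisted(chosen)


# Constructed sample data: a server list that leads with the TLS 1.2 mandatory
# suite (h2-blacklisted), and a client list that prefers ECDHE + AEAD suites.
SERVER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
CLIENT = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for honor in (True, False):
        print(f'honorCipherOrder="{str(honor).lower()}": '
              f"{negotiated_suite(SERVER, CLIENT, honor)} "
              f"h2_fails={h2_would_fail(SERVER, CLIENT, honor)}")
```

Moving the ECDHE/AEAD suites to the front of SERVER makes honorCipherOrder="true" safe for h2 as well, which is the alternative the thread discusses.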