Configuring Spectrum Tomcat cipher order for ssl

Document ID : KB000122458
Last Modified Date : 05/12/2018
Introduction:
According to Oracle documentation, you can configure Tomcat to enforce the server's cipher order instead of letting the client choose the cipher:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html

honorCipherOrder

Set to true to enforce the server's cipher order (from the ciphers setting) instead of allowing the client to choose the cipher. The default is false.

Instructions:
Setting honorCipherOrder on the SSL connector does not work. Instead, use its alias:

useServerCipherSuitesOrder

This is an alias for the honorCipherOrder attribute of the default SSLHostConfig element.


In the $SPECROOT/tomcat/conf/server.xml file, add the following attribute to the SSL connector statement:

useServerCipherSuitesOrder="true"

Restart (cycle) the Spectrum Tomcat process so the change takes effect.

Additional Information:
After the restart, running the testssl.sh script (obtained from the web; this is not a CA or Broadcom script) against the server shows:

Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 570 bit ECDH (B-571)
 Cipher order
    TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384
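The two steps above (adding the attribute to the SSL connector, then confirming that the server enforces its order) as one added shell example. This script is not part of the KB article or of Spectrum; the server.xml it writes is a constructed stand-in, so the port, keystore path and cipher list are assumptions, and the check assumes `openssl` is installed and the patched Tomcat has been restarted. Where testssl.sh reports "Has server cipher order?", the check below reaches the same conclusion by offering the same two suites in opposite orders and comparing what the server negotiates.

```shell
#!/bin/sh
# Added example, not part of the KB article or of Spectrum/Tomcat.
# 1) add useServerCipherSuitesOrder="true" to the SSL Connector in a server.xml
# 2) verify from a client that the server now enforces its own cipher order
set -eu

# Constructed stand-in for $SPECROOT/tomcat/conf/server.xml. Port, keystore
# path and cipher list are assumptions; a real Spectrum server.xml differs.
write_sample_server_xml() {
  cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
  </Service>
</Server>
EOF
}

# Insert useServerCipherSuitesOrder="true" right after SSLEnabled="true" on the
# SSL Connector. Idempotent: a file that already has the attribute is left alone.
# Assumes the attribute is written exactly as SSLEnabled="true" (adjust if not).
enable_server_cipher_order() {
  file="$1"
  if grep -q 'useServerCipherSuitesOrder="true"' "$file"; then
    return 0
  fi
  sed 's/SSLEnabled="true"/SSLEnabled="true" useServerCipherSuitesOrder="true"/' \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Cipher the server picks when the client offers the given OpenSSL cipher list.
# Needs network access to the running, restarted Tomcat; empty output on failure.
negotiated_cipher() {
  openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null \
    | sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# Offer the same two suites in opposite orders. A server that honours its own
# order negotiates the same suite both times; one that follows the client's
# order picks whichever suite the client listed first, so the results differ.
server_honors_order() {
  a=$(negotiated_cipher "$1" "$2" 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384')
  b=$(negotiated_cipher "$1" "$2" 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh check_cipher_order.sh <host> <port>  (after patching and restarting Tomcat)
if [ $# -ge 2 ]; then
  if server_honors_order "$1" "$2"; then
    echo "Has server cipher order? yes"
  else
    echo "Has server cipher order? no (or the connection failed)"
  fi
fi
```

The sed edit is deliberately narrow: it only touches the `SSLEnabled="true"` attribute, so a plain HTTP connector in the same file is not modified, and running it twice does not duplicate the attribute. The openssl check is independent of testssl.sh and is a quick way to confirm the behaviour the KB describes before and after the restart.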