This is now beginning to sound like a Tomcat configuration question. Although I have no personal experience with Tomcat, some links suggest that this section of the Tomcat documentation guide looks appropriate, in particular the ciphers attribute in the configuration file conf/server.xml. From the docs:
ciphers attribute:
The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
documentation for the list of ciphers supported and the syntax).
Alternatively, a comma separated list of ciphers using the standard
OpenSSL cipher names or the standard JSSE cipher names may be used.
When converting from OpenSSL syntax to JSSE ciphers for JSSE based
connectors, the behaviour of the OpenSSL syntax parsing is kept
aligned with the behaviour of the OpenSSL 1.1.0 development branch.
Only the ciphers that are supported by the SSL implementation will be
used.
If not specified, a default (using the OpenSSL notation) of
HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA will be used.
Note that, by default, the order in which ciphers are defined is
treated as an order of preference. See honorCipherOrder.
So you now have a way to specify what you want. Actually, you have two ways, either OpenSSL syntax or a JSSE ciphersuite list, and each has its pros and cons.
The OpenSSL syntax provides a compact specification that allows you to specify what you don't want in addition to what you do. The downside is that the terse notation makes it hard to understand just what you're getting.
The JSSE ciphersuite syntax is quite straightforward. You just explicitly list each allowable ciphersuite from this long list (check here for Java 11), separated by commas. The downside is that as new ciphers are added over time you will have to add to this list to allow their use.
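As an added illustration of the two forms the answer above describes (this fragment is not part of the answer and not taken from the Tomcat docs), here is a conf/server.xml excerpt for Tomcat 8.5/9 showing one HTTPS connector configured with the OpenSSL syntax and a second one configured with an explicit JSSE list. The ports, keystore path and password are placeholders; in a real deployment you would keep only one of the two connectors. The suite choices (ECDHE key exchange with AEAD ciphers only) are my own selection, not a Tomcat default.

```xml
<!-- Added example: two ways to set the cipher list on a Tomcat HTTPS connector.
     Keystore path/password and ports are placeholders. -->

<!-- Form 1: OpenSSL syntax. Compact, and lets you exclude whole classes of
     suites (no anonymous auth, no NULL encryption, no static RSA key exchange).
     honorCipherOrder="true" makes the server's order, not the client's, win. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA">
        <Certificate certificateKeystoreFile="conf/localhost.p12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Form 2: explicit JSSE names, comma separated. Easy to read and audit,
     but every new suite you want to allow must be appended by hand.
     A name the running JVM does not support is silently dropped. -->
<Connector port="8444"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" maxThreads="150">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="conf/localhost.p12"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

To see what an OpenSSL-syntax string actually expands to before you trust it, run `openssl ciphers -v '<your string>'` on any machine with OpenSSL installed; it prints one line per matching suite with its key exchange, authentication and encryption, which is the "what you're getting" that the terse notation hides. Note that the expansion is OpenSSL's, and the docs quoted above say Tomcat's parser tracks OpenSSL 1.1.0 behaviour and then drops anything the JVM's SSL implementation lacks, so the final list on a JSSE connector can be shorter. After restarting Tomcat, confirm the result from the outside with a scanner or with `openssl s_client -connect host:8443 -cipher 'kRSA'`, which should fail to negotiate if static RSA key exchange is really excluded.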