
Tomcat does not support ECDHE-ECDSA* ciphers. Configuration and version information is given below.

  • OS is CentOS 6.5 x64
  • Tomcat version is 7.0.56; Tomcat Native version is 1.1.30 (Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.3.9.)
  • Java is Oracle jdk1.8.0_20

SSL config in Tomcat server.conf:

SSLHonorCipherOrder="true" SSLDisableCompression="true"
SSLCipherSuite="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA38:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:AES128-GCM-SHA256:AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5"

But the sslscan script displays the ECDHE-ECDSA* ciphers as "Failed":

Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-SHA384

The SSLLabs site also does display ECDHE-ECDSA* ciphers.

I know about the bug record mentioned here: https://issues.apache.org/bugzilla/show_bug.cgi?id=55915; it is closed-fixed (and verified).

The sslscan script, with the SSLCipherSuite configured as above, returns only the following ciphers as accepted:

Accepted  SSLv3  256 bits  ECDHE-RSA-AES256-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  128 bits  ECDHE-RSA-DES-CBC3-SHA
Accepted  SSLv3  128 bits  AES128-SHA
Accepted  SSLv3  128 bits  DES-CBC3-SHA
Accepted  SSLv3  128 bits  ECDHE-RSA-RC4-SHA
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  128 bits  RC4-MD5
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  128 bits  ECDHE-RSA-DES-CBC3-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  128 bits  DES-CBC3-SHA
Accepted  TLSv1  128 bits  ECDHE-RSA-RC4-SHA
Accepted  TLSv1  128 bits  RC4-SHA
Accepted  TLSv1  128 bits  RC4-MD5

Any help is appreciated.

jdiver
    (Late but) Do you have an ECDSA (ECC signing) cert and key configured? You obviously have an RSA cert & key because of the ciphers that succeeded, and AFAIK Tomcat/APR cannot configure multiple cert & key pairs (although the underlying OpenSSL could support it). – dave_thompson_085 Dec 05 '14 at 05:13
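The distinction dave_thompson_085's comment draws can be checked without a live server, as an added example that is not code from the question or from Tomcat: an OpenSSL-style suite name already says which certificate key type it authenticates with, so the configured SSLCipherSuite and an sslscan report can be cross-checked offline. The cipher list below is a subset of the one in the question, the scan lines are constructed in sslscan's format, and the function names (auth_of, parse_sslscan, negotiable, diagnose) are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the question's SSLCipherSuite value and
# sslscan result lines in the format shown in the question (not a live scan).
SSL_CIPHER_SUITE = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
                    "ECDHE-RSA-AES256-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-SHA")
SSLSCAN_OUTPUT = """\
Failed    SSLv3  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed    TLSv1  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256
Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  128 bits  AES128-SHA
"""

def auth_of(suite):
    """Certificate key type an OpenSSL-named suite authenticates with:
    ECDHE-ECDSA-* needs an EC cert; ECDHE-RSA-* and bare suites such as
    AES128-SHA or RC4-MD5 (RSA key exchange) need an RSA cert; ADH/AECDH none."""
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon"
    return "ECDSA" if "-ECDSA-" in suite else "RSA"

def parse_sslscan(text):
    """Return (status, protocol, bits, suite) tuples from sslscan cipher lines."""
    pat = re.compile(r"^(Accepted|Failed|Rejected)\s+(\S+)\s+(\d+) bits\s+(\S+)")
    rows = [pat.match(line.strip()) for line in text.splitlines()]
    return [(m[1], m[2], int(m[3]), m[4]) for m in rows if m]

def negotiable(cipher_list, cert_key_types):
    """Suites the server can really offer, given the cert key types it holds."""
    allowed = set(cert_key_types) | {"anon"}
    return [s for s in cipher_list.split(":") if auth_of(s) in allowed]

def diagnose(cipher_list, scan_text):
    """Group configured-but-failed suites by auth algorithm; failures under an
    algorithm with no accepted suite at all point to a missing certificate of
    that key type, not to a problem with the cipher string itself."""
    configured = set(cipher_list.split(":"))
    results = parse_sslscan(scan_text)
    accepted = {auth_of(s) for status, _, _, s in results if status == "Accepted"}
    failed = defaultdict(set)
    for status, _, _, suite in results:
        if status != "Accepted" and suite in configured:
            failed[auth_of(suite)].add(suite)
    missing = {a for a in failed if a not in accepted and a != "anon"}
    return {"accepted_auths": accepted, "missing_cert_types": missing,
            "failed_by_auth": {a: sorted(v) for a, v in failed.items()}}
```

With cert_key_types={"RSA"}, negotiable() drops every ECDHE-ECDSA suite from the list, which is exactly the pattern the scan in the question shows.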

1 Answer


I think it's not for the Tomcat server.

(These cipher names are for MS servers.)

In Tomcat, cipher names use underscores (_), not hyphens (-).

Check this link

apm