Securing SSL in Tomcat - Part Three - OpenSSL instead of JSSE
Some Tomcat distributions differ from the version downloadable from tomcat.apache.org in that they use the APR connector. When SSL is used with the APR connector, the ciphers directive normally placed in server.xml (described in Part Two of this series) will not work. This is because APR uses a native connection, and a native SSL connection is handled by OpenSSL instead of JSSE.
If you want to disable weak encryption ciphers and your HTTP connector uses Http11AprProtocol rather than Http11Protocol or the non-blocking Http11NioProtocol, use the SSLCipherSuite directive instead of ciphers. Because an APR Tomcat implementation uses OpenSSL, the same OpenSSL cipher string used to disable weak ciphers on a BigIP or in Apache works in Tomcat. The following directive disables weak, null, and anonymous ciphers in a Tomcat APR connector:
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
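As an added example that is not from the original post, here is a server.xml fragment showing an APR connector where the JSSE-style ciphers directive is silently ignored, beside the corrected form using SSLCipherSuite. The certificate and key paths, and the JSSE cipher list value, are placeholders.

```xml
<!-- Ineffective: "ciphers" is a JSSE setting and is ignored by the APR/native connector,
     so every cipher OpenSSL supports stays enabled, including weak and anonymous ones. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/PLACEHOLDER/path/to/server.crt"
           SSLCertificateKeyFile="/PLACEHOLDER/path/to/server.key"
           ciphers="JSSE_CIPHER_LIST_FROM_PART_TWO" />

<!-- Corrected: the APR connector takes an OpenSSL cipher string via SSLCipherSuite.
     ALL (which already excludes NULL-encryption suites) minus anonymous DH (ADH),
     SSLv2 suites, 40-bit and other export grades (EXPORT40, EXP), and low-strength (LOW). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/PLACEHOLDER/path/to/server.crt"
           SSLCertificateKeyFile="/PLACEHOLDER/path/to/server.key"
           SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW" />
```

To see exactly which suites the string leaves enabled on the OpenSSL build Tomcat links against, run openssl ciphers -v 'ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW' on that host and review the list before restarting Tomcat.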
Note: If you are using a non-APR/non-native HTTP connector in Tomcat (Http11Protocol or Http11NioProtocol), see Part Two instead. Part Two details how to disable weak encryption ciphers using a Java connector, which uses JSSE for SSL support.