What ciphers are compatible with both Java 6/Tomcat 7 and IE8 (XP)?

Question

I have disabled SSL3 and restricted the ciphers available to a recommended set but now I can't access my server using IE8 on Windows XP. If I allow all ciphers then I can connect using IE8 but when I specify a restricted set of ciphers I can't. Seems to me that I need to add the right cipher and then IE8 will work fine.

When I have all ciphers enabled and access the site using IE8 I can see the connection is using TLS 1.0, RC4 with 128 bit encryption and RSA:

Internet Explorer 8 https connection

I tried adding this cipher: TLS_RSA_WITH_RC4_128_SHA. But I don't think Tomcat/Java recognised it.

My connector looks like this:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="C:\somewhere\my.keystore"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
           TLS_RSA_WITH_AES_256_CBC_SHA" />

I'm using Tomcat 7 and Java 6

This might be a red herring but I've been referring to these cipher suites as I think I'm restricted to these by Java 6. Additionally I've been referring to the ciphers this document (page 30) says IE8 on XP supports. Unfortunately I can't find a match between the 2 sets of ciphers.

UPDATE:

My IE8 browser on XP seems to only support these cipher suites:

enter image description here

I've updated the ciphers for Tomcat to include all of these but I still can't connect:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_DES_CBC_SHA,TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"

I don't know why I can connect with ALL ciphers enabled but if I specify every cipher supported by the browser I still can't connect

So it's not connecting with the cipher spec you have listed, correct? But with all ciphers enabled on the same Tomcat service it connects? — Shane Madden, Nov 19 '14 at 18:16
That's right. So there must be a common cipher that both support... surely — Edd, Nov 19 '14 at 18:23
That works... but isn't this an SSL connection? My main intention is to disable SSL and weak ciphers where possible — Edd, Nov 19 '14 at 18:38

score 3 · Accepted Answer · answered Nov 19 '14 at 18:44

SSL_RSA_WITH_RC4_128_SHA should work - the reason for this is just a difference in terminology, the ciphers in Java 6 that required TLS were the only ones that have the TLS on the name. This particular cipher spec works under TLS as well as SSL despite the name.

This configuration should allow connections from IE8 on XP while still rejecting SSLv3 connections, since the enabled protocols are controlled with sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1".

Verify that it's not accepting SSLv3 connections with openssl s_client -ssl3 -connect example.com:443.

What ciphers are compatible with both Java 6/Tomcat 7 and IE8 (XP)?

UPDATE:

1 Answers1