I’m trying to create a self-signed certificate for use with Apache Tomcat 6. Every certificate I can make always results in the browser connecting with AES-128. The customer would like me to demonstrate that I can create a connection at AES-256.
I’ve tried Java’s keytool and openssl. I’ve tried with a variety of parameters, but can’t seem to specify anything about the key size, just the signature size.
How can I get the browser-Tomcat connection to use AES-256 with a self-signed certificate?
Okie doke, I think I just figured this out.
As I said above, the key bit of knowledge is that the cert doesn’t matter, so long as it’s generated with an algorithm that supports AES 256-bit encryption (e.g., RSA). Just to make sure that we’re on the same page, for my testing, I generated my self-signed cert using the following:
Now, you have to make sure that your Java implementation on your server supports AES-256, and this is the tricky bit. I did my testing on an OS X (OS 10.5) box, and when I checked to see the list of ciphers that it supported by default, AES-256 was NOT on the list, which is why using that cert I generated above only was creating an AES-128 connection between my browser and Tomcat. (Well, technically, TLS_RSA_WITH_AES_256_CBC_SHA was not on the list — that’s the cipher that you want, according to this JDK 5 list.)
For completeness, here’s the short Java app I created to check my box’s supported ciphers:
It turns out that JDK 5, which is what this OS X box has installed by default, needs the ‘Unlimited Strength Jurisdiction Policy Files’ installed in order to tell Java that it’s OK to use the higher-bit encryption levels; you can find those files here (scroll down and look at the top of the ‘Other Downloads’ section). I’m not sure offhand if JDK 6 needs the same thing done, but the same policy files for JDK 6 are available here, so I assume it does. Unzip that file, read the README to see how to install the files where they belong, and then check your supported ciphers again… I bet AES-256 is now on the list.
If it is, you should be golden; just restart Tomcat, connect to your SSL instance, and I bet you’ll now see an AES-256 connection.
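The answer's own cipher-listing program is not reproduced in the post; the following is an added example (not the answerer's code) that does the same check and additionally reports whether the installed JCE policy files permit 256-bit AES at all. It assumes the default JSSE provider and the "TLS" context name, and it uses only APIs present in JDK 5.

```java
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class CipherCheck {
    // The suite the answer identifies as the one the browser must negotiate for AES-256.
    static final String WANTED = "TLS_RSA_WITH_AES_256_CBC_SHA";

    // Returns the largest AES key length the current jurisdiction policy allows.
    // 128 means the default (restricted) policy; Integer.MAX_VALUE means unlimited strength.
    static int maxAesKeyLength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Socket factory from a default-initialised TLS context (SSLContext.getInstance
    // plus init(null, null, null) works on JDK 5, unlike SSLContext.getDefault()).
    static SSLSocketFactory defaultFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyLength();
        System.out.println("Max AES key length allowed by policy: " + max
                + (max < 256 ? "  -> restricted policy, AES-256 suites cannot be used" : ""));

        SSLSocketFactory f = defaultFactory();
        // Suites enabled out of the box versus every suite the provider could offer.
        List<String> enabled = Arrays.asList(f.getDefaultCipherSuites());
        List<String> supported = Arrays.asList(f.getSupportedCipherSuites());

        System.out.println("Enabled cipher suites:");
        for (String s : enabled) {
            System.out.println("  " + s);
        }

        if (enabled.contains(WANTED)) {
            System.out.println(WANTED + " is enabled: an AES-256 connection is possible.");
        } else if (supported.contains(WANTED)) {
            // Supported but not default-enabled: the policy limits it or a suite list excludes it.
            System.out.println(WANTED + " is supported but not enabled.");
        } else {
            System.out.println(WANTED + " is not available in this JVM.");
        }
    }
}
```

Compile and run it with the same JVM that starts Tomcat, since a different installed JDK may have different policy files and therefore a different list.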