
How to control the SSL ciphers available to Tomcat

Developer https://www.devze.com 2023-04-05 07:59 Source: web

I'm unable to disable weak SSL ciphers in Tomcat as documented in many places e.g. http://www.techstacks.com/howto/secure-ssl-in-tomcat.html.

Currently, my connector looks as follows:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\Programs\apache-tomcat-6.0.33\keystore" keystorePass="nn"/>

When I attempt a connection (using IE or ssldigger) I get the following error in Tomcat:

java.lang.IllegalArgumentException: Unsupported ciphersuite  SSL_RSA_WITH_RC4_128_SHA
    at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(Unknown Source)
    at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source)
    at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1141)
    at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1096)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1315)
    at java.lang.Thread.run(Unknown Source)

Incidentally, I removed the unsupported ciphers (almost one by one) and the only one I was left with that seems to be supported is SSL_RSA_WITH_RC4_128_MD5.

Also, I'm assuming that an unsupported cipher is not related to Tomcat's specific key pair but more generally to the broadly available ciphers.

What is wrong here?


I figured it out. The comma-separated list of ciphers is whitespace sensitive, i.e. the culprit is the space character after the comma.


It wouldn't hurt to have mentioned the Tomcat version, as it depends on which tags can be used in the Connection block. I have a similar issue with a web service running on Tomcat 6.0, and have read that e.g.

    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,..."

might not work correctly, as "ciphers" might need to be specified as SSLCipherSuite, but I am not 100% sure about this. The document which led me to think this might be applicable is found here: https://tomcat.apache.org/tomcat-6.0-doc/apr.html. That same page also says that the delimiter is not a comma (,) but a colon (:). So for Tomcat 6.0 I would suggest using either:

    SSLCipherSuite="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:..."

or

    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:..."

Hope this helps someone who has to struggle with Tomcat 6.0 (disregard this answer for Tomcat 6.0.XX or higher).
