Problem
If you use Tomcat to run Java apps such as Atlassian Confluence (the page you're looking at now), JIRA, etc., over HTTPS, you might have noticed that your app will not support any 256 bit ciphers, but will still support 40 and 56 bit ciphers. The sslscan tool confirms this and reports:
...
Due to import control restrictions for some countries, the Java Cryptography Extension (JCE) policy files shipped with the Java SE Development Kit and the Java SE Runtime Environment allow strong but limited cryptography to be used.
Enable 256 bit ciphers
From the Sun website, download the JCE Unlimited Strength Jurisdiction Policy Files 6 Release Candidate.
Unpack the ZIP file - it will contain two jar files: local_policy.jar and US_export_policy.jar.
On our Ubuntu boxes we use the packages sun-java6-jdk, sun-java6-bin, and sun-java6-jre. The files in question are stored in /usr/lib/jvm/java-6-sun/jre/lib/security. Replace the default jar files with the ones you downloaded, then restart your app. It should now support 256 bit ciphers:
```
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
```
Disable 40 and 56 bit ciphers
You probably want to disable the very weak ciphers, i.e. the 40 and 56 bit ones. You have to configure this explicitly: take the previous list, include the 256 bit ciphers, leave out the 40 and 56 bit ones, then put the official Java (JSSE) names of the remaining ciphers, not their OpenSSL equivalents, in your HTTPS connector config (in my case at the bottom of server.xml). The result looks like this:
...
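The filtering and renaming step above, as an added shell example (not from the original page): it reads sslscan-style output, keeps only accepted suites at or above a minimum key length, deduplicates across SSLv3/TLSv1, and maps the OpenSSL names to the JSSE names Tomcat expects in its ciphers attribute. The scan lines are constructed, and the OpenSSL-to-JSSE table is my own and covers only the common Java 6 suites.

```shell
#!/bin/sh
# Constructed sslscan-style output (not captured from the page's server).
SAMPLE_SCAN='Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Accepted  SSLv3  128 bits  AES128-SHA
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  56 bits   DES-CBC-SHA
Accepted  SSLv3  40 bits   EXP-RC4-MD5
Rejected  SSLv3  256 bits  DHE-DSS-AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  56 bits   DES-CBC-SHA'

# Map an OpenSSL suite name to the JSSE name used in Tomcat's ciphers="...".
# Names not in this (hand-written) table map to an empty string and are dropped.
jsse_name() {
  case "$1" in
    DHE-RSA-AES256-SHA)   echo TLS_DHE_RSA_WITH_AES_256_CBC_SHA ;;
    AES256-SHA)           echo TLS_RSA_WITH_AES_256_CBC_SHA ;;
    DHE-RSA-AES128-SHA)   echo TLS_DHE_RSA_WITH_AES_128_CBC_SHA ;;
    AES128-SHA)           echo TLS_RSA_WITH_AES_128_CBC_SHA ;;
    EDH-RSA-DES-CBC3-SHA) echo SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA ;;
    DES-CBC3-SHA)         echo SSL_RSA_WITH_3DES_EDE_CBC_SHA ;;
    RC4-SHA)              echo SSL_RSA_WITH_RC4_128_SHA ;;
    RC4-MD5)              echo SSL_RSA_WITH_RC4_128_MD5 ;;
    *)                    echo "" ;;
  esac
}

# Read sslscan output on stdin and print a comma-separated JSSE cipher list.
# $1 = minimum key length in bits to keep (default 128, which drops 40 and 56 bit suites).
# Fields: $1=Accepted/Rejected  $2=protocol  $3=bits  $4="bits"  $5=OpenSSL name
tomcat_cipher_list() {
  awk -v min="${1:-128}" '$1 == "Accepted" && $3+0 >= min && !seen[$5]++ { print $5 }' |
  {
    list=""
    while IFS= read -r ossl; do
      j=$(jsse_name "$ossl")
      [ -n "$j" ] && list="${list:+$list,}$j"
    done
    printf '%s\n' "$list"
  }
}

# Usage: paste the printed value into ciphers="..." on the HTTPS Connector.
printf '%s\n' "$SAMPLE_SCAN" | tomcat_cipher_list 128
```

Raise the minimum (e.g. 256) or remove entries from the table to exclude RC4 and 3DES as well, both of which are now considered weak regardless of their nominal key length.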