JDK 11 and some Cipher Suite are not working that are configured in conf/server.xml but it does not work

Question

I have configured 4 ciphers in server.xml file as following but ONLY 2 RSA are working and ECDHE_ECDSA does not work. I have scan tomcat with multiple tools only RSA are showing in all.

How can I make TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 work?

<Connector port="${tomcat.secure.port}" protocol="org.apache.coyote.http11.Http11NioProtocol"
           address="${tomcat.address}" maxThreads="150" SSLEnabled="true"  
           scheme="https" secure="true" maxSwallowSize="-1" maxPostSize="-1">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" readTimeout="50000" streamReadTimeout ="-1" streamWriteTimeout="-1"
    overheadContinuationThreshold="0" overheadDataThreshold="0" overheadWindowUpdateThreshold="0"/>
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
         ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="/tmp/tomcat_keystore.jks"
                     certificateKeystorePassword="${keystore.password}"
                     certificateKeyPassword="${key.password}"
                     certificateKeystoreType="PKCS12"
                     certificateKeystoreProvider="SUN"/>
    </SSLHostConfig>
</Connector>




APACHE TOMCAT/9.0.53
java --version 
openjdk 11.0.11 2021-04-20
OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.14.04)
OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.14.04, mixed mode, sharing)

Scan Result:

nmap --script ssl-enum-ciphers -p 443 10.40.43.26                                                                         
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-28 18:08 PST
Nmap scan report for vd (10.40.43.26)
Host is up (0.021s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

sslscan 10.40.43.26:443
Version: 2.0.11-static
OpenSSL 1.1.1m  14 Dec 2021

Connected to 10.40.43.26

Testing SSL server 10.40.43.26 on port 443 using SNI name 10.40.43.26

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253


  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Answer 1

ECDSA ciphers require that the server has an ECC certificate. It is likely that you have only a RSA certificate though (which is the common case), which means that ECDSA ciphers will not be supported even if they are configured.