Topic: How to disable weak ciphers in Apache Tomcat 8.5.15
new2apache
Joined: 21 Dec 2018 Posts: 2
Posted: Fri 21 Dec '18 16:09 Post subject: How to disable weak ciphers in Apache Tomcat 8.5.15
Hello,
I am being pinged by our security folks on scans stating that we still use 3DES ciphers. This system is running on a Windows Server. I have tried several different ways to add ciphers and lists of weak ciphers, but when I run a scan I still show them being weak. I want to know where in the connector settings I put the ciphers, and what other options are needed to block weak ciphers? I appreciate any help you can give. Here is a copy of our scrubbed server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note: A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
  -->
  <Service name="XXXXXXXXXXXXXXXXXXXXXXXXX">
    <Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
               port="80"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
               port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="800"
               minSpareThreads="80"
               maxSpareThreads="160"
               SSLEnabled="true"
               secure="true"
               scheme="https"
               compression="off"
               compressableMimeType="text/html,text/xml,text/plain">
      <!-- Authentication settings (below) -->
      <SSLHostConfig disableSessionTickets="true">
        <!-- SSL certificate settings (below) -->
        <Certificate certificateKeystoreFile="XXXXXXXXXXXXXXXXXXXXXXXXX"
                     certificateKeystorePassword="XXXXXXXXXXXXXXXXXXXXXXXXX"
                     certificateKeyAlias="XXXXXXXXXXXXXXXXXXXXXXXXX"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
    <Engine name="Catalina" defaultHost="XXXXXXXXXXXXXXXXXXXXXXXXX">
      <Host name="XXXXXXXXXXXXXXXXXXXXXXXXX"
            appBase="XXXXXXXXXXXXXXXXXXXXXXXXX"
            unpackWARs="true"
            autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="XXXXXXXXXXXXXXXXXXXXXXXXX"
               suffix=".txt"
               pattern="common" />
        <Context path="/XXXXXXXXXXXXXXXXXXXXXXXXX"
                 docBase="XXXXXXXXXXXXXXXXXXXXXXXXX" />
      </Host>
    </Engine>
  </Service>
</Server>
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Sat 22 Dec '18 11:24 Post subject:
On my test server I run this configuration, which might be used as a blueprint for your configuration:
Code:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig scheme="https"
                 secure="true"
                 clientAuth="false"
                 sslProtocol="TLSv1.2"
                 sslEnabledProtocols="TLSv1.2"
                 sslVerifyClient="optional"
                 useServerCipherSuitesOrder="true"
                 ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                          TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                          TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
                          TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                          TLS_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_RSA_WITH_AES_256_GCM_SHA384,
                          TLS_RSA_WITH_AES_128_CBC_SHA256,
                          TLS_RSA_WITH_AES_256_CBC_SHA256,
                          TLS_RSA_WITH_AES_128_CBC_SHA,
                          TLS_RSA_WITH_AES_256_CBC_SHA,
                          SSL_RSA_WITH_3DES_EDE_CBC_SHA">
    <Certificate certificateKeystoreFile="conf/lcorei5.jks"
                 certificateKeystorePassword="*****"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
new2apache
Joined: 21 Dec 2018 Posts: 2
Posted: Fri 28 Dec '18 0:15 Post subject: Still not working
From what I found, most of those commands were deprecated after 5.5, I believe. I translated those into 8.5 but am still having issues. Are the ciphers you are using the strong ciphers, or a list of all weak and strong?
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Fri 28 Dec '18 21:07 Post subject:
Stripped my config down to this (still working) version. Now Tomcat is not complaining about deprecated options/settings anymore:
Code:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="conf/lcorei5.jks"
           keystorePass="***"
           clientAuth="false"
           sslProtocol="TLSv1.2"
           sslEnabledProtocols="TLSv1.2"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,[.....]">
</Connector>
To use only highly secure ciphers, you may visit https://wiki.mozilla.org/Security/Server_Side_TLS
But keep in mind that you might have some old clients that cannot use the most modern ciphers.
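As an added example (written here, not by either poster), a small Python audit that reads a Tomcat server.xml and flags what the scanner in the first post complains about: a cipher list that still contains 3DES (the blueprint above ends with SSL_RSA_WITH_3DES_EDE_CBC_SHA), no cipher list at all, or a protocols value that still permits TLS 1.0/1.1. It understands both the Tomcat 8.5 SSLHostConfig attributes (protocols, ciphers, honorCipherOrder) and the older Connector-level ones used in the posts above (sslEnabledProtocols, ciphers, useServerCipherSuitesOrder). Both embedded server.xml fragments, the keystore path and the password are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, Tomcat 8.5 syntax: protocols/ciphers live on SSLHostConfig.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                              TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                              SSL_RSA_WITH_3DES_EDE_CBC_SHA">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Constructed sample, legacy syntax: no cipher list, default protocols, no SSLHostConfig.
LEGACY_CONNECTOR_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
</Service></Server>"""

# Suite-name fragments (JSSE naming) that TLS scanners flag as weak.
WEAK_PATTERNS = ("3DES", "RC4", "_NULL_", "EXPORT", "_anon_", "_DES_", "MD5")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def audit_tls_config(xml_text):
    """Return (port, finding) tuples for every SSL-enabled connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        # Legacy configs keep ciphers/sslEnabledProtocols on the Connector itself.
        for host in conn.findall("SSLHostConfig") or [conn]:
            ciphers = host.get("ciphers") or conn.get("ciphers") or ""
            protos = host.get("protocols") or conn.get("sslEnabledProtocols") or "all"
            if not ciphers.strip():
                findings.append((port, "no cipher list: JSSE defaults apply"))
            for suite in filter(None, re.split(r"[\s,]+", ciphers)):
                if any(p in suite for p in WEAK_PATTERNS):
                    findings.append((port, "weak suite " + suite))
            for proto in filter(None, re.split(r"[\s,]+", protos)):
                if proto.startswith("-"):
                    continue  # explicitly removed, e.g. "all,-TLSv1"
                if proto == "all" or proto.lstrip("+") in LEGACY_PROTOCOLS:
                    findings.append((port, "legacy protocol allowed: " + proto))
    return findings
```

Run it against the real conf/server.xml (open the file and pass its text) before re-running the scanner; an empty result means the connector advertises only what you listed.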