How to Disable Weak SSL Ciphers in Tomcat Server

If your website supports weak ciphers there is a potential security risk. The main reason for supporting these ciphers is compatibility with old browsers, but supporting old browsers is itself a risky idea: the internet is full of viruses and malware targeting old browsers, so a user running an old browser is potentially infected by malware already.

As the latest browsers are free to download, it is wise to ask your clients to move to a current browser such as Firefox, and it is a wise step to remove support for weak ciphers from your web server.
Paypal.com no longer supports old browsers, and many others are also dropping support for them.

In this article I cover one of the best practices for setting up SSL in Tomcat: disabling weak ciphers.

If you are using Tomcat 5.5 or Tomcat 6 on JDK 1.6, the following ciphers are enabled by default:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

From the above list, the weak ciphers are:

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Please follow the steps below to disable weak ciphers on an Apache Tomcat server.

In order to disable weak ciphers, we need to add a ciphers attribute to the SSL Connector element in the server.xml file, which is located at

${CATALINA_HOME}/conf/server.xml

1. Take a backup of the server.xml file.

2. Add the following attribute to the existing SSL Connector configuration (this is the default list with the weak ciphers removed):


ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"




For example, the SSL Connector element then looks like this (the original fragment began at acceptCount; port, protocol and SSLEnabled are filled in here as assumed typical values):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="MyKeyFile.key" keystorePass="Poodle"
    truststoreFile="MyTrustStore.truststore" truststorePass="MyPass"/>





3. Restart Tomcat; the new security settings should then be in effect.
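As an added check that is not part of the original article, the following Python script audits a server.xml for SSL Connectors, flags weak suites in their ciphers attribute, and builds the hardened list to paste back. It goes beyond the article's DES and export list by also flagging RC4, 3DES and MD5 suites, which later guidance (RFC 7465, the Sweet32 attack) treats as weak; the embedded server.xml and all function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml modelled on the article's Connector fragment (not a real file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" acceptCount="100"
               scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA"
               keystoreFile="MyKeyFile.key" keystorePass="changeit"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Substrings that mark a JSSE suite name as weak. The article treats only the first two
# classes as weak; RC4 (RFC 7465), 3DES (Sweet32) and MD5 MACs were deprecated later.
WEAK_PATTERNS = {
    "export": re.compile(r"_EXPORT_"),
    "single-DES": re.compile(r"_WITH_DES_"),
    "RC4": re.compile(r"_RC4_"),
    "3DES": re.compile(r"_3DES_"),
    "MD5": re.compile(r"_MD5$"),
}

def classify(suite):
    """Return the weakness labels that apply to one cipher-suite name (empty if none)."""
    return [label for label, pat in WEAK_PATTERNS.items() if pat.search(suite)]

def parse_ciphers(attr):
    """Split a 'ciphers' attribute as Tomcat does: comma-separated, surrounding whitespace trimmed."""
    return [c.strip() for c in attr.split(",") if c.strip()]

def audit_server_xml(xml_text):
    """Report weak suites on each SSL Connector and the hardened 'ciphers' value to replace them."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled") != "true" and conn.get("secure") != "true":
            continue  # plain HTTP and AJP connectors carry no TLS cipher list
        suites = parse_ciphers(conn.get("ciphers", ""))
        weak = {s: classify(s) for s in suites if classify(s)}
        report[conn.get("port")] = {
            "weak": weak,
            "hardened_ciphers": ", ".join(s for s in suites if s not in weak),
            "sslProtocol": conn.get("sslProtocol", "TLS"),  # "TLS" is the JSSE default
        }
    return report
```

To audit a real installation, pass the contents of ${CATALINA_HOME}/conf/server.xml to audit_server_xml instead of the constructed sample.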

Does my Tomcat version support this security config?



This security config has been part of Tomcat since version 4.1.32, so if you are using a Tomcat version before 4.1.32 the above config may not work. For these settings to work as expected you may need to upgrade to Tomcat 4.1.32 or later.

See the Apache Tomcat 4 Security Upgrade notes, section "Fixed in Apache Tomcat 4.1.32", for details of this issue.

Let us know if you are facing any issues in configuration of tomcat.



Comments

  1. Why is this setting not disabled in Tomcat by default? I guess it should be.
  2. Tomcat has been supporting these weak ciphers for a long time and they have made it configurable so that people can block them if they need to. Ideally you would not want these ciphers to be blocked unless you are really concerned about the security of your site.
  3. I made a similar modification for Tomcat 4.1.29, but it doesn't work.

    Can anybody comment more on what to do to remove weak ciphers for Tomcat 4.1.29 and Java 1.6.0.04?
  4. Can you please post your config file? I can look into it and let you know.
  5. Do you have a valid certificate installed on Tomcat? Let me know if you see some errors in the tomcat server log file.

  6. The Tomcat developers integrated the Coyote connector from Tomcat 5.5.x into the Tomcat 4.1.32 branch, which allowed the full range of protocol configuration options available in Tomcat 5.5 to become available in Tomcat 4.1. 'ciphers' will not work in anything below Tomcat 4.1.32.
  7. @6p01156fbc6fe6970c - Thanks for the help.

    @ah - Is there any way you can upgrade to a later version of tomcat?

  8. Check Tomcat 4 - Security Upgrade notes. Check the section "Fixed in Apache Tomcat 4.1.32" for details of this issue.

  9. There's an EXTREMELY irritating floating box with Like, Tweet, +1 and Share buttons in the middle of your page, in front of the text I'm trying to read. Can you do something about that?

    Replies
    1. Captain - Thanks for your feedback. Let me fix that. This was part of the new design and the "add this" share toolbar is kind of irritating to me as well. I am going to try some better share links instead. Bear with me for some time; I will surely fix it.

    2. Just changed the share mechanism. This is not the best either; however, it should be less irritating. I am still looking for the best-performing sharing option. Tried several with no good results. Thanks for letting me know. I hope this makes it simpler for you to read.
  10. Hi Sachin FromDev
    I'm not a guy who knows these settings much. But our client has asked us to disable weak SSL ciphers in Tomcat Server. We use Tomcat 6.0.29 and IIS as the web server. My server.xml has two connectors

    IIS connects to this Tomcat on 8229

    Which connector tag should I put these settings into?
    Please help me. I don't have much knowledge on this.

    Regards,
    Dev
  12. Thanks very much!

    Sometimes we need to disable SSL.
