TipsTomcat

How to Disable SSL weak Ciphers in Tomcat Server

3 Mins read

If your website is supporting weak ciphers then there is a potential security risk, as the main reason behind supporting these ciphers is supporting old browsers but supporting old browsers can be risky idea since the internet is full of viruses/malwares for old browsers. What that means is a user with an old browser is potentially infected by a malware already.

As the latest browsers are freely downloadable its a wise thing to ask your clients to move to some latest browser like Firefox. Its wise step to remove support for weak ciphers from your web server.
Paypal.com doesn’t support old browsers any more, and many other people are also stopping support to old browsers.

In this article I am trying to cover one of the best practice of setting up SSL in Tomcat setup for disabling weak ciphers.

If you are using Tomcat 5.5 or tomcat 6 on JDK1.6 Following ciphers are enabled by default

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA


From the above list the Weak Ciphers are

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Please follow below steps for disabling Weak ciphers on Apache Tomcat server

In order to disable weak ciphers, we need to modify the SSL Connector container attribute in server.xml file, which is located in

${CATALINA_HOME}/conf/server.xml

1. Take a backup of server.xml file.

2. Add below values to the existing config.

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

For Example:


acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystoreFile="MyJeyFile.key" keystorePass="Poodle"
truststoreFile="MyTrustStore.truststore" truststorePass="MyPass"/>                          



3. Restart tomcat and new security settings should be in effect.

Does my Tomcat Version support these security config?

These security config are part of Tomcat since version 4.1.32, so if you are using Tomcat version before 4.1.32 then above config may not work. For these settings to work as expected you may need to upgrade to Tomcat 4.1.32 or later.

Check Apache Tomcat 4 – Security Upgrade notes section “Fixed in Apache Tomcat 4.1.32” for details of this issue.

Let us know if you are facing any issues in configuration of tomcat.

Tomcat6 weak ciphers, Tomcat weak ciphers, Disable weak ciphers on Tomcat, Do not allow tomcat weak ciphers, Block tomcat weak ciphers, Stop tomcat weak ciphers, tomcat6 weak encryption ciphers, siphers, cyphers, cypher,sypher,tomcat security, tomcat admin security, Tomcat5 ciphers, Tomcat best practices, Tomcat security best practice, modify tomcat “server xml” ciphers, how to find weak ciphers in tomcat, tomcat on https, tomcat on ssl, tomcat and ssl, configuring tomcat, tomcat https, tomcat security, tomcat tutorial, configure tomcat, tomcat configuration, tomcat ssl, tomcat how to, tomcat6 ssl, tomcat5 ssl, tomcat4 ssl, tomcat security loophole, tomcat security weakness, tomcat security tutorial, tomcat security training

14 Comments

Leave a Reply to ah Cancel reply

Your email address will not be published. Required fields are marked *