If your web server still supports weak ciphers, that is a security risk. The usual reason for keeping them is compatibility with old browsers, but catering to old browsers is itself a risky idea: the internet is full of viruses and malware targeting old browsers, so a user running one may well be infected already.
Since current browsers are free to download, it is wise to ask your clients to move to a recent browser such as Firefox, and wise to remove support for weak ciphers from your web server.
Paypal.com no longer supports old browsers, and many other sites are dropping support for them as well.
In this article I cover one best practice for setting up SSL in Tomcat: disabling weak ciphers.
If you are using Tomcat 5.5 or Tomcat 6 on JDK 1.6, the following ciphers are enabled by default (the JSSE defaults, which differ between JDK releases):
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
From the above list, the weak ciphers are the single-DES (56-bit key) suites and the 40-bit export suites:
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Follow the steps below to disable weak ciphers on an Apache Tomcat server.
To disable weak ciphers, we modify the SSL Connector element in the server.xml file, which is located at
${CATALINA_HOME}/conf/server.xml
1. Take a backup of the server.xml file.
2. Add the ciphers attribute below to the existing SSL Connector. Tomcat hands this list to JSSE and enables only the suites named, so every suite left out (here the DES and export suites) is disabled:
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Note that this list still keeps the RC4 and 3DES suites for compatibility with old browsers. By current standards they are weak as well (RC4 is prohibited by RFC 7465 and 3DES has a 64-bit block size), so if your clients allow it, keep only the AES suites.
For example (the attributes ahead of acceptCount, such as port, are whatever your Connector already has; Tomcat 6 additionally requires SSLEnabled="true" on the Connector, whereas Tomcat 5.5 relies on secure="true"):
<Connector port="8443" SSLEnabled="true"
           acceptCount="100" scheme="https" secure="true" clientAuth="false"
           sslProtocol="SSL"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="MyJeyFile.key" keystorePass="Poodle"
           truststoreFile="MyTrustStore.truststore" truststorePass="MyPass"/>
One caveat: sslProtocol only selects the JSSE SSLContext (the Tomcat documentation uses sslProtocol="TLS"); it does not pin the protocol version, and the ciphers attribute does not either. To actually turn off SSLv3 on Tomcat 7 (and 6.0.38 or later) add sslEnabledProtocols with the TLS versions your JDK supports, for example sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2".
3. Restart Tomcat; the new security settings take effect once it is back up. Verify the result from outside with a TLS scanner rather than trusting the attribute, because suite names the JDK does not recognise are silently skipped, so a typo can leave more enabled than you intended.
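The default-cipher list above is what JDK 1.6 enables; other JDK builds enable a different set, and the ciphers attribute must name suites your JDK actually supports. The Java program below is an added example, not code from the original article or from the Tomcat project: it asks the running JVM for its default-enabled server cipher suites (the same JSSE defaults Tomcat's connector starts from), flags the ones to drop, and prints a ready-to-paste ciphers attribute. It goes beyond the article's classification: besides single DES and the 40-bit export suites, its WEAK pattern also drops RC4, MD5-MAC, 3DES, NULL and anonymous suites, which is this example's own assumption about current practice. The class name TomcatCipherAudit and the pattern are ours.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Lists the cipher suites this JVM enables by default for server sockets
 * and prints a hardened value for the Tomcat Connector "ciphers" attribute.
 * Added example; not part of the original article. Java 5/6 syntax on purpose.
 */
public class TomcatCipherAudit {

    // Suites to drop. _WITH_DES_, _EXPORT and _DES40_ cover the article's weak
    // list (single DES, 40-bit export). The remaining alternations are an
    // assumption reflecting current practice: RC4, MD5 MAC, 3DES, NULL
    // encryption, anonymous key exchange and RC2.
    private static final Pattern WEAK = Pattern.compile(
        "_WITH_DES_|_EXPORT|_DES40_|_RC4_|_MD5$|_3DES_|_NULL_|_anon_|_RC2_");

    /** True if the suite name should be removed from the Connector. */
    static boolean isWeak(String suite) {
        return WEAK.matcher(suite).find();
    }

    /** Keep the suites that pass isWeak(); skip signalling pseudo-suites. */
    static List<String> hardened(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String s : enabled) {
            // TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a cipher
            if (s.endsWith("_SCSV")) continue;
            if (!isWeak(s)) keep.add(s);
        }
        return keep;
    }

    /** Render the list as the comma-separated attribute Tomcat expects. */
    static String ciphersAttribute(List<String> suites) {
        StringBuilder sb = new StringBuilder("ciphers=\"");
        for (int i = 0; i < suites.size(); i++) {
            if (i > 0) sb.append(',');
            sb.append(suites.get(i));
        }
        return sb.append('"').toString();
    }

    public static void main(String[] args) throws Exception {
        // Same JSSE factory Tomcat's connector uses; the default-enabled set
        // depends on the JDK build and its security policy.
        SSLServerSocketFactory f = SSLContext.getDefault().getServerSocketFactory();
        String[] enabled = f.getDefaultCipherSuites();

        System.out.println("Default-enabled suites on this JVM:");
        for (String s : enabled) {
            System.out.println((isWeak(s) ? "  WEAK  " : "  ok    ") + s);
        }
        System.out.println();
        System.out.println("Paste into the SSL Connector in server.xml:");
        System.out.println(ciphersAttribute(hardened(enabled)));
    }
}
```

Compile and run it with the same JDK that runs Tomcat (javac TomcatCipherAudit.java && java TomcatCipherAudit), because that JDK's defaults are what the connector inherits. On JDK 1.6 the WEAK lines are the article's seven suites plus the RC4, MD5 and 3DES ones, and the printed attribute keeps only the AES suites. After restarting Tomcat, confirm from outside that a dropped suite is refused, for example openssl s_client -connect host:8443 -cipher DES-CBC-SHA should fail to complete the handshake.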
Does my Tomcat version support this security config?
The ciphers attribute has been part of Tomcat since version 4.1.32, so if you are using a Tomcat version before 4.1.32 the config above will not work. For these settings to work as expected you need to upgrade to Tomcat 4.1.32 or later.
Check the Apache Tomcat 4 security upgrade notes, section "Fixed in Apache Tomcat 4.1.32", for details of this issue.
Let us know if you face any issues configuring Tomcat.
Why is this setting not disabled in Tomcat by default? I guess it should be.
Tomcat has been supporting these weak ciphers for a long time, and they have made it configurable so that people can block them if they need to. Ideally you would not want these ciphers to be blocked unless you are really concerned about the security of your site.
I made a similar modification for Tomcat 4.1.29, but it doesn't work. Can anybody comment more on what to do to remove weak ciphers for Tomcat 4.1.29 and Java 1.6.0.04?
Can you please post your config file? I can look into it and let you know.
Do you have a valid certificate installed on Tomcat? Let me know if you see any errors in the Tomcat server log file.
The Tomcat developers integrated the Coyote connector from Tomcat 5.5.x into the Tomcat 4.1.32 branch, which allowed the full range of protocol configuration options available in Tomcat 5.5 to become available in Tomcat 4.1. 'ciphers' will not work in anything below Tomcat 4.1.32.
@6p01156fbc6fe6970c – Thanks for the help.
@ah – Is there any way you can upgrade to a later version of tomcat?
Check Tomcat 4 – Security Upgrade notes. Check the section "Fixed in Apache Tomcat 4.1.32" for details of this issue.
There's an EXTREMELY irritating floating box with Like, Tweet, +1 and Share button on the middle of your page, in front of the text I'm trying to read. Can you do something about that?
Captain – Thanks for your feedback. Let me fix that. This was part of the new design, and the share toolbar is kind of irritating to me as well. I am going to try some better share links instead. Bear with me for some time; I will surely fix it.
I just changed the share mechanism. This is not the best either; however, it should be less irritating. I am still looking for the best-performing sharing option. I tried several with no good results. Thanks for letting me know. I hope this makes it simpler for you to read.
Hi Sachin FromDev, I'm not a guy who knows these settings much. But our client has asked us to disable SSL weak ciphers in the Tomcat server. We use Tomcat 6.0.29 and IIS as the web server. My server.xml has two connectors; IIS connects to this Tomcat on 8229. Which connector tag should I put these settings into? Please help me. I don't have much knowledge on this. Regards, Dev
Thanks very much!
Sometimes we need to disable SSL.