If your website supports weak ciphers, it carries a potential security risk. The main reason for supporting these ciphers is to support old browsers, but supporting old browsers can be a risky idea, since the internet is full of viruses and malware targeting old browsers. That means a user with an old browser is potentially already infected by malware.
Since the latest browsers are freely downloadable, it's wise to ask your clients to move to a current browser such as Firefox. It's also a wise step to remove support for weak ciphers from your web server.
Paypal.com doesn’t support old browsers any more, and many others are also dropping support for old browsers.
In this article I cover one of the best practices for setting up SSL in Tomcat: disabling weak ciphers.
If you are using Tomcat 5.5 or Tomcat 6 on JDK 1.6, the following ciphers are enabled by default:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
From the above list, the weak ciphers are:
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Follow the steps below to disable weak ciphers on an Apache Tomcat server.
To disable weak ciphers, we need to modify the attributes of the SSL Connector element in the server.xml file, which is located at
${CATALINA_HOME}/conf/server.xml
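1. Take a backup of the server.xml file.
2. Add the value below to the existing SSL Connector config. It lists only the ciphers that remain enabled, so the weak ciphers above are left out.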
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
For example:
<Connector ...
    acceptCount="100"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="SSL"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="MyJeyFile.key"
    keystorePass="Poodle"
    truststoreFile="MyTrustStore.truststore"
    truststorePass="MyPass"/>
3. Restart Tomcat; the new security settings should then be in effect.
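One way to check the edited file, as an added example that is not part of the original article: the Python script below parses a server.xml and reports, for each HTTPS connector, any cipher from the weak list above, or a missing ciphers attribute (in which case the JVM defaults apply). The sample XML, its port numbers, the function name and the pattern that extends the list to other single-DES and export suite names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Weak suites exactly as listed in this article (single DES and 40-bit export).
WEAK = {
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
}
# Assumption: catch the same two families under other prefixes/key exchanges.
WEAK_PATTERN = re.compile(r"_EXPORT_|_WITH_DES_CBC_")

def audit_server_xml(xml_text):
    """Return {port: [findings]} for every HTTPS connector in a server.xml."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # plain HTTP/AJP connector, no cipher list to check
        port = conn.get("port", "?")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            report[port] = ["no ciphers attribute: JVM default suites apply"]
            continue
        names = [c.strip() for c in ciphers.split(",") if c.strip()]
        report[port] = [c for c in names if c in WEAK or WEAK_PATTERN.search(c)]
    return report

# Constructed sample (ports and layout are made up for the example).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" scheme="https" secure="true" sslProtocol="SSL"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="8444" scheme="https" secure="true"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,
             SSL_RSA_EXPORT_WITH_RC4_40_MD5"/>
  <Connector port="8445" scheme="https" secure="true"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE).items():
        print(port, findings or "OK")
```

An empty list for a port means none of the weak suites are configured on that connector; the script reads the file only and does not test what the running server negotiates.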
Does my Tomcat version support this security config?
This security config has been part of Tomcat since version 4.1.32, so if you are using a Tomcat version before 4.1.32, the above config may not work. For these settings to work as expected, you may need to upgrade to Tomcat 4.1.32 or later.
Check the “Fixed in Apache Tomcat 4.1.32” section of the Apache Tomcat 4 – Security Upgrade notes for details of this issue.
Let us know if you face any issues configuring Tomcat.