logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: How to disable weak ciphers in Apache Tomcat 8.5.15
Author
new2apache



Joined: 21 Dec 2018
Posts: 2

PostPosted: Fri 21 Dec '18 16:09    Post subject: How to disable weak ciphers in Apache Tomcat 8.5.15 Reply with quote

Hello,

I am being pinged by our security folks on scans stating that we still use 3DES ciphers. This system is running on a Windows Server. I have tried several different ways to add ciphers and lists of weak ciphers but when I run a scan I still show them being weak. I want to know where in the connector settings do I put the ciphers and what other options are needed to block weak ciphers? I appreciate any help you can give. Here is a copy of our scrubbed server.xml

<?xml version="1.0" encoding="UTF-8"?>

<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="XXXXXXXXXXXXXXXXXXXXXXXXX">
<Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
port="80"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
<Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="800"
minSpareThreads="80"
maxSpareThreads="160"
SSLEnabled="true"
secure="true"
scheme="https"
compression="off"
compressableMimeType="text/html,text/xml,text/plain">
<!-- Authentication settings (below) -->
<SSLHostConfig disableSessionTickets="true">
<!-- SSL certificate settings (below) -->
<Certificate certificateKeystoreFile="XXXXXXXXXXXXXXXXXXXXXXXXX"
certificateKeystorePassword="XXXXXXXXXXXXXXXXXXXXXXXXX"
certificateKeyAlias="XXXXXXXXXXXXXXXXXXXXXXXXX"
type="RSA" />
</SSLHostConfig>
</Connector>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

<Engine name="Catalina" defaultHost="XXXXXXXXXXXXXXXXXXXXXXXXX">
<Host name="XXXXXXXXXXXXXXXXXXXXXXXXX"
appBase="XXXXXXXXXXXXXXXXXXXXXXXXX"
unpackWARs="true"
autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
prefix="XXXXXXXXXXXXXXXXXXXXXXXXX"
suffix=".txt"
pattern="common" />
<Context path="/XXXXXXXXXXXXXXXXXXXXXXXXX"
docBase="XXXXXXXXXXXXXXXXXXXXXXXXX" />
</Host>
</Engine>
</Service>
</Server>
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Sat 22 Dec '18 11:24    Post subject: Reply with quote

On my test-server I run this configuration which might be used as a blueprint for your configuration:

Code:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig scheme="https"
        secure="true"
        clientAuth="false"
        sslProtocol="TLSv1.2"
        sslEnabledProtocols="TLSv1.2"
        sslVerifyClient="optional"
        useServerCipherSuitesOrder="true"
        ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_
WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA">
            <Certificate certificateKeystoreFile="conf/lcorei5.jks"
                         certificateKeystorePassword="*****"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Back to top
new2apache



Joined: 21 Dec 2018
Posts: 2

PostPosted: Fri 28 Dec '18 0:15    Post subject: Still not working Reply with quote

From what I found most of those commands were deprecated after 5.5 I believe. I translated those into 8.5 but am still having issues. Are the ciphers you are using the strong ciphers or a list of all weak and strong?
Back to top
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

PostPosted: Fri 28 Dec '18 21:07    Post subject: Reply with quote

Stripped my config down to this (still working Very Happy) version - now tomcat is not complaining about deprecated options/settings anymore:
Code:
   <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
              port="8443" maxThreads="150"
              scheme="https" secure="true" SSLEnabled="true"
              keystoreFile="conf/lcorei5.jks"
              keystorePass="***"
              clientAuth="false"
              sslProtocol="TLSv1.2"
              sslEnabledProtocols="TLSv1.2"
              useServerCipherSuitesOrder="true"
              ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,[.....]">
    </Connector>


To use only high-secure-ciphers you may visit https://wiki.mozilla.org/Security/Server_Side_TLS
But keep in mind that you might have some old clients that cannot use the most modern ciphers. Sad
Back to top


Reply to topic   Topic: How to disable weak ciphers in Apache Tomcat 8.5.15 View previous topic :: View next topic
Post new topic   Forum Index -> Apache