Chrome indicates that Tomcat SSL URL allows an RSA (an obsolete key exchange)


Article ID: 125294




SUPPORT AUTOMATION- SERVER CA Service Desk Manager - Unified Self Service KNOWLEDGE TOOLS CA Service Management - Asset Portfolio Management CA Service Management - Service Desk Manager


Is there a way to enforce a strong protocol, a strong key exchange and strong ciphers?


Component: MA4SDM


1) Ensure CA SDM is configured to use the latest 32-bit Java 8 build first. This invalidates obsolete key exchanges and enforces the use of strong key exchanges.
Note: 17.1 ships out of the box with JRE 1.8.0_112, and that build does not enforce a strong key exchange. That is why upgrading to the latest Java 8 build helps here.

2) Ensure sslProtocol="TLSv1.2" is set as the protocol so that only TLS v1.2 is enforced.

3) Disable any weak ciphers by using: ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"

A sample connector would look like this:

<Connector SSLEnabled="true" ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
           clientAuth="false" enableLookups="false" keystoreFile="C:\certs\Keystore.PFX"
           keystoreType="pkcs12" keystorePass="changeit" maxThreads="200" port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
           secure="true" sslProtocol="TLSv1.2" />
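The following added example (not part of this article or of CA SDM) audits a constructed server.xml against the three settings above and expands the OpenSSL-syntax cipher string with the local OpenSSL to show which suites it actually enables; Tomcat's JSSE mapping of that string may differ, so the expansion is indicative. It also reports suites that still use static RSA key exchange (no forward secrecy), which is the "obsolete key exchange" Chrome refers to and which "HIGH:!aNULL:!RC4:!MD5" alone does not exclude.

```python
import ssl
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real CA SDM file): port 8443 is a
# legacy connector, port 8444 follows the article's recommendations.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" keystoreFile="C:\\certs\\Keystore.PFX"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.2" ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
             keystoreFile="C:\\certs\\Keystore.PFX"/>
</Service></Server>"""

def expand_ciphers(spec):
    """Resolve an OpenSSL-syntax cipher spec to the suites it enables, using the
    local OpenSSL; Tomcat's JSSE mapping may differ, so treat this as indicative."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()

def audit_cipher_spec(spec):
    """Flag suites that are weak (RC4, MD5, anonymous) and suites that still use
    static RSA key exchange, i.e. no forward secrecy (what Chrome calls obsolete)."""
    findings = []
    for suite in expand_ciphers(spec):
        name, desc = suite["name"], suite["description"]
        if "RC4" in name or "MD5" in name or "Au=None" in desc:
            findings.append(("weak cipher", name))
        elif "Kx=RSA" in desc:
            findings.append(("no forward secrecy", name))
    return findings

def audit_connectors(server_xml):
    """Return {port: [issue, ...]} for every SSL-enabled Tomcat connector."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        issues = []
        if conn.get("sslProtocol") != "TLSv1.2":
            issues.append("sslProtocol is not TLSv1.2")
        spec = conn.get("ciphers")
        if spec is None:
            issues.append("no ciphers attribute, JVM default list applies")
        else:
            issues += [f"{why}: {name}" for why, name in audit_cipher_spec(spec)]
        report[conn.get("port")] = issues
    return report

if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, issues or ["OK"])
```

Any "no forward secrecy" entries reported for port 8444 are the static-RSA suites the article relies on the Java upgrade to de-prioritise; appending ":!kRSA" to the cipher string removes them outright.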

NOTE: It is also possible to use an explicit cipher list instead of ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH".

An example of such a list (for more granular control) would be:


Additional Information

Refer to Apache Tomcat documentation for more details: