Chrome indicates that Tomcat SSL URL allows an RSA (an obsolete key exchange)
book
Article ID: 125294
calendar_today
Updated On:
Products
SUPPORT AUTOMATION- SERVERCA Service Desk Manager - Unified Self ServiceKNOWLEDGE TOOLSCA Service Management - Asset Portfolio ManagementCA Service Management - Service Desk Manager
Issue/Introduction
Is there a way to enforce Strong Protocol + Strong Key Exchange + Strong Ciphers ?
Environment
Release: Component: MA4SDM
Resolution
1) Ensure CA SDM is configured to use latest version of 32bit Java 8 first. This invalidated Obsolete Key Exchanges and enforces the usage of Strong Key Exchanges Note: 17.1 out of the box has JRE 1.8.0_112 and somehow this build does not enforce strong key exchange. That's why upgrading to latest Java 8 build would help here
2) Ensure the sslProtocol="TLSv1.2" is used for the Protocol so only TLS v1.2 is enforced
3) Disable any weak ciphers by using: ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
NOTE: It is possible to use explicit ciphers too instead of ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
An example for such (to have more granular control) would be: useServerCipherSuitesOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
Additional Information
Refer to Apache Tomcat documentation for more details: https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html