Chrome indicates that Tomcat SSL URL allows an RSA (an obsolete key exchange)
Article ID: 125294
Updated On:
Products
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
Issue/Introduction
Is there a way to enforce Strong Protocol + Strong Key Exchange + Strong Ciphers ?
Environment
Release:
Component: MA4SDM
Component: MA4SDM
Resolution
1) Ensure CA SDM is configured to use latest version of 32bit Java 8 first. This invalidated Obsolete Key Exchanges and enforces the usage of Strong Key Exchanges
Note: 17.1 out of the box has JRE 1.8.0_112 and somehow this build does not enforce strong key exchange. That's why upgrading to latest Java 8 build would help here
2) Ensure the sslProtocol="TLSv1.2" is used for the Protocol so only TLS v1.2 is enforced
3) Disable any weak ciphers by using: ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
A sample connector would be like this:
<Connector SSLEnabled="true" ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
clientAuth="false" enableLookups="false" keystoreFile="C:\certs\Keystore.PFX"
keystoreType="pkcs12" keystorePass="changeit" maxThreads="200" port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLSv1.2" />
NOTE: It is possible to use explicit ciphers too instead of ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
An example for such (to have more granular control) would be:
useServerCipherSuitesOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
Note: 17.1 out of the box has JRE 1.8.0_112 and somehow this build does not enforce strong key exchange. That's why upgrading to latest Java 8 build would help here
2) Ensure the sslProtocol="TLSv1.2" is used for the Protocol so only TLS v1.2 is enforced
3) Disable any weak ciphers by using: ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
A sample connector would be like this:
<Connector SSLEnabled="true" ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
clientAuth="false" enableLookups="false" keystoreFile="C:\certs\Keystore.PFX"
keystoreType="pkcs12" keystorePass="changeit" maxThreads="200" port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLSv1.2" />
NOTE: It is possible to use explicit ciphers too instead of ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
An example for such (to have more granular control) would be:
useServerCipherSuitesOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
Additional Information
Refer to Apache Tomcat documentation for more details: https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
Feedback
Powered by
