UIM - How to disable weak SSL or TLS protocol and weak ciphers in UMP

Article ID: 46324

Products

NIMSOFT PROBES
DX Infrastructure Management

Issue/Introduction

How do you disable weak SSL/TLS protocol versions and weak cipher suites in UMP (the web portal served by the wasp probe's embedded Tomcat)?

Environment

UIM 8.4 / UIM 8.4 SP2 / UIM 8.51
UIM 9.02: with this version you may also need to remove the https_ciphers key from the <setup> section of wasp.cfg to complete this process.

Resolution

Set the enabled protocols and cipher suites in the <https_connector> section of wasp.cfg, the configuration file of the wasp probe that serves UMP. The keys carry the same names as the Tomcat HTTPS connector attributes (sslEnabledProtocols and ciphers), and this mechanism still works with the newer version of the embedded Tomcat. Restart the wasp probe after editing wasp.cfg so that the connector loads the new values.

1) Example of changing wasp's SSL/TLS behaviour. This fragment only shows the mechanism: it still enables TLS 1.0 and TLS 1.1 (both deprecated by RFC 8996), and TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange, so it offers no forward secrecy. Use it as a template, not as a hardened setting:

<https_connector>
   URIEncoding = UTF-8
   sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
   ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</https_connector>


2) Example restricting the connector to TLS 1.2 only, which disables SSLv3, TLS 1.0 and TLS 1.1:

<https_connector>
   URIEncoding = UTF-8
   sslEnabledProtocols = TLSv1.2
   ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
</https_connector>

Two caveats about this list. The four *_WITH_3DES_EDE_CBC_SHA suites use a 64-bit block cipher (Sweet32, CVE-2016-2183) and are reported as weak by most vulnerability scanners; the TLS_RSA_* suites and the non-ephemeral TLS_ECDH_* suites provide no forward secrecy. If your scanner flags them, remove those entries; current browsers all support the TLS_ECDHE_* AES-GCM suites that remain. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value for secure renegotiation, not a cipher, and is harmless to keep.


 
Note: any ciphers specified in the <https_connector> section override values set with the https_ciphers key. The https_ciphers key appears in wasp.cfg in UIM 8.4 SP1 and later, so to avoid confusion specify the cipher list in one location or the other, not both.

Watch out for protocol/cipher mismatches. If none of the listed suites can be negotiated for the enabled protocol versions (for example because a suite name is misspelled or is not supported by the JRE that runs wasp), the TLS handshake fails and the browser reports a version or cipher mismatch error (Chrome shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH). Check the suite names against the JRE's supported list before restarting wasp.
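The review steps above (deprecated protocol versions, weak or non-forward-secret suites, misspelled suite names, and a cipher list defined in both <https_connector> and <setup>/https_ciphers) can be automated against a copy of wasp.cfg. The script below is an added example written for this article; it is not part of the KB text or of the wasp probe. It parses the probe .cfg format (nested <section> blocks holding key = value lines, as in the fragments above), audits the connector settings and derives hardened values. The two embedded configurations are constructed samples: the first mirrors example 1 with a leftover https_ciphers key, the second is a trimmed example 2 with a 3DES suite and a misspelled SCSV entry left in so the checks fire. Classifying a suite by its name pattern is an assumption of this script, not anything the JRE reports.

```python
"""Audit the TLS settings of a UIM wasp.cfg (added example, not from the
KB article or the wasp probe). Parses the probe .cfg format, audits
<https_connector> and the legacy <setup>/https_ciphers key, and derives
hardened values. Suite classification is by name pattern (an assumption)."""
from typing import Dict, List, Tuple

# SSLv3 is broken; TLS 1.0/1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# 64-bit block cipher, RC4, no encryption, export grade, MD5 MAC, anon DH.
WEAK_MARKERS = ("_3DES_", "_RC4_", "_NULL_", "_EXPORT", "_DES_", "_MD5", "_anon_")
# Static RSA and static (EC)DH key exchange: no forward secrecy.
NO_PFS_PREFIXES = ("TLS_RSA_WITH_", "TLS_ECDH_", "TLS_DH_RSA_", "TLS_DH_DSS_")
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"  # signalling value, not a cipher
LABELS = {"weak": "weak cipher suite", "no_pfs": "no forward secrecy",
          "invalid": "not a cipher suite name"}


def parse_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_path: {key: value}}; nested sections join with '/'."""
    sections: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<") and line.endswith(">"):
            stack.append(line[1:-1].strip())
            sections.setdefault("/".join(stack), {})
        elif "=" in line and stack:
            key, _, value = line.partition("=")
            sections["/".join(stack)][key.strip()] = value.strip()
    return sections


def split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def classify(suite: str) -> str:
    """Return 'scsv', 'invalid', 'weak', 'no_pfs' or 'ok' for one suite name."""
    if suite == SCSV:
        return "scsv"
    if "_WITH_" not in suite:  # catches typos such as a stray trailing letter
        return "invalid"
    if any(marker in suite for marker in WEAK_MARKERS):
        return "weak"
    if suite.startswith(NO_PFS_PREFIXES):
        return "no_pfs"
    return "ok"


def audit(cfg_text: str) -> List[str]:
    """List the problems a reviewer would raise against the TLS settings."""
    cfg = parse_cfg(cfg_text)
    connector = cfg.get("https_connector", {})
    findings = [f"deprecated protocol enabled: {p}"
                for p in split_list(connector.get("sslEnabledProtocols", ""))
                if p in DEPRECATED_PROTOCOLS]
    ciphers = split_list(connector.get("ciphers", ""))
    findings += [f"{LABELS[classify(c)]}: {c}" for c in ciphers if classify(c) in LABELS]
    # Per the KB note the connector value silently wins over <setup>/https_ciphers.
    if ciphers and "https_ciphers" in cfg.get("setup", {}):
        findings.append("ciphers set in both <https_connector> and "
                        "<setup>/https_ciphers; the connector value wins, remove one")
    return findings


def hardened(cfg_text: str) -> Tuple[str, str]:
    """Return (sslEnabledProtocols, ciphers) with deprecated protocols and weak,
    non-PFS or misspelled suites dropped. An empty ciphers string means nothing
    survived and new suites must be chosen before the value is pasted back."""
    connector = parse_cfg(cfg_text).get("https_connector", {})
    protocols = [p for p in split_list(connector.get("sslEnabledProtocols", ""))
                 if p not in DEPRECATED_PROTOCOLS]
    ciphers = [c for c in split_list(connector.get("ciphers", ""))
               if classify(c) in ("ok", "scsv")]
    return ",".join(protocols), ",".join(ciphers)


# Constructed samples: LEGACY_CFG mirrors example 1 plus a leftover https_ciphers
# key; TLS12_CFG is a trimmed example 2 with a 3DES suite and a misspelled SCSV.
LEGACY_CFG = """
<setup>
   https_ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</setup>
<https_connector>
   URIEncoding = UTF-8
   sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
   ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</https_connector>
"""
TLS12_CFG = """
<https_connector>
   URIEncoding = UTF-8
   sslEnabledProtocols = TLSv1.2
   ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF
</https_connector>
"""

if __name__ == "__main__":
    for cfg in (LEGACY_CFG, TLS12_CFG):
        print(*audit(cfg), hardened(cfg), sep="\n")
```

Run it against your own wasp.cfg by passing the file contents to audit() and hardened(); for the legacy sample the hardened cipher string comes back empty, which is exactly the protocol/cipher mismatch situation described above and means new suites (for example the TLS_ECDHE_* AES-GCM entries from example 2) have to be chosen rather than pasting an empty value. After restarting wasp, confirm the result from outside with a TLS scanner or openssl s_client: with only TLSv1.2 enabled, a connection forced to an old version such as `openssl s_client -tls1_1 -connect <ump-host>:<port>` must fail.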
 

Additional Information

Descriptions of the sslEnabledProtocols and ciphers attributes can be found in the Tomcat 7.0 HTTP connector documentation:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

See also: (Optional, 8.51 or Later) Change the HTTPS Ciphers