Reputation: 39
Tomcat Apache Web Server still using ciphers with medium strength (<112 bits) even while configuring ciphers in connector
We have configured SSL in Apache Tomcat 6.0.20 at 8443 port#.
We have tenable Nessus tool which scans for vulnerabilities. It reported the web server has a "Medium Strength ciphers supported".
We went through Tomcat Documentation. We can configure the list of ciphers in ciphers attribute in connector element.
We configured from IBMJSSE2 Security Provider as the cipher list
For ex: SSL_DHE_RSA_WITH_AES_128_CBC_SHA
But, still the same vulnerability is getting listed and the above cipher is not getting selected in "Server Hello" SSL message. Instead it is selecting a medium level cipher "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" only.
Do we know why this behavior?
Some Extra details:
Tomcat Version: 6.0.20 Java version: J2RE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr4ifx-20090409_33254
IBM documentation of List of JSSE ciphers supported in Java6
Apache Tomcat 6.0 Documentation on how to configure SSL https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
server.xml ssl settings
<Connector port="8443" minSpareThreads="5" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" >
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 58B59B0B19255900580A16786D9F040BE19D236A6C16B1A53C281E6DDE072BDF
Session-ID-ctx:
Master-Key: F037145E80507808391326B77F3A175015FAD3C356FDD350ADC8FA69FCB7CEDC0443F3AF10BDA71544806F010D1B3A7C
Key-Arg : None
Start Time: 1488296715
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
Upvotes: 1
Views: 2332
Answers (1)
Reputation: 1908
You need to update the tomcat SSL settings to update the sslProtocol to TLS from SSL (default)
for tomcat versions < 6.0.38
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
for tomcat versions >= 6.0.38
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Read more here
Additional Step :
Download and update JCE policy jars in your JVM, since tomcat refers to JCE for cipher suites
Upvotes: 0
Related Questions
- Tomcat 8 ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- tomcat 7 + ssl not working - ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- Java SSL: client handshake failure and server no cipher suites in common
- How to solve "no cipher suites in common" during SSL Handshake?
- Tomcat: TLSv1.2 with strong ciphers not working
- How to control the SSL ciphers available to Tomcat
- Disabling weak Ciphers for Tomcat 5.5.27?
- Which SSL Ciphers Should I Remove in Tomcat for the Poodle (SSL3) Vulnerability
- SSLHandshakeException: Received fatal alert: handshake_failure when setting ciphers on tomcat 7 server
- Trying to understand Tomcat 7 SSL Ciphers