The transport level security protocol of the Tomcat server is configured in the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file. Note that the
sslProtocol attribute is set to TLS (Transport Layer Security) by default.
See the following topics for configuration:
Disabling SSL version 3
It is necessary to disable SSL version 3 in WSO2 products because of a bug (Poodle Attack) in the SSL version 3 protocol that could expose critical data encrypted between clients and servers. The Poodle Attack makes the system vulnerable by telling the client that the server does not support the more secure TLS protocol. This forces the server to connect via SSL 3.0. You can mitigate the effect of this bug by disabling SSL version 3 protocol in your server.
Follow the steps below to disable SSL 3.0 support.
- Make a backup of the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xmlfile and stop the server.
- Find the connector configuration that is corresponding to TLS (usually, this connector has the port set to 9443 and the
If you are using JDK 1.6, remove the
sslProtocol="TLS"attribute from the configuration and replace it with
sslEnabledProtocols="TLSv1"as shown below.
If you are using JDK 1.7, remove the
sslProtocol="TLS"attribute from the above configuration and replace it with
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"as shown below.
- Start the server.
To test if SSL version 3 is disabled:
Execute the following command to test the transport:
The output of the command before and after disabling SSL version 3 is shown below.
Before SSL version 3 is disabled:
After SSL version 3 is disabled:
The TLSv1 protocol used in the
catalina-server.xmlfile can sometimes create the following security alert when the client is run:
However, it is still recommended to use the TLSv1 protocol as it is possible to overcome this vulnerability from the client side.
Disabling the weak ciphers
A cipher is an algorithm for performing encryption or decryption. When the
sslProtocol is set to TLS, only the TLS and default ciphers are enabled. However, the strength of the ciphers will not be considered when they are enabled. Therefore, to disable the weak ciphers, you enter only the ciphers that you want the server to support in a comma-separated list in the
ciphers attribute. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server. This will enable the weak ciphers.
Disabling weak ciphers will protect your system for security vulnerabilities such as the 'Logjam' attack.
- Make a backup of the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xmlfile and stop the server (same as for disabling SSL version 3).
cipherattribute to the existing configuration in the
catalina-server.xmlfile by adding the list of ciphers that you want your server to support as follows:
Start the server.