This documentation is for WSO2 Enterprise Service Bus version 4.9.0 . View documentation for the latest release.
Skip to end of metadata
Go to start of metadata

The transport level security protocol of the Tomcat server is configured in the <ESB_HOME>/repository/conf/tomcat/catalina-server.xml file. Note that the sslProtocol attribute is set to TLS (Transport Layer Security) by default.

See the following topics for configuration:

Disabling SSL version 3

It is necessary to disable SSL version 3 in WSO2 products because of a bug (Poodle Attack) in the SSL version 3 protocol that could expose critical data encrypted between clients and servers. The Poodle Attack makes the system vulnerable by telling the client that the server does not support the more secure TLS protocol. This forces the server to connect via SSL 3.0. You can mitigate the effect of this bug by disabling SSL version 3 protocol in your server.

Follow the steps below to disable SSL 3.0 support.

  1. Make a backup of the <ESB_HOME>/repository/conf/tomcat/catalina-server.xml file and stop the server.
  2. Find the connector configuration that is corresponding to TLS (usually, this connector has the port set to 9443 and the sslProtocol as TLS).
    • If you are using JDK 1.6, remove the sslProtocol="TLS" attribute from the configuration and replace it with sslEnabledProtocols="TLSv1" as shown below.

      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                      port="9443"
                      bindOnInit="false"
                      sslEnabledProtocols="TLSv1"
    •  If you are using JDK 1.7, remove the sslProtocol="TLS" attribute from the above configuration and replace it with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" as shown below.

      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                      port="9443"
                      bindOnInit="false"
                      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
  3. Start the server.

To test if SSL version 3 is disabled:

  1. Download TestSSLServer.jar from here.
  2. Execute the following command to test the transport:

    java -jar TestSSLServer.jar localhost 9443 
  3. The output of the command before and after disabling SSL version 3 is shown below.

    Before SSL version 3 is disabled:

    Supported versions: SSLv3 TLSv1.0
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_EXPORT_WITH_RC4_40_MD5
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_EXPORT_WITH_DES40_CBC_SHA
         RSA_WITH_DES_CBC_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
         DHE_RSA_WITH_DES_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         DHE_RSA_WITH_AES_256_CBC_SHA
      (TLSv1.0: idem)

    After SSL version 3 is disabled:

    Supported versions: TLSv1.0
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      TLSv1.0
         RSA_EXPORT_WITH_RC4_40_MD5
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_EXPORT_WITH_DES40_CBC_SHA
         RSA_WITH_DES_CBC_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
         DHE_RSA_WITH_DES_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         DHE_RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         DHE_RSA_WITH_AES_256_CBC_SHA

Disabling the weak ciphers

A cipher is an algorithm for performing encryption or decryption. When the sslProtocol is set to TLS, only the TLS and default ciphers are enabled. However, the strength of the ciphers will not be considered when they are enabled. Therefore, to disable the weak ciphers, you enter only the ciphers that you want the server to support in a comma-separated list in the ciphers attribute. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server. This will enable the weak ciphers.

  1. Make a backup of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file and stop the server (same as for disabling SSL version 3).
  2. Add the cipher attribute to the existing configuration in the catalina-server.xml file by adding the list of ciphers that you want your server to support as follows: ciphers="<cipher-name>,<cipher-name>".

    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
             SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
  3. Start the server.

Configuring the PassThrough transport

If you have enabled the PassThrough transport, do the following:

  1. Stop the server.

  2. Open the <ESB_HOME>/repository/conf/axis2/axis2.xml file and based on the JDK version you are using add the specified parameter under the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener"> element as well as under the <transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender"> element.

    • If you are using JDK 1.6, add the following parameter:

      <parameter name="HttpsProtocols">TLSv1</parameter> 
    • If you are using JDK 1.7, add the following parameter:

      <parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLSv1.2</parameter> 
  3. Start the server.

  4. Test the pass-through transport using the following command with the corresponding port:

    $ java -jar TestSSLServer.jar localhost 8243
  • No labels