This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Page Comparison - Configuring Transport Level Security (v.20 vs v.21) - Carbon 4.2.0 - WSO2 Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

A cipher is an algorithm for performing encryption or decryption. You have the option of disabling the weak ciphers in the Tomcat server by modifying the SSL Connector container in the The transport level security protocol of the Tomcat server is configured in the <PRODUCT_HOME>/conf/tomcat/catalina-server.xml file file.   Note that the ssLprotocol attribute  attribute is set to "TLS" by default, which ensures that only the TLS and default ciphers are enabled. Also, by default, all ciphers will be enabled regardless of whether they are strong or weak. Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered for the ciphers attribute in a comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.

To enable only the strong ciphers in a Carbon server:

...



See the following topics for detailed configuration options:

Table of Contents
maxLevel3
minLevel3

Disable SSL version 3 for Application Server

Info

It is necessary to disable SSL version 3 in Carbon servers because of a bug (Poodle Attack) in the SSL version 3 protocol that could expose critical data encrypted between clients and servers. The Poodle Attack makes the system vulnerable by telling the client that the server does not support the more secure TLS (Transport Layer Security) protocol, and thereby forces it to connect via SSL 3.0. The effect of this bug can be mitigated by disabling SSL version 3 protocol for your server.

Follow the steps given below to disable SSL 3.0 support on Application Server.

  1. Open the <PRODUCT_HOME>/repository/conf/tomcat directory.catalina-server.xml file. 
  2. Take a backup of the catalina-server.xml file.Stop  file and stop the Carbon server.
  3. Carbon server uses TLS as the transport security protocol by default. In the catalina-server.xml file, you can change the sslProtocol attribute value to "SSL" if you want SSL to be enabled instead of TLS:
    sslProtocol="SSL"
  4. Add the cipher attribute to the existing configuration in the catalina-server.xml file by adding the list of ciphers that you want your server to support as follows:

    ciphers="<cipher-name>,<cipher-name>"

    For example, once you have completed the configuration, your connector will look as follows:

    Code Block Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and the sslProtocol as TLS).
    • If you are using JDK 1.6, remove the sslProtocol="TLS" attribute from the configuration and replace it with sslEnabledProtocols="TLSv1" as shown below.

      Code Block
      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                      port="9443"
                      bindOnInit="false"
                      
    sslProtocol
    • sslEnabledProtocols="
    TLS" maxHttpHeaderSize="8192" acceptorThreadCount="2" maxThreads="250
    • TLSv1"
    •  If you are using JDK 1.7, remove the sslProtocol="TLS" attribute from the above configuration and replace it with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" as shown below.

      Code Block
      <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                      
    minSpareThreads
    • port="
    50
    • 9443"
                      
    disableUploadTimeout
    • bindOnInit="false"
                      
    enableLookups
    • sslEnabledProtocols="
    false" connectionUploadTimeout="120000"
    • TLSv1,TLSv1.1,TLSv1.2" 
  5. Start the server.

To test if SSL version 3 is disabled:

  1. Download TestSSLServer.jar from here.
  2. Execute the following command to test the transport:

    Code Block
    java -jar TestSSLServer.jar localhost 9443 
  3. The output of the command before and after disabling SSL version 3 is shown below.

    Before SSL version 3 is disabled:

    Code Block
    Supported versions: SSLv3 TLSv1.0
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      SSLv3
         RSA_EXPORT_WITH_RC4_40_MD5
          maxKeepAliveRequests="200"RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
         RSA_EXPORT_WITH_DES40_CBC_SHA
         acceptCount="200"RSA_WITH_DES_CBC_SHA
         RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        server="WSO2 Carbon Server" DHE_RSA_WITH_DES_CBC_SHA
         DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
         clientAuth="false"DHE_RSA_WITH_AES_128_CBC_SHA
         RSA_WITH_AES_256_CBC_SHA
         DHE_RSA_WITH_AES_256_CBC_SHA
      (TLSv1.0:  compression="on"
                    scheme="https"
      idem)

    After SSL version 3 is disabled:

    Code Block
    Supported versions: TLSv1.0
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
      TLSv1.0
         RSA_EXPORT_WITH_RC4_40_MD5
         RSA_WITH_RC4_128_MD5
         RSA_WITH_RC4_128_SHA
     secure="true"    RSA_EXPORT_WITH_DES40_CBC_SHA
         RSA_WITH_DES_CBC_SHA
          SSLEnabled="true"RSA_WITH_3DES_EDE_CBC_SHA
         DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
         DHE_RSA_WITH_DES_CBC_SHA
         compressionMinSize="2048"DHE_RSA_WITH_3DES_EDE_CBC_SHA
         RSA_WITH_AES_128_CBC_SHA
           DHE_RSA_WITH_AES_128_CBC_SHA
      noCompressionUserAgents="gozilla, traviata"  RSA_WITH_AES_256_CBC_SHA
                  compressableMimeType="text/html,text/javascript,application/x-        
                    javascript,application/javascript,application/xml,text/css,application/xslt+xml,
                    text/xsl,image/gif,image/jpg,image/jpeg"
                    DHE_RSA_WITH_AES_256_CBC_SHA

Disable weak ciphers in Carbon server

A cipher is an algorithm for performing encryption or decryption. When the sslprotocol is set to "TLS", only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled. Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered for the ciphers attribute in a comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.

  1. Go to the catalina-server.xml file in the <PRODUCT_HOME>/repository/conf/tomcat directory.
  2. Take a backup of the catalina-server.xml file and stop the Carbon server (same as for disabling SSL version 3).
  3. Add the cipher attribute to the existing configuration in the catalina-server.xml file by adding the list of ciphers that you want your server to support as follows: ciphers="<cipher-name>,<cipher-name>".

    Code Block
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
          
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    
                   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
                    keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
                    keystorePass="wso2carbon" 
                    URIEncoding="UTF-8"/>
  4. Save the catalina-server.xml file.
  5. Restart the Carbon

    Start the server.