This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Fixing Security Vulnerabilities - Carbon 4.2.0 - WSO2 Documentation
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

You can disable the weak ciphers in the Tomcat server by modifying cipher attribute in SSL Connector container in the catalina-server.xml file. However, if you leave the cipher attribute out or keep it blank, all SSL ciphers by JSSE will be supported by your server; otherwise, you can enter the ciphers that you want your server to support in a comma-separated list.

To disable weak ciphers in a Carbon server:

  1. Locate the catalina-server.xml file in the <CARBON_HOME>/repository/conf/tomcat directory.
  2. Take a backup of catalina-server.xml file.
  3. Stop the Carbon server.
  4. Add the cipher attribute to the existing configuration, in the catalina-server.xml file with the list of ciphers that you want your server to support.

    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

    For example, once you have  completed the configuration your connector will look as follows:

     <Connector  protocol="org.apache.coyote.http11.Http11NioProtocol"
                    port="9443"
                    bindOnInit="false"
                    sslProtocol="TLS"
                    maxHttpHeaderSize="8192"
                    acceptorThreadCount="2"
                    maxThreads="250"
                    minSpareThreads="50"
                    disableUploadTimeout="false"
                    enableLookups="false"
                    connectionUploadTimeout="120000"
                    maxKeepAliveRequests="200"
                    acceptCount="200"
                    server="WSO2 Carbon Server"
                    clientAuth="false"
                    compression="on"
                    scheme="https"
                    secure="true"
                    SSLEnabled="true"
                    compressionMinSize="2048"
                    noCompressionUserAgents="gozilla, traviata"
                    compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"       
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"	            keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
                    keystorePass="wso2carbon" 
                    URIEncoding="UTF-8"/>


  5. Save the catalina-server.xml file.
  6. Restart the Carbon server.


  • No labels