A cipher is an algorithm for performing encryption or decryption. You can disable the weak ciphers in the Tomcat server by modifying the SSL Connector in the catalina-server.xml file.

Note that the sslProtocol attribute is set to "TLS" by default, which ensures that only TLS and the default ciphers are enabled. However, by default all ciphers are enabled regardless of whether they are strong or weak. Therefore, to disable the weak ciphers, you must list only the ciphers you want your server to support in the ciphers attribute, as a comma-separated list. If you omit the ciphers attribute or leave it blank, your server supports every SSL cipher provided by JSSE, which enables the weak ciphers as well.
To enable only the strong ciphers in a Carbon server:

- Locate the catalina-server.xml file in the <CARBON_HOME>/repository/conf/tomcat directory.
- Take a backup of the catalina-server.xml file.
- Stop the Carbon server.
- In the catalina-server.xml file, sslProtocol is "TLS" by default. If you want SSL ciphers to be enabled instead of TLS, change this value to "SSL": sslProtocol="SSL"
- Add the ciphers attribute to the existing Connector configuration in the catalina-server.xml file, listing the ciphers that you want your server to support as follows: ciphers="<cipher-name>,<cipher-name>"

  For example, once you have completed the configuration, your connector will look as follows:

  ```xml
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="9443"
             bindOnInit="false"
             sslProtocol="TLS"
             maxHttpHeaderSize="8192"
             acceptorThreadCount="2"
             maxThreads="250"
             minSpareThreads="50"
             disableUploadTimeout="false"
             enableLookups="false"
             connectionUploadTimeout="120000"
             maxKeepAliveRequests="200"
             acceptCount="200"
             server="WSO2 Carbon Server"
             clientAuth="false"
             compression="on"
             scheme="https"
             secure="true"
             SSLEnabled="true"
             compressionMinSize="2048"
             noCompressionUserAgents="gozilla, traviata"
             compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
             ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
             keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
             keystorePass="wso2carbon"
             URIEncoding="UTF-8"/>
  ```

- Save the catalina-server.xml file.
- Restart the Carbon server.
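The following script is an added example written for this page; it is not WSO2's code and not part of the Carbon distribution. It audits an SSL Connector element for the two problems the text describes: a missing or blank ciphers attribute (which silently enables every JSSE suite) and weak suites named explicitly in the list. The sample Connector is constructed inline from the example above, trimmed to the relevant attributes. The weak-suite markers (RC4, DES/3DES, NULL, EXPORT, anonymous and MD5-based suites) are the editor's assumption, not a WSO2 policy; note that the page's own example list contains RC4 and 3DES suites, which current guidance treats as weak, so the script flags them and produces a ciphers attribute with only the remaining AES suites.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the Connector from the page above,
# trimmed to the attributes this audit needs.
SAMPLE_CONNECTOR = """<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="9443" sslProtocol="TLS" scheme="https" secure="true" SSLEnabled="true"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>"""

# Constructed sample of the failure mode the page warns about: no ciphers attribute at all.
SAMPLE_CONNECTOR_NO_CIPHERS = """<Connector port="9443" sslProtocol="TLS" SSLEnabled="true"/>"""

# Substrings of a JSSE suite name that mark it as weak. This list is the editor's
# assumption, not WSO2's; adjust it to your own policy.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_anon_", "_MD5")


def parse_ciphers(connector_xml):
    """Return the suites named in the ciphers attribute.

    An empty list means the attribute is missing or blank, which on this server
    means every JSSE suite is enabled (see the note in the text above).
    """
    elem = ET.fromstring(connector_xml)
    raw = elem.get("ciphers", "")
    # The XML parser folds newlines inside the attribute value to spaces, so strip each entry.
    return [c.strip() for c in raw.split(",") if c.strip()]


def classify(suites):
    """Split a suite list into (strong, weak) using the WEAK_MARKERS heuristic."""
    weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
    strong = [s for s in suites if s not in weak]
    return strong, weak


def audit(connector_xml):
    """Audit one SSL Connector element and return a findings dict."""
    elem = ET.fromstring(connector_xml)
    findings = {
        "ssl_enabled": elem.get("SSLEnabled") == "true",
        "all_jsse_suites": False,
        "strong": [],
        "weak": [],
    }
    suites = parse_ciphers(connector_xml)
    if not suites:
        # Missing or blank ciphers attribute: every JSSE suite, weak ones included, is on.
        findings["all_jsse_suites"] = True
        return findings
    findings["strong"], findings["weak"] = classify(suites)
    return findings


def with_ciphers(connector_xml, suites):
    """Return the Connector element rewritten with an explicit ciphers attribute."""
    elem = ET.fromstring(connector_xml)
    elem.set("ciphers", ",".join(suites))
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    result = audit(SAMPLE_CONNECTOR)
    for suite in result["weak"]:
        print("weak suite enabled:", suite)
    # Rewrite the connector so that only the suites that passed the check remain.
    print(with_ciphers(SAMPLE_CONNECTOR, result["strong"]))
    print("no ciphers attribute ->", audit(SAMPLE_CONNECTOR_NO_CIPHERS)["all_jsse_suites"])
```

To use it against a real file, read the Connector element out of catalina-server.xml and pass it to audit(); an all_jsse_suites finding means the ciphers attribute is absent or blank and the connector is in the default, everything-enabled state the text warns about.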