The transport level security protocol of the Tomcat server is configured in the
<PRODUCT_HOME>/conf/tomcat/catalina-server.xml file. Note that the ss
Lprotocol attribute is set to "TLS" by default.
See the following topics for detailed configuration options:
Disable SSL version 3 for Application Server
It is necessary to disable SSL version 3 in Carbon servers because of a bug (Poodle Attack) in the SSL version 3 protocol that could expose critical data encrypted between clients and servers. The Poodle Attack makes the system vulnerable by telling the client that the server does not support the more secure TLS (Transport Layer Security) protocol, and thereby forces it to connect via SSL 3.0. The effect of this bug can be mitigated by disabling SSL version 3 protocol for your server.
Follow the steps given below to disable SSL 3.0 support on Application Server.
- Open the
- Take a backup of the
catalina-server.xmlfile and stop the Carbon server.
- Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and the
If you are using JDK 1.6, remove the
sslProtocol="TLS"attribute from the configuration and replace it with
sslEnabledProtocols="TLSv1"as shown below.
If you are using JDK 1.7, remove the
sslProtocol="TLS"attribute from the above configuration and replace it with
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"as shown below.
- Start the server.
To test if SSL version 3 is disabled:
Execute the following command to test the transport:
The output of the command before and after disabling SSL version 3 is shown below.
Before SSL version 3 is disabled:
After SSL version 3 is disabled:
Disable weak ciphers in Carbon server
A cipher is an algorithm for performing encryption or decryption. When the
sslprotocol is set to "TLS", only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled. Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered for the
ciphers attribute in a comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.
- Go to the
catalina-server.xmlfile in the
- Take a backup of the
catalina-server.xmlfile and stop the Carbon server (same as for disabling SSL version 3).
cipherattribute to the existing configuration in the
catalina-server.xmlfile by adding the list of ciphers that you want your server to support as follows:
Start the server.