Page Comparison

The transport level security protocol of the Tomcat server is configured in the <PRODUCT_HOME>/conf/tomcat/catalina-server.xml file. Note that the ssLprotocol attribute is set to "TLS" by default. 
See the following topics for detailed configuration options:

...

1. Open the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.
2. Make a backup of the catalina-server.xml  file and stop the WSO2 product server.

3. Add the cipher  attribute to the existing configuration in the catalina-server.xml  file by adding the list of ciphers that you want your server to support as follows: ciphers="<cipher-name>,<cipher-name>". For example,
   

   Code Block

   For Tomcat version 7.0.59 and JDK version 1.7: ciphers="SSLTLS_RSA_WITH_RC4_128_MD5,SSL_RSAECDHE_ECDSA_WITH_RC4AES_128_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHESHA256,TLS_ECDHE_RSA_WITH_3DESAES_EDE128_CBC_SHASHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHASHA256,TLS_DHEECDHE_RSAECDSA_WITH_AES_128_CBC_SHA, TLSTLS_ECDHE_RSA_WITH_AES_256128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256128_CBC_SHA" For Tomcat version 7.0.59 and JDK version 1.8: ciphers="SSLTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4AES_128_CBC_MD5SHA256,SSLTLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_RC4AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256128_CBC_SHA" ,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

4. Start the server.

5. To verify that the configurations are all set correctly, download and run the TestSSLServer.jar.
   

   Code Block
   $ java -jar TestSSLServer.jar localhost 9443

6. Note that in the output that you get, the section "Supported cipher suites" does not contain any export ciphers.

Firefox 39.0 onwards does not allow to access Web sites that support DHE with keys less than 1023 bits (not just DHE_EXPORT). 768/1024 bits are considered to be too small and vulnerable to attacks if the hacker has enough computing resources.