The transport-level security protocol of the Tomcat server is configured in the `<PRODUCT_HOME>/conf/tomcat/catalina-server.xml` file. Note that the `sslProtocol` attribute is set to "TLS" by default.
See the following topics for detailed configuration options:
...
- Open the `<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml` file.
- Make a backup of the `catalina-server.xml` file and stop the Carbon server.
- Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and the `sslProtocol` as TLS).
- If you are using JDK 1.6, remove the `sslProtocol="TLS"` attribute from the configuration and replace it with `sslEnabledProtocols="TLSv1"` as shown below.

```xml
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1"
```

- If you are using JDK 1.7, remove the `sslProtocol="TLS"` attribute from the above configuration and replace it with `sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"` as shown below.

```xml
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
```

- Start the server.

Note: In some Carbon products, such as WSO2 ESB and WSO2 API Manager, pass-thru transports are enabled. Therefore, to disable SSL in such products, the `axis2.xml` file stored in the `<PRODUCT_HOME>/repository/conf/axis2/` directory should also be configured.
...
- Download `TestSSLServer.jar` from here.
- Execute the following command to test the transport:

```
java -jar TestSSLServer.jar localhost 9443
```

The output of the command before and after disabling SSL is shown below.

Before SSL is disabled:

```
Supported versions: SSLv3 TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_EXPORT_WITH_RC4_40_MD5
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_EXPORT_WITH_DES40_CBC_SHA
     RSA_WITH_DES_CBC_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
     DHE_RSA_WITH_DES_CBC_SHA
     DHE_RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
```

After SSL is disabled:

```
Supported versions: TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.0
     RSA_EXPORT_WITH_RC4_40_MD5
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_EXPORT_WITH_DES40_CBC_SHA
     RSA_WITH_DES_CBC_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
     DHE_RSA_WITH_DES_CBC_SHA
     DHE_RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
```
...
- Open the `<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml` file.
- Make a backup of the `catalina-server.xml` file and stop the WSO2 product server.
- Add the `ciphers` attribute to the existing configuration in the `catalina-server.xml` file by adding the list of ciphers that you want your server to support as follows: `ciphers="<cipher-name>,<cipher-name>"`. For example:

For Tomcat version 7.0.59 and JDK version 1.7:

```
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
```

For Tomcat version 7.0.59 and JDK version 1.8:

```
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
```

- Start the server.
- To verify that the configurations are all set correctly, download and run the `TestSSLServer.jar`.

```
$ java -jar TestSSLServer.jar localhost 9443
```

- Note that in the output that you get, the section "Supported cipher suites" does not contain any export ciphers.
From version 39.0 onwards, Firefox does not allow access to websites that support DHE with keys less than 1023 bits (not just DHE_EXPORT). 768/1024 bits are considered to be too small and vulnerable to attacks if the hacker has enough computing resources.
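The two procedures above (replacing `sslProtocol` with `sslEnabledProtocols`, and adding a `ciphers` list) can be checked offline before the server is restarted. The following is an added example, not WSO2's own code: it parses the Connector elements and reports missing or weak settings. The sample XML, port 9444, the weak-suite markers and the rule for recognising a TLS connector are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}
# Substrings that mark suites to flag: export-grade, RC4, single DES, MD5, NULL, anon.
WEAK_MARKERS = ("EXPORT", "RC4", "_DES_", "DES40", "MD5", "NULL", "anon")
TLS_ATTRS = {"sslProtocol", "sslEnabledProtocols", "ciphers"}

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_connectors(xml_text):
    """Return (port, finding) tuples for each TLS Connector in the XML text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = conn.attrib
        # Assumption: a connector counts as TLS if it has one of these attributes.
        if not (TLS_ATTRS & attrs.keys() or attrs.get("scheme") == "https"):
            continue
        port = attrs.get("port", "?")
        protocols = _csv(attrs.get("sslEnabledProtocols", ""))
        if not protocols:
            findings.append((port, "sslEnabledProtocols not set"))
        findings += [(port, "legacy protocol enabled: " + p)
                     for p in protocols if p in LEGACY_PROTOCOLS]
        ciphers = _csv(attrs.get("ciphers", ""))
        if not ciphers:
            findings.append((port, "ciphers not set, JVM defaults apply"))
        findings += [(port, "weak cipher suite: " + c)
                     for c in ciphers if any(m in c for m in WEAK_MARKERS)]
    return findings

# Constructed sample, not a real product file: plain HTTP, default TLS, partly hardened.
SAMPLE = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
             bindOnInit="false" sslProtocol="TLS"/>
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9444"
             bindOnInit="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print("port %s: %s" % (port, finding))
```

A static check like this complements the TestSSLServer run: it catches a missing attribute before startup, while the scan confirms what the running JVM actually negotiates.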
Tip: To use AES-256, the Java JCE Unlimited Strength Jurisdiction Policy files need to be installed. Download them from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
Tip: From Java 7, you must set the