Configuring Transport Level Security
The transport level security protocol of the Tomcat server is configured in the <PRODUCT_HOME>/conf/tomcat/catalina-server.xml
 file. Note that the ssLprotocol
 attribute is set to "TLS" by default.Â
See the following topics for detailed configuration options:
Disable SSL on Carbon server
It is necessary to disable SSL in Carbon servers because of a bug (Poodle Attack) in the SSL protocol that could expose critical data encrypted between clients and servers. The Poodle Attack makes the system vulnerable by telling the client that the server does not support the more secure TLS (Transport Layer Security) protocol, and thereby forces it to connect via SSL. The effect of this bug can be mitigated by disabling SSL protocol for your server.
Follow the steps given below to disable SSL support on WSO2 Carbon based servers.
- Open theÂ
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml
 file. - Make a backup of theÂ
catalina-server.xml
 file and stop the Carbon server. - Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and theÂ
sslProtocol
 as TLS).If you are using JDK 1.6, remove theÂ
sslProtocol="TLS"
 attribute from the configuration and replace it withÂsslEnabledProtocols="TLSv1"
 as shown below.<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1"
 If you are using JDK 1.7, remove theÂ
sslProtocol="TLS"
 attribute from the above configuration and replace it withÂsslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
 as shown below.<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"Â
Start the server.
In some Carbon products, such as WSO2 ESB and WSO2 API Manager, pass-thru transports are enabled. Therefore, to disable SSL version 3 in such products, the
axis2.xml
file stored in the<PRODUCT_HOME>/repository/conf/axis2/
 directory should also be configured.
To test if SSL is disabled:
- DownloadÂ
TestSSLServer.jar
 from here. Execute the following command to test the transport:
java -jar TestSSLServer.jar localhost 9443
The output of the command before and after disabling SSL is shown below.
Before SSL is disabled:Supported versions: SSLv3 TLSv1.0 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): SSLv3 RSA_EXPORT_WITH_RC4_40_MD5 RSA_WITH_RC4_128_MD5 RSA_WITH_RC4_128_SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_WITH_DES_CBC_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA (TLSv1.0: idem)
After SSL is disabled:
Supported versions: TLSv1.0 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.0 RSA_EXPORT_WITH_RC4_40_MD5 RSA_WITH_RC4_128_MD5 RSA_WITH_RC4_128_SHA RSA_EXPORT_WITH_DES40_CBC_SHA RSA_WITH_DES_CBC_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_EXPORT_WITH_DES40_CBC_SHA DHE_RSA_WITH_DES_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA
Disable weak ciphers in Carbon server
A cipher is an algorithm for performing encryption or decryption. When the sslprotocol
 is set to "TLS", only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled. Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered for the ciphers
 attribute in a comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.
- Go to theÂ
catalina-server.xml
 file in theÂ<PRODUCT_HOME>/repository/conf/tomcatÂ
directory. - Make a backup of theÂ
catalina-server.xml
 file and stop the Carbon server. Add theÂ
cipher
 attribute to the existing configuration in theÂcatalina-server.xml
 file by adding the list of ciphers that you want your server to support as follows:Âciphers="<cipher-name>,<cipher-name>"
.ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
- Start the server.