Fixing Security Vulnerabilities
A cipher is an algorithm for performing encryption or decryption. You can disable the weak ciphers in the Tomcat server by modifying the cipher
 attribute in the SSL Connector container, which is in the catalina-server.xml
 file. Enter the ciphers that you want your server to support in a comma-separated list. By default, all ciphers, whether they are strong or weak, will be enabled. However, if you do not add the cipher
 attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server. This will enable the weak ciphers.
The steps below explain how to disable weak and enable strong ciphers in a product:
- Take a backup of
<PRODUCT_HOME>/repository/conf/tomcat/
file.catalina-server.xml
- Stop the server.
Add the
cipher
attribute to the existing configuration in thecatalina-server.xml
 file with the list of ciphers that you want your server to support as follows:ciphers="<cipher-name>,<cipher-name>"
The code below shows how a connector looks after an example configuration is done:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" bindOnInit="false" sslProtocol="TLS" maxHttpHeaderSize="8192" acceptorThreadCount="2" maxThreads="250" minSpareThreads="50" disableUploadTimeout="false" enableLookups="false" connectionUploadTimeout="120000" maxKeepAliveRequests="200" acceptCount="200" server="WSO2 Carbon Server" clientAuth="false" compression="on" scheme="https" secure="true" SSLEnabled="true" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/javascript,application/x- Â javascript,application/javascript,application/xml,text/css,application/xslt+xml, text/xsl,image/gif,image/jpg,image/jpeg" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks" keystorePass="wso2carbon" URIEncoding="UTF-8"/>
Save the
catalina-server.xml
file.- Restart the server.