This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Fixing Security Vulnerabilities

Owned by Former user (Deleted)
Last updated: Aug 22, 2013Version comment
3 min read

A cipher is an algorithm for performing encryption or decryption. You can disable the weak ciphers in the Tomcat server, by modifying the cipher attribute in the SSL Connector container, which is in the catalina-server.xml file. This can be done by entering the ciphers that you want your server to support in a comma-separated list. By default, all ciphers whether they are strong or weak will be enabled. However, if you do not add the cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, and thereby enable your weak ciphers.

To disable weak and enable strong ciphers in a Carbon server:

  1. Locate the catalina-server.xml file in the <CARBON_HOME>/repository/conf/tomcat directory.
  2. Take a backup of catalina-server.xml file.
  3. Stop the Carbon server.

  4. Add the cipher attribute to the existing configuration, in the catalina-server.xml file with the list of ciphers that you want your server to support as follows:

    ciphers="<cipher-name>,<cipher-name>"

    For example, once you have completed the configuration your connector will look as follows:

     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                port="9443"
                bindOnInit="false"
                sslProtocol="TLS"
                maxHttpHeaderSize="8192"
                acceptorThreadCount="2"
                maxThreads="250"
                minSpareThreads="50"
                disableUploadTimeout="false"
                enableLookups="false"
                connectionUploadTimeout="120000"
                maxKeepAliveRequests="200"
                acceptCount="200"
                server="WSO2 Carbon Server"
                clientAuth="false"
                compression="on"
                scheme="https"
                secure="true"
                SSLEnabled="true"
                compressionMinSize="2048"
                noCompressionUserAgents="gozilla, traviata"
                compressableMimeType="text/html,text/javascript,application/x-        
                javascript,application/javascript,application/xml,text/css,application/xslt+xml,
                text/xsl,image/gif,image/jpg,image/jpeg"
                ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
                TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
                keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
                keystorePass="wso2carbon" 
                URIEncoding="UTF-8"/>
  5. Save the catalina-server.xml file.
  6. Restart the Carbon server.