How to disable 3DES and weak ciphers in Tomcat 8.5.15

Discussion in 'Apache' started by platetripn, Dec 21, 2018.

  1. #1
    Hello,

    I am being pinged by our security folks on scans stating that we still use 3DES ciphers. This system is running on a Windows Server. I have tried several different ways to add ciphers and lists of weak ciphers, but when I run a scan they still show as weak. I want to know where in the connector settings I should put the ciphers and what other options are needed to block weak ciphers. I appreciate any help you can give. Here is a copy of our scrubbed server.xml.

    <?xml version="1.0" encoding="UTF-8"?>

    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <!-- Security listener. Documentation at /docs/config/listeners.html
      <Listener className="org.apache.catalina.security.SecurityListener" />
      -->
      <!--APR library loader. Documentation at /docs/apr.html -->
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <!-- Prevent memory leaks due to use of particular java/javax APIs-->
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

      <!-- A "Service" is a collection of one or more "Connectors" that share
           a single "Container" Note: A "Service" is not itself a "Container",
           so you may not define subcomponents such as "Valves" at this level.
           Documentation at /docs/config/service.html
      -->
      <Service name="XXXXXXXXXXXXXXXXXXXXXXXXX">
        <Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
                   port="80"
                   protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443" />
        <Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
                   port="443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="800"
                   minSpareThreads="80"
                   maxSpareThreads="160"
                   SSLEnabled="true"
                   secure="true"
                   scheme="https"
                   compression="off"
                   compressableMimeType="text/html,text/xml,text/plain">
          <!-- Authentication settings (below) -->
          <SSLHostConfig disableSessionTickets="true">
            <!-- SSL certificate settings (below) -->
            <Certificate certificateKeystoreFile="XXXXXXXXXXXXXXXXXXXXXXXXX"
                         certificateKeystorePassword="XXXXXXXXXXXXXXXXXXXXXXXXX"
                         certificateKeyAlias="XXXXXXXXXXXXXXXXXXXXXXXXX"
                         type="RSA" />
          </SSLHostConfig>
        </Connector>

        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

        <Engine name="Catalina" defaultHost="XXXXXXXXXXXXXXXXXXXXXXXXX">
          <Host name="XXXXXXXXXXXXXXXXXXXXXXXXX"
                appBase="XXXXXXXXXXXXXXXXXXXXXXXXX"
                unpackWARs="true"
                autoDeploy="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"
                   prefix="XXXXXXXXXXXXXXXXXXXXXXXXX"
                   suffix=".txt"
                   pattern="common" />
            <Context path="/XXXXXXXXXXXXXXXXXXXXXXXXX"
                     docBase="XXXXXXXXXXXXXXXXXXXXXXXXX" />
          </Host>
        </Engine>
      </Service>
    </Server>

    platetripn, Dec 21, 2018 IP
  2. RoseHosting

  3. platetripn

    #3
    I have looked at this link before. I am running Tomcat 8.5.15 and Java 8. If I input that list of ciphers, does it mean that those are the stronger ciphers, or is it a list of the weak ciphers that the site shouldn't use?

    There needs to be a much easier way to harden a site in Tomcat.
     
    platetripn, Dec 27, 2018 IP
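The posted server.xml (post #1) has an `<SSLHostConfig>` with no `ciphers` or `protocols` attribute, so whatever the TLS engine enables by default is what the scanner sees, and the question in post #3 is whether a cipher list is an allowlist or a denylist. In Tomcat 8.5 the `ciphers` attribute on `<SSLHostConfig>` is an allowlist: only the suites named there are offered. The script below is an added example written for this thread; it is not Tomcat code and not code from any poster. It embeds a constructed, trimmed copy of the posted connector next to a hardened version (explicit TLS 1.2 only, two AES-GCM suites, `honorCipherOrder="true"`), parses both with the standard library, and reports any SSL-enabled connector that relies on engine defaults, names a weak suite, or allows protocols older than TLS 1.2. Keystore path, password and alias are constructed placeholders; the attribute names `ciphers`, `protocols` and `honorCipherOrder` are the Tomcat 8.5 SSLHostConfig attributes.

```python
"""Audit <SSLHostConfig> elements in a Tomcat 8.5 server.xml for weak TLS settings.

Added example for this thread (not Tomcat code, not any poster's code).
Assumes the Tomcat 8.5 SSLHostConfig attributes `ciphers`, `protocols` and
`honorCipherOrder`; keystore path, password and alias are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Substrings that mark cipher suites a scanner will report as weak.
# 3DES is spelled "3DES_EDE_CBC" in JSSE names and "DES-CBC3" in OpenSSL names.
WEAK_MARKERS = ("3DES", "DES_EDE", "DES-CBC3", "_DES_", "RC4", "NULL", "MD5",
                "EXPORT", "anon", "PSK", "SRP")
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed, trimmed copy of the HTTPS connector from post #1: the
# SSLHostConfig carries no ciphers/protocols, so the TLS engine's defaults apply.
ORIGINAL_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https">
      <SSLHostConfig disableSessionTickets="true">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Same connector with an explicit allowlist: only TLS 1.2 and two AES-GCM
# suites are offered, and the server's preference order wins over the client's.
HARDENED_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https">
      <SSLHostConfig disableSessionTickets="true"
                     protocols="TLSv1.2"
                     honorCipherOrder="true"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def check_host(host, tag):
    """Findings for one <SSLHostConfig>. Only explicit suite names are judged;
    OpenSSL keyword groups such as HIGH are not expanded by this script."""
    findings = []
    ciphers = host.get("ciphers")
    if ciphers is None:
        findings.append(f"{tag}: no 'ciphers' attribute, engine default list applies")
    else:
        for suite in re.split(r"[,:]", ciphers):
            suite = suite.strip()
            if not suite or suite.startswith("!"):  # "!3DES" is an exclusion, not a suite
                continue
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"{tag}: weak suite enabled: {suite}")
    protocols = host.get("protocols", "all")
    enabled = {p.strip().lstrip("+") for p in protocols.split(",")
               if p.strip() and not p.strip().startswith("-")}
    if "all" in enabled or not enabled <= STRONG_PROTOCOLS:
        findings.append(f"{tag}: protocols='{protocols}' allows more than TLS 1.2/1.3")
    if host.get("honorCipherOrder", "false").lower() != "true":
        findings.append(f"{tag}: honorCipherOrder not true, client picks the suite")
    return findings


def audit(server_xml):
    """Return findings for every SSL-enabled <Connector>; an empty list means clean."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            findings.append(f"port {port}: SSLEnabled but no <SSLHostConfig>")
        for host in hosts:
            tag = f"port {port} [{host.get('hostName', '_default_')}]"
            findings.extend(check_host(host, tag))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("original", ORIGINAL_XML), ("hardened", HARDENED_XML)):
        print(f"== {label} ==")
        for finding in audit(xml_text) or ["no findings"]:
            print(" ", finding)
```

Run it against a real server.xml by passing the file contents to `audit()`. Two caveats: with no `ciphers` attribute the script only reports that engine defaults apply, because whether 3DES is actually offered depends on which engine is in use (the Java 8 JSSE build, or OpenSSL through tomcat-native, which the posted `AprLifecycleListener SSLEngine="on"` enables when the native library is present); and Tomcat also accepts OpenSSL-syntax strings such as `HIGH:!aNULL:!3DES`, which this script does not expand, so use explicit JSSE names if you want it to judge every suite. After restarting Tomcat, confirm the change from the outside by rescanning, or with `openssl s_client -connect host:443 -cipher DES-CBC3-SHA`, which should now fail to complete a handshake.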