How to disable 3DES and weak ciphers in Tomcat 8.5.15

Discussion in 'Apache' started by platetripn, Dec 21, 2018.

  1. #1
    Hello,

    I am being pinged by our security folks on scans stating that we still use 3DES ciphers. This system is running on a Windows Server. I have tried several different ways to add ciphers and lists of weak ciphers, but when I run a scan I still show them being weak. I want to know where in the connector settings I put the ciphers and what other options are needed to block weak ciphers. I appreciate any help you can give. Here is a copy of our scrubbed server.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8005" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
      <!-- Security listener. Documentation at /docs/config/listeners.html
      <Listener className="org.apache.catalina.security.SecurityListener" />
      -->
      <!--APR library loader. Documentation at /docs/apr.html -->
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      <!-- Prevent memory leaks due to use of particular java/javax APIs-->
      <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
      <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

      <!-- A "Service" is a collection of one or more "Connectors" that share
           a single "Container" Note: A "Service" is not itself a "Container",
           so you may not define subcomponents such as "Valves" at this level.
           Documentation at /docs/config/service.html
      -->
      <Service name="XXXXXXXXXXXXXXXXXXXXXXXXX">
        <Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
                   port="80"
                   protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="443" />
        <Connector address="XXXXXXXXXXXXXXXXXXXXXXXXX"
                   port="443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="800"
                   minSpareThreads="80"
                   maxSpareThreads="160"
                   SSLEnabled="true"
                   secure="true"
                   scheme="https"
                   compression="off"
                   compressableMimeType="text/html,text/xml,text/plain">
          <!-- Authentication settings (below) -->
          <SSLHostConfig disableSessionTickets="true">
            <!-- SSL certificate settings (below) -->
            <Certificate certificateKeystoreFile="XXXXXXXXXXXXXXXXXXXXXXXXX"
                         certificateKeystorePassword="XXXXXXXXXXXXXXXXXXXXXXXXX"
                         certificateKeyAlias="XXXXXXXXXXXXXXXXXXXXXXXXX"
                         type="RSA" />
          </SSLHostConfig>
        </Connector>

        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

        <Engine name="Catalina" defaultHost="XXXXXXXXXXXXXXXXXXXXXXXXX">
          <Host name="XXXXXXXXXXXXXXXXXXXXXXXXX"
                appBase="XXXXXXXXXXXXXXXXXXXXXXXXX"
                unpackWARs="true"
                autoDeploy="true">
            <Valve className="org.apache.catalina.valves.AccessLogValve"
                   directory="logs"
                   prefix="XXXXXXXXXXXXXXXXXXXXXXXXX"
                   suffix=".txt"
                   pattern="common" />
            <Context path="/XXXXXXXXXXXXXXXXXXXXXXXXX"
                     docBase="XXXXXXXXXXXXXXXXXXXXXXXXX" />
          </Host>
        </Engine>
      </Service>
    </Server>
     
    platetripn, Dec 21, 2018 IP
  2. RoseHosting

  3. platetripn

    #3
    I have looked at this link before. I am running Tomcat 8.5.15 and Java 8. If I input that list of ciphers does it mean that those are the stronger ciphers or a list of the weak ciphers that the site shouldn't use?

    There needs to be a much easier way to harden a site in Tomcat.
     
    platetripn, Dec 27, 2018 IP
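An added example, not code from the thread or from Tomcat itself, answering the two questions above: in Tomcat 8.5 the SSLHostConfig ciphers attribute is an allow-list (only the ciphers it names are offered), and protocols pins the TLS versions, so both belong on the SSLHostConfig under the port 443 Connector. The script embeds a constructed hardened fragment (the cipher list, keystore path and password are placeholders; protocols, ciphers, honorCipherOrder and disableSessionTickets are real Tomcat 8.5 attributes) and a hypothetical audit_ssl_host_configs helper that flags any server.xml connector still permitting 3DES, RC4, legacy protocols, or an OpenSSL alias such as HIGH without an explicit !3DES.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the thread's server.xml: an HTTPS connector whose
# SSLHostConfig pins TLSv1.2 and gives an explicit cipher allow-list. The
# attributes are real Tomcat 8.5 ones; keystore path/password are placeholders.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https">
      <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                     disableSessionTickets="true"
                     ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!3DES:!RC4:!MD5">
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER.jks"
                     certificateKeystorePassword="PLACEHOLDER" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""
LEGACY_PROTOCOLS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("3DES", "DES-CBC3", "_DES_", "RC4", "MD5", "NULL", "EXPORT")
OPENSSL_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT"}

def audit_ssl_host_configs(server_xml: str) -> list:
    """Return one finding string per weakness in each SSLEnabled connector."""
    findings = []
    for conn in ET.fromstring(server_xml.encode()).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for host in conn.findall("SSLHostConfig"):
            for p in host.get("protocols", "all").split(","):
                if p.strip() in LEGACY_PROTOCOLS:
                    findings.append(f"port {port}: protocols permits {p.strip()}")
            ciphers = host.get("ciphers")
            if ciphers is None:
                findings.append(f"port {port}: no ciphers attribute, default list applies")
                continue
            tokens = [t.strip() for t in ciphers.replace(",", ":").split(":") if t.strip()]
            excluded = {t.lstrip("!-").upper() for t in tokens if t[0] in "!-"}
            for t in tokens:
                if t[0] in "!-":
                    continue  # an exclusion never enables a cipher
                if any(m in t.upper() for m in WEAK_MARKERS):
                    findings.append(f"port {port}: weak cipher enabled: {t}")
                elif t.upper() in OPENSSL_ALIASES and "3DES" not in excluded:
                    # OpenSSL 1.0.x files DES-CBC3-SHA under HIGH: exclude it by name
                    findings.append(f"port {port}: alias {t} used without !3DES")
    return findings
```

The audit only reads the file; after restarting Tomcat, re-run the external scan to confirm what the JVM actually negotiates.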