Search code examples
tomcatembedded-tomcat-7embedded-tomcat-8deepsecurity

Disable Weak Ciphers Tomcat Embedded


I'm using Trend Micro Deep Security as part of a PCI DSS environment. The problem is that the SSL certificate uses a weak cipher:

The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).

The application uses a version of tomcat embedded and I'm looking for a way to disable the weak ciphers. I believe https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html is what I need to do, however I can't find any details on how to do this with the embedded verison?


Solution

  • Basics of customizing embedded Tomcat are shown in eg. Running A Spring Boot App (Embedded Tomcat) with SSL and Unencrypted Simultaneously

    To configure permitted ciphers, add something like this:

    SSLHostConfig[] sslHostConfigs = connector.findSslHostConfigs();
    sslHostConfigs[0].setProtocols("TLSv1.2, TLSv1.1, TLSv1");
    sslHostConfigs[0].setCiphers("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256");
    

    Or for Tomcat versions older than 8.5:

    NioEndpoint endpoint = protocol.getEndpoint();
    endpoint.setSslEnabledProtocols(...);
    endpoint.setCiphers(...);