How to control the SSL ciphers available to Tomcat
I figured it out. The comma-separated list of ciphers is whitespace sensitive, i.e. the culprit is the space character after the comma.
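The same connector with the list written the way the answer describes, as an added example rather than the poster's own server.xml (the Tomcat 6 path is kept from the question; the keystore password is a placeholder):

```xml
<!-- Fixed: every separator is a bare comma with no space after it. With a JSSE
     connector (Http11NioProtocol) each token must be an exact JSSE suite name,
     so a token such as " SSL_RSA_WITH_RC4_128_SHA" (leading space) is what
     produced "Unsupported ciphersuite". -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="C:\Programs\apache-tomcat-6.0.33\keystore"
           keystorePass="changeit"/>
```

The list itself is the one from the question. Note that it still contains RC4 and 3DES suites; a present-day hardening pass would drop those entries too, which for this list leaves only the AES_128_CBC suites. Whatever list you settle on, confirm it from outside Tomcat rather than trusting the configuration: `openssl s_client -connect host:8443 -cipher RC4-SHA` should fail to complete the handshake once RC4 is really gone.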
Author: Mike. Updated on June 05, 2022.
Comments
- Mike, almost 2 years ago:
I'm unable to disable weak SSL ciphers in Tomcat as documented in many places, e.g. http://www.techstacks.com/howto/secure-ssl-in-tomcat.html.
Currently, my connector looks as follows:

```xml
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Programs\apache-tomcat-6.0.33\keystore" keystorePass="nn"/>
```
When I attempt a connection (using IE or ssldigger) I get the following error in Tomcat:

```
java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_RC4_128_SHA
    at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(Unknown Source)
    at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source)
    at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1141)
    at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1096)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1315)
    at java.lang.Thread.run(Unknown Source)
```
Incidentally, I removed the unsupported ciphers (almost one by one) and the only one I was left with that seems to be supported is SSL_RSA_WITH_RC4_128_MD5.
Also, I'm assuming that an unsupported cipher is not related to Tomcat's specific key pair but more generally to the broadly available ciphers.
What is wrong here?
- Tharun, over 5 years ago: If the cipher suite is specified in OpenSSL notation, then a colon (:) is to be used as the separator; the APR connector uses OpenSSL. Otherwise it's a comma (,).
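A check that catches both points made in the thread before Tomcat does (the answer's stray whitespace in a JSSE `ciphers` list, and Tharun's note that an APR/OpenSSL list is colon-separated) is a small linter over server.xml. This is an added example, not code from the question or from Tomcat: it assumes that a connector carrying `SSLCipherSuite` or using an `Apr` protocol is in OpenSSL notation and every other SSL-enabled connector is JSSE, and it flags suite names a hardening pass would remove (RC4, DES/3DES, NULL, export-grade, MD5, anonymous). The sample server.xml, ports and key paths are constructed for the example.

```python
"""Lint the cipher-list attribute of Tomcat <Connector> elements (added example)."""
import re
import xml.etree.ElementTree as ET

# JSSE suite names look like TLS_RSA_WITH_AES_128_CBC_SHA; OpenSSL names look
# like ECDHE-RSA-AES128-GCM-SHA256 or keywords such as HIGH and !aNULL.
JSSE_NAME = re.compile(r"^(SSL|TLS)_[A-Z0-9_]+$")
OPENSSL_NAME = re.compile(r"^[!+-]?[A-Za-z0-9-]+$")

# Substrings (in either notation) of suites a hardening exercise would drop.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "DES-", "NULL", "EXPORT", "EXP-",
                "MD5", "anon", "ADH", "AECDH")

# Constructed sample server.xml: connector 1 is the question's list with a
# space after each comma, 2 is an APR connector with a stray space after the
# colon, 3 is a correct JSSE list, 4 is plain HTTP and must be skipped.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="conf/keystore" keystorePass="changeit"/>
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8444"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256: AES128-SHA"
               SSLCertificateFile="conf/cert.pem" SSLCertificateKeyFile="conf/key.pem"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8445"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def lint_cipher_list(value, sep):
    """Return (normalized_value, had_whitespace, bad_names, weak_names).

    had_whitespace is True when any token carried leading or trailing
    whitespace, which is exactly what made JSSE raise "Unsupported ciphersuite".
    bad_names are tokens that do not even look like a suite in this notation.
    """
    raw = value.split(sep)
    tokens = [t.strip() for t in raw]
    had_whitespace = any(t != r for t, r in zip(tokens, raw))
    pattern = JSSE_NAME if sep == "," else OPENSSL_NAME
    bad_names = [t for t in tokens if not pattern.match(t)]
    weak = [t for t in tokens if any(m in t for m in WEAK_MARKERS)]
    return sep.join(tokens), had_whitespace, bad_names, weak


def lint_server_xml(xml_text):
    """Walk every SSL-enabled Connector and lint its cipher attribute."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocol = conn.get("protocol", "")
        # Assumed routing: APR connectors take OpenSSL syntax in SSLCipherSuite
        # (colon-separated); JSSE connectors take JSSE names in ciphers (commas).
        if "SSLCipherSuite" in conn.attrib or "Apr" in protocol:
            attr, sep = "SSLCipherSuite", ":"
        else:
            attr, sep = "ciphers", ","
        value = conn.get(attr)
        if value is None:
            continue  # no explicit list: the JVM/OpenSSL default applies
        normalized, ws, bad, weak = lint_cipher_list(value, sep)
        findings.append({"port": conn.get("port"), "attr": attr, "sep": sep,
                         "whitespace": ws, "normalized": normalized,
                         "bad_names": bad, "weak": weak})
    return findings


if __name__ == "__main__":
    for f in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"port {f['port']} ({f['attr']}, separator {f['sep']!r})")
        if f["whitespace"]:
            print(f"  whitespace around separators; use: {f['attr']}=\"{f['normalized']}\"")
        if f["bad_names"]:
            print(f"  not suite names in this notation: {f['bad_names']}")
        if f["weak"]:
            print(f"  weak suites still enabled: {f['weak']}")
```

Run it against a real server.xml by replacing the constructed sample with the file's contents. On the sample it reports the 8443 connector for whitespace and for two RC4 suites, the 8444 connector for whitespace only, and nothing for 8445; the "normalized" value is the attribute you paste back.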