1

I'm using Trend Micro Deep Security as part of a PCI DSS environment. The problem is that the SSL certificate uses a weak cipher:

The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).

The application uses a version of tomcat embedded and I'm looking for a way to disable the weak ciphers. I believe https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html is what I need to do, however I can't find any details on how to do this with the embedded verison?

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
markpirvine
  • 1,485
  • 1
  • 23
  • 54

1 Answers1

0

Basics of customizing embedded Tomcat are shown in eg. Running A Spring Boot App (Embedded Tomcat) with SSL and Unencrypted Simultaneously

To configure permitted ciphers, add something like this:

SSLHostConfig[] sslHostConfigs = connector.findSslHostConfigs();
sslHostConfigs[0].setProtocols("TLSv1.2, TLSv1.1, TLSv1");
sslHostConfigs[0].setCiphers("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256");

Or for Tomcat versions older than 8.5:

NioEndpoint endpoint = protocol.getEndpoint();
endpoint.setSslEnabledProtocols(...);
endpoint.setCiphers(...);
Samuli Pahaoja
  • 2,660
  • 3
  • 24
  • 32