Posted on 04-17-2009 12:19 AM
Hi-
I'm getting ready to take my JSS into production and there's 1 remaining issue our ITSEC team would like cleared up, if possible, and that's the use of SSL weak ciphers. Anyone skilled at disabling these? SSL's where I'm a bit weak.
Thanks
j
---
Jared F. Nichols
Desktop Engineer, Infrastructure and Operations
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
Posted on 04-17-2009 12:43 AM
Actually, I figured it out... My problem was I was trying to do it in Apache, not Tomcat...duh.
Add the following into your connector definition for the SSL connection (in /Library/Tomcat/conf/server.xml):
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Basically, you're restricting the SSL connections to use higher strength ciphers. Restarted Tomcat, works great.
j
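A way to check the result of a change like the one above, as an added example that is not part of the original posts: it parses a Tomcat `server.xml`, finds the TLS connectors, and reports which suites in each `ciphers` attribute match a deny-list. The deny-list tokens, the sample XML and the function names are assumptions of this example; RC4, MD5 and 3DES are included because they have been deprecated for TLS since this thread was written.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the poster's actual file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA" />
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>"""

# Assumed deny-list: name components of JSSE suite names treated as weak.
WEAK_TOKENS = {"NULL", "EXPORT", "anon", "DES", "DES40", "3DES",
               "RC2", "RC4", "MD5"}


def weak_reasons(suite):
    """Return the deny-listed components found in one suite name."""
    return sorted(set(suite.split("_")) & WEAK_TOKENS)


def audit_connectors(xml_text):
    """Report, per TLS connector, the explicit cipher list and weak entries."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        is_tls = (conn.get("SSLEnabled", "").lower() == "true"
                  or conn.get("scheme", "").lower() == "https")
        if not is_tls:
            continue
        raw = conn.get("ciphers")
        if raw is None:
            # No explicit list: the Tomcat/JVM defaults for that version apply.
            findings.append({"port": conn.get("port"), "explicit": False,
                             "suites": [], "weak": {}})
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        weak = {s: weak_reasons(s) for s in suites if weak_reasons(s)}
        findings.append({"port": conn.get("port"), "explicit": True,
                         "suites": suites, "weak": weak})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f["port"], "explicit" if f["explicit"] else "defaults", f["weak"])
```

To audit a real installation, pass the contents of the `server.xml` file to `audit_connectors` in place of the sample string.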