Weak SSL ciphers

jarednichols
Honored Contributor

Hi-

I'm getting ready to take my JSS to production and there's 1 remaining issue our ITSEC team would like cleared up, if possible, and that's the use of SSL weak ciphers. Anyone skilled at disabling these? SSL's where I'm a bit weak.

Thanks
j
---
Jared F. Nichols
Desktop Engineer, Infrastructure and Operations
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

1 REPLY

jarednichols
Honored Contributor

Actually, I figured it out... My problem was I was trying to do it in Apache, not Tomcat...duh.
Add the following into your connector definition for the SSL connection (in /Library/Tomcat/conf/server.xml):

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Basically, you're restricting the SSL connections to use higher strength ciphers. Restarted Tomcat, works great.

j
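
An added example, not part of the original post and not Jamf or Tomcat code: a Python check that reads the `ciphers` attribute of each TLS connector in a `server.xml` and reports suites built on RC4, 3DES, single DES, MD5, export-grade keys or anonymous key exchange. The sample XML, its port numbers and the deny-list are constructed assumptions; it only inspects the `Connector` attribute used in the post, so adjust both to your own file and policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector described in the post;
# ports and the other attributes are assumptions, not the poster's file.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

# Deny-list keyed on name components (an assumption; align with your policy).
WEAK_TOKENS = {
    "NULL": "no encryption",
    "anon": "unauthenticated key exchange",
    "EXPORT": "export-grade key size",
    "DES": "single DES",
    "RC4": "RC4 (prohibited by RFC 7465)",
    "3DES": "64-bit block cipher (Sweet32)",
    "MD5": "MD5 MAC",
}

def weak_reasons(cipher):
    # Match whole underscore-separated tokens so "DES" does not hit "3DES".
    tokens = cipher.split("_")
    return [why for tok, why in WEAK_TOKENS.items() if tok in tokens]

def audit_server_xml(xml_text):
    """Return (port, cipher, reasons) for every weak suite on a TLS connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not (conn.get("SSLEnabled", "").lower() == "true"
                or conn.get("scheme") == "https"):
            continue  # plain HTTP/AJP connector, nothing to audit
        port, raw = conn.get("port", "?"), conn.get("ciphers")
        if raw is None:
            findings.append((port, None, ["no ciphers attribute; JVM defaults apply"]))
            continue
        for cipher in (c.strip() for c in raw.split(",")):
            reasons = weak_reasons(cipher)
            if reasons:
                findings.append((port, cipher, reasons))
    return findings

if __name__ == "__main__":
    for port, cipher, reasons in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"connector {port}: {cipher or '(unset)'} -> {'; '.join(reasons)}")
```

Running it against a copy of the live file before and after a change shows which suites on each TLS connector still fall under the deny-list.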