I'm unable to disable weak SSL ciphers in Tomcat as documented in many places e.g. http://www.techstacks.com/howto/secure-ssl-in-tomcat.html.
Currently, my connector looks as follows:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Programs\apache-tomcat-6.0.33\keystore" keystorePass="nn"/>
When I attempt a connection (using IE or ssldigger), I get the following error in Tomcat:
java.lang.IllegalArgumentException: Unsupported ciphersuite SSL_RSA_WITH_RC4_128_SHA
at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(Unknown Source)
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(Unknown Source)
at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1141)
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1096)
at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1315)
at java.lang.Thread.run(Unknown Source)
Incidentally, I removed the unsupported ciphers (almost one by one), and the only one I was left with that seems to be supported is SSL_RSA_WITH_RC4_128_MD5.
Also, I'm assuming that an unsupported cipher is not related to Tomcat's specific key pair but more generally to the broadly available ciphers.
What is wrong here?
Right-click SSL Cipher Suites box and select Select all from the pop-up menu. Right-click the selected text, and select copy from the pop-up menu. Paste the text into a text editor such as notepad.exe and update with the new cipher suite order list.
Disable RC4/DES/3DES cipher suites in Windows using registry, GPO, or local security settings. You can do this using GPO or Local security policy under Computer configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order. Set this policy to enable.
I figured it out. The comma-separated list of ciphers is whitespace-sensitive, i.e. the culprit is the space character after the comma.
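To make the accepted answer concrete, here is an added example (not code from the question, the answer, or the Tomcat project) that audits the `ciphers` attribute of SSL-enabled Connectors in a server.xml: it reports the tokens that carry leading or trailing whitespace, which is exactly what JSSE rejected in the stack trace above, flags suites that a defender would normally want disabled (RC4, DES/3DES, MD5, NULL, EXPORT, anonymous), and produces a cleaned, space-free list. The server.xml fragment, the keystore path and password, and the list of "weak" substrings are all assumptions constructed for this example; the retained suites are simply the ones that did not match those markers, not a recommended configuration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the connector in the question.
# The keystore path and password are placeholders, not real values.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore" keystorePass="changeit"/>
  </Service>
</Server>
"""

# Substrings that mark a suite as weak for this audit (an assumption of this
# example): RC4 stream cipher, DES/3DES block ciphers, MD5 MAC, and
# NULL/EXPORT/anonymous suites.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "MD5", "NULL", "EXPORT", "anon")


def parse_cipher_attribute(value):
    """Split a Tomcat `ciphers` attribute into bare suite names.

    The answer above reports that the list is whitespace-sensitive, so the
    cleaned form must have no spaces around the commas. Empty tokens
    (e.g. from a trailing comma) are dropped.
    """
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def tokens_with_whitespace(value):
    """Return the raw comma-separated tokens that carry leading or trailing
    whitespace, i.e. the ones that would be handed to JSSE as unknown names."""
    return [tok for tok in value.split(",") if tok != tok.strip()]


def is_weak(suite):
    """True if the suite name contains any of the weak-cipher markers."""
    return any(marker in suite for marker in WEAK_MARKERS)


def audit_connectors(xml_text):
    """Audit every SSL-enabled <Connector> and return one finding per connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = conn.get("ciphers", "")
        suites = parse_cipher_attribute(raw)
        findings.append({
            "port": conn.get("port"),
            "suites": suites,
            "whitespace_tokens": tokens_with_whitespace(raw),
            "weak": [s for s in suites if is_weak(s)],
            # Space-free list with the weak suites removed, ready to paste
            # back into the ciphers="..." attribute.
            "normalized": ",".join(s for s in suites if not is_weak(s)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SERVER_XML):
        print("Connector on port", f["port"])
        print("  tokens with stray whitespace:", f["whitespace_tokens"])
        print("  weak suites:", f["weak"])
        print("  cleaned ciphers attribute:", f["normalized"])
```

Running the script against a real server.xml only requires replacing `SERVER_XML` with the file's contents; the `normalized` value is what goes back into the connector, and a non-empty `whitespace_tokens` list is the configuration error the question ran into.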