Tomcat SSL Tips

With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door on this issue. What better way to do that than by having the Qualys SSL Labs tool assign an arbitrary letter grade to my servers?

Looking at an Apache Tomcat 8 server, I started with a C letter grade: vulnerable to POODLE, and Forward Secrecy not supported.

SSL Labs Starting Score

So I disabled SSLv3 /* goodbye Internet Explorer 6 users */ to close the POODLE vulnerability, and then gave Tomcat an explicit list of ciphers rather than relying on its defaults. Below is the SSL section of my conf/server.xml.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA" />

After making these configuration changes I was able to raise the score to an A-, changing it from a sad red to a happy green. I was also able to improve the cipher strength score; however, I could not get Forward Secrecy working with the SSL Labs reference browsers, which held the score at an A-. I tried messing with the ciphers a little more, but I could only get Forward Secrecy at the cost of compatibility with several modern browsers. CLOSE ENOUGH.
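Since SSL Labs only tells you the grade after the server is up and reachable from the Internet, it helps to have a static check you can run against conf/server.xml before a restart. The script below is an added example, not code from the original post or from the Tomcat project: it parses server.xml, finds every Connector with SSLEnabled="true", and reports the things SSL Labs penalised above (SSLv3 or an unset sslEnabledProtocols, no forward-secrecy suites, and individual weak suites such as RC4). The embedded sample server.xml is constructed for the example; its first connector is a stock Tomcat 8 HTTPS connector that relies on JVM defaults, and its second is the hardened connector from this post. Note that the hardened list still contains TLS_ECDHE_RSA_WITH_RC4_128_SHA, which the check flags: keeping RC4 for compatibility is a trade-off, not a free choice.

```python
"""Static audit of the SSL/TLS settings on Tomcat <Connector> elements.

Added example (not from the original post or the Tomcat project): reads a
server.xml, locates SSL-enabled connectors and reports protocol and cipher
problems that SSL Labs would flag. The sample server.xml at the bottom is
constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

# Protocol names that must never be enabled (POODLE needs SSLv3).
BAD_PROTOCOLS = {"SSLv2", "SSLv3"}

# Substrings of a JSSE cipher-suite name that mark the suite as weak.
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT",
                       "_anon_", "_MD5")


def split_list(value):
    """Split a comma-separated Tomcat attribute value; whitespace and line
    breaks inside the ciphers attribute are tolerated, as Tomcat itself does."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_forward_secret(suite):
    """Ephemeral (EC)DH key exchange is what gives a suite forward secrecy."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def audit_connector(conn):
    """Return a list of finding strings for one SSL-enabled Connector element."""
    findings = []
    protocols_attr = conn.get("sslEnabledProtocols")
    if protocols_attr is None:
        findings.append("sslEnabledProtocols not set: JVM defaults apply "
                        "(Java 7 enabled SSLv3 by default before 7u75)")
    else:
        for proto in split_list(protocols_attr):
            if proto in BAD_PROTOCOLS:
                findings.append(f"{proto} enabled")

    ciphers_attr = conn.get("ciphers")
    if ciphers_attr is None:
        findings.append("ciphers not set: JVM default cipher list applies")
        return findings

    ciphers = split_list(ciphers_attr)
    for suite in ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher {suite}")
    if not any(is_forward_secret(suite) for suite in ciphers):
        findings.append("no forward-secrecy (ECDHE/DHE) suites")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector (keyed by its port) to its findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        report[conn.get("port")] = audit_connector(conn)
    return report


# Constructed sample: a stock Tomcat 8 HTTPS connector on 8443 that relies on
# JVM defaults, plus the hardened connector from the post on 443.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_CBC_SHA" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Usage: python tomcat_ssl_audit.py [path/to/server.xml]
    # With no argument the constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    for port, findings in audit_server_xml(xml_text).items():
        print(f"Connector port {port}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample, port 8443 is reported for relying on JVM defaults for both protocols and ciphers, and port 443 gets a single finding for the RC4 suite. One caveat the check cannot see: JSSE honours the client's cipher preference unless the server is told otherwise, so listing the ECDHE suites first in server.xml does not by itself make browsers pick them. Tomcat 8.0.21 and later, running on Java 8, add useServerCipherSuitesOrder="true" for exactly that.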

SSL Labs After
