Tomcat SSL Tips

With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the Qualys SSL Labs tool. From here I came up with a list of Tomcat SSL tips to help you improve your letter grade too.

Looking at an Apache Tomcat 8 server I started with a C letter grade. Vulnerable to POODLE and Forward Secrecy not supported.

SSL Labs Starting Score

So I disabled SSLv3 /* goodbye Internet Explorer 6 users */ to close the POODLE vulnerability. And then I provided a list of Cyphers to Tomcat rather than relying on it’s defaults. Below is my conf/server.xml configuration for SSL.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="false"

After applying these Tomcat SSL tips I was able to raise the score to an A-. Changing it from a sad red to a happy green. I was also able to improve the cypher strength score, however, I was not able to get Forward Secrecy available in the reference browsers which reduced the score to an A-. I tried messing with the cyphers a little more but I could only get Forward Secrecy at the cost of compatibility with several modern browsers. CLOSE ENOUGH.

SSL Labs After

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: