Tomcat SSL Tips
October 21, 2014 - Web Servers
With POODLE being in the news recently, I decided it would be a good idea to look at my overall SSL configuration while closing the door to this issue. What better way to do that than by arbitrarily assigning a letter grade to my servers with the Qualys SSL Labs tool? From here I came up with a list of Tomcat SSL tips to help you improve your letter grade too.
Looking at an Apache Tomcat 8 server, I started with a C letter grade: vulnerable to POODLE, and Forward Secrecy not supported.
So I disabled SSLv3 /* goodbye Internet Explorer 6 users */ to close the POODLE vulnerability. Then I provided a list of ciphers to Tomcat rather than relying on its defaults. Below is my conf/server.xml configuration for SSL.
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA" />
After applying these Tomcat SSL tips I was able to raise the score to an A-, changing it from a sad red to a happy green. I was also able to improve the cipher strength score; however, I was not able to get Forward Secrecy available in the reference browsers, which reduced the score to an A-. I tried messing with the ciphers a little more, but I could only get Forward Secrecy at the cost of compatibility with several modern browsers. CLOSE ENOUGH.
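An offline check of the same settings, as an added example that is not part of the original post: it parses a server.xml and reports, for each SSL-enabled Connector, any legacy protocols, weak suites, and suites without forward secrecy. The function names, the marker lists, and the minimal server.xml skeleton around the Connector are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the Connector from this post inside a minimal server.xml skeleton.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
  sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA" />
</Service></Server>"""

OLD_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}            # SSLv3 is what POODLE targets
WEAK_MARKERS = ("_RC4_", "_NULL_", "_EXPORT_", "_DES_", "_anon_")
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")                    # ephemeral key exchange

def _csv(value):
    """Split a comma-separated attribute, tolerating spaces and line breaks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def audit_server_xml(xml_text):
    """Return one report dict per SSL-enabled <Connector>."""
    reports = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocols, ciphers = _csv(conn.get("sslEnabledProtocols")), _csv(conn.get("ciphers"))
        findings = []
        if not protocols:
            findings.append("sslEnabledProtocols unset: JVM defaults decide whether SSLv3 is on")
        findings += [f"legacy protocol enabled: {p}" for p in protocols if p in OLD_PROTOCOLS]
        if not ciphers:
            findings.append("ciphers unset: Tomcat/JVM default suites are used")
        findings += [f"weak cipher: {c}" for c in ciphers if any(m in c for m in WEAK_MARKERS)]
        static = [c for c in ciphers if not c.startswith(FS_PREFIXES)]
        if static:
            findings.append(f"{len(static)} suite(s) without forward secrecy")
        reports.append({"port": conn.get("port"), "protocols": protocols,
                        "forward_secret": [c for c in ciphers if c.startswith(FS_PREFIXES)],
                        "static_key_exchange": static, "findings": findings})
    return reports

if __name__ == "__main__":
    for report in audit_server_xml(SERVER_XML):
        print(f"Connector :{report['port']} protocols={report['protocols']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the configuration above, it reports the RC4 suite and the four static-RSA suites, which a client can still negotiate without forward secrecy.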