I am trying to change the ciphers that my Tomcat 7 server supports. I am using the APR connector. Here's the connector information in server.xml with the line saying which ciphers to support:
    <Connector port="8443" executor="edgeExecutor" maxHttpHeaderSize="32768"
               enableLookups="false" disableUploadTimeout="true"
               connectionTimeout="3000" socketBuffer="122880"
               maxKeepAliveRequests="1" scheme="https" secure="true"
               SSLProtocol="TLSv1" SSLEnabled="true"
               SSLCertificateFile="/etc/tomcat/star_mydomain_com.crt"
               SSLCertificateKeyFile="/etc/tomcat/star_mydomain_com.key"
               SSLCACertificateFile="/etc/tomcat/DigiCertCA.crt" />
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256"

I shut down and started Tomcat back up. When I scan this server using NMAP and a script that enumerates all of the SSL ciphers, I get this result:

    $ nmap --script ssl-enum-ciphers -p 443 qa-data.mydomain.com

    Starting Nmap 6.40 ( http://nmap.org ) at 2015-03-02 14:30 PST
    Nmap scan report for qa-data.mydomain.com (X.XX.XX.XX)
    Host is up (0.019s latency).
    rDNS record for X.XX.XX.XX: d.mydomain.com
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   SSLv3: No supported ciphers found
    |   TLSv1.0:
    |     ciphers:
    |       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
    |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_DES_CBC_SHA - weak
    |       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
    |       TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA - broken
    |       TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 - broken
    |       TLS_DH_anon_WITH_3DES_EDE_CBC_SHA - broken
    |       TLS_DH_anon_WITH_AES_128_CBC_SHA - broken
    |       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
    |       TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - broken
    |       TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - broken
    |       TLS_DH_anon_WITH_DES_CBC_SHA - broken
    |       TLS_DH_anon_WITH_RC4_128_MD5 - broken
    |       TLS_DH_anon_WITH_SEED_CBC_SHA - broken
    |       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
    |       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 - weak
    |       TLS_RSA_EXPORT_WITH_RC4_40_MD5 - weak
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_DES_CBC_SHA - weak
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_SEED_CBC_SHA - strong
    |     compressors:
    |       NULL
    |_  least strength: broken

    Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds

Why is it still supporting all of those other ciphers? I only told it to support one. Am I doing something wrong?

OS/version information:

    CentOS release 6.5 (Final)
    apr-1.3.9-5.el6_2.x86_64
    apr-devel-1.3.9-5.el6_2.x86_64
    apache-tomcat-7.0.32-ak.9.x86_64

(apparently our own custom RPM of Tomcat; could it be that an option was turned off that prevents changing the SSL cipher? How would I check?)

Thank you.
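Added example, not from the question or from Tomcat: a small Python checker that parses nmap's ssl-enum-ciphers output and reports every suite the server actually offers that the Connector's SSLCipherSuite did not ask for, plus any intended suite that is absent, so drift like the scan above is caught mechanically. The sample scan text is constructed from a subset of the output above; INTENDED is the IANA spelling of the one OpenSSL-style suite in the config.

```python
import re
from collections import Counter

# Constructed sample: a subset of the nmap 6.40 ssl-enum-ciphers output quoted in
# the question, in nmap's own layout (ratings are nmap's).
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - weak
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - broken
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|     compressors:
|       NULL
|_  least strength: broken
"""

# Intended policy: the single suite named in server.xml, in IANA notation.
# OpenSSL "ECDHE-RSA-AES128-GCM-SHA256" is IANA TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
INTENDED = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv[\d.]+):")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\w+)\s+-\s+(\w+)")

def parse_enum_ciphers(text):
    """Return {protocol: [(cipher, rating), ...]} from ssl-enum-ciphers script output."""
    offered, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:                      # protocol header, e.g. "|   TLSv1.0:"
            proto = m.group(1)
            offered.setdefault(proto, [])
            continue
        m = CIPHER_RE.match(line)  # cipher line, e.g. "|       TLS_... - weak"
        if m and proto:
            offered[proto].append((m.group(1), m.group(2)))
    return offered

def audit(offered, intended):
    """Compare what the server offers with the configured allowlist."""
    seen = {c for suites in offered.values() for c, _ in suites}
    unexpected = sorted(seen - intended)
    return {
        "unexpected": unexpected,                       # offered but not configured
        "missing": sorted(intended - seen),             # configured but never offered
        "anonymous": [c for c in unexpected if "_anon_" in c],  # no server auth at all
        "ratings": dict(Counter(r for s in offered.values() for _, r in s)),
    }
```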