You'll want to set the protocols, ciphers, and honorCipherOrder attributes
on either the Connector or the SSLHostConfig objects in your server.xml
file to restrict the available TLS/SSL protocols and ciphers and avoid
using weak ones.

See the documentation here for details:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

For example (please pick TLS levels and ciphers for your application --
this may not suit your requirements):

<Connector protocol="HTTP/1.1" port="80" redirectPort="443" />

<Connector port="443" defaultSSLHostConfigName="my-domain.com"
           scheme="https" secure="true" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11AprProtocol">
    <SSLHostConfig hostName="my-domain.com"
                   protocols="+TLSv1.3+TLSv1.2"
                   honorCipherOrder="true"
                   ciphers="HIGH:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA">
        <Certificate certificateKeyFile="conf/my_domain_com-ECC.private.key"
                     certificateFile="conf/my_domain_com-ECC.pem"
                     certificateChainFile="conf/my_domain_com-ECC.intermediate.pem"
                     type="EC" />
    </SSLHostConfig>
    <SSLHostConfig hostName="my-domain.com"
                   protocols="+TLSv1.3+TLSv1.2"
                   honorCipherOrder="true"
                   ciphers="HIGH:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA">
        <Certificate certificateKeyFile="conf/my_domain_com.private.key"
                     certificateFile="conf/my_domain_com.crt"
                     certificateChainFile="conf/my_domain_com.intermediate.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>


On Wed, Jan 6, 2021 at 6:34 PM James H. H. Lampert <jam...@touchtonecorp.com>
wrote:

> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in
> production is already doing things beyond my pay grade.
>
> --
> JHHL
>
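The reply above describes which server.xml attributes (protocols, honorCipherOrder, ciphers) govern the TLS policy Tomcat 8.5 will offer. A practitioner usually wants a quick offline check that a given server.xml actually restricts those the way the advice says, before the connector is exposed. The script below is an added example, not part of the mailing-list thread and not Tomcat project code. It parses a server.xml, expands the protocols attribute using the same "+", "-" and "," semantics Tomcat uses, and flags legacy protocol versions, a missing honorCipherOrder, and cipher-string tokens that positively select weak families. The expansion of the "all" token to the four TLS versions and the sample server.xml are assumptions constructed for the example; the exact default set depends on your Tomcat build and JSSE/OpenSSL provider.

```python
"""Offline lint of a Tomcat 8.5 server.xml for weak TLS settings.

Added example, not code from the mailing-list post or the Tomcat project.
It reads the Connector / SSLHostConfig attributes discussed in the thread
(protocols, honorCipherOrder, ciphers) and reports anything that would still
offer legacy protocol versions or weak cipher families to clients.
"""
import re
import xml.etree.ElementTree as ET

# Protocol versions a reviewer would flag (assumption: TLSv1.2+ only).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: what the "all" token (and an omitted protocols attribute)
# expands to on a Tomcat 8.5 build; confirm against your build's docs.
ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# OpenSSL cipher-string tokens that select weak families unless negated.
WEAK_CIPHER_TOKENS = re.compile(r"(RC4|DES|MD5|EXPORT|NULL)", re.I)


def parse_protocols(value):
    """Expand a Tomcat 'protocols' attribute into the set it enables.

    Tomcat splits on ',', '+' and '-' while keeping the separator, then adds
    or removes each token left to right; a bare ',' behaves like '+'.
    """
    enabled = set()
    for token in re.split(r"(?=[-+,])", value.strip()):
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "+-," else ("+", token)
        if not name:
            continue
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def weak_cipher_tokens(ciphers):
    """Return tokens of an OpenSSL-style cipher string that positively select
    a weak family, i.e. are not prefixed with '!' or '-'."""
    return [
        tok for tok in ciphers.split(":")
        if not tok.startswith(("!", "-")) and WEAK_CIPHER_TOKENS.search(tok)
    ]


def lint_server_xml(xml_text):
    """Return one finding string per problem, for every TLS endpoint."""
    findings = []
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        port = connector.get("port", "?")
        # Tomcat 8.5 takes TLS attributes either on nested SSLHostConfig
        # elements or, for the default host, directly on the Connector.
        endpoints = connector.findall("SSLHostConfig") or [connector]
        for ep in endpoints:
            label = f"port {port} host {ep.get('hostName', '_default_')}"
            legacy = sorted(parse_protocols(ep.get("protocols", "all")) & LEGACY_PROTOCOLS)
            if legacy:
                findings.append(f"{label}: legacy protocols enabled: {', '.join(legacy)}")
            if ep.get("honorCipherOrder", "false").lower() != "true":
                findings.append(f"{label}: honorCipherOrder not true, client picks the cipher")
            ciphers = ep.get("ciphers")
            if ciphers is None:
                findings.append(f"{label}: no explicit ciphers, relying on Tomcat's default list")
            for tok in weak_cipher_tokens(ciphers or ""):
                findings.append(f"{label}: cipher token '{tok}' selects a weak family")
    return findings


# Constructed sample server.xml: one hardened endpoint, one legacy endpoint.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               defaultSSLHostConfigName="good.example">
      <SSLHostConfig hostName="good.example" protocols="+TLSv1.3+TLSv1.2"
                     honorCipherOrder="true"
                     ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA">
        <Certificate certificateKeyFile="conf/good.key"
                     certificateFile="conf/good.crt" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               protocols="all-TLSv1.1" ciphers="HIGH:RC4-SHA:!aNULL"
               keystoreFile="conf/legacy.jks" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in lint_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real file with `lint_server_xml(open("conf/server.xml").read())`; the hardened 8443 connector in the sample produces no findings, while the 9443 connector is reported for still offering TLSv1, for leaving cipher selection to the client, and for the RC4-SHA token. The check is static: it tells you what the configuration asks for, not what the JSSE or OpenSSL provider on the box actually negotiates, so confirm the result against the running port as well.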