I ran an SSL scan utility on my Tomcat server and see it allows a lot of SSLv3 and RC4 ciphers along with a number of others. I'm told SSLv3 and RC4 are not allowed and that I should only be using TLS ciphers.
Adding registry keys has no effect. Modifying the server.xml file does. I figured out how to remove the SSLv3 entries. By adding the following to the SSL area of my server.xml file, all the SSLv3 entries do not show on the next scan:

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

Part of the problem with this is that a lot of other information about accepted SSL certificates disappears as well.

For removing the RC4 entries, I read posts mentioning adding in a ciphers line, so I added the following. It removed the RC4 entries but also a lot of other ciphers I didn't want removed.

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"

What is the correct updated information for the ciphers line, and maybe the sslEnabledProtocols as well? Thank you.
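As an added example that is not part of the original post, the Python script below parses a constructed server.xml (shaped like the connector described above, not the poster's actual file), reports which sslEnabledProtocols and ciphers entries break the stated policy, and then emits the same connector with only those entries dropped, so everything else the operator listed is kept. Two facts behind it: Tomcat's JSSE connector gets its TLS stack from the JVM, not from Windows SChannel registry keys, which is why the registry edits did nothing; and the ciphers attribute replaces the JVM's default suite list entirely, which is why an explicit list makes everything not on it disappear. The markers beyond SSLv3 and RC4 (NULL, EXPORT, anonymous, DES/3DES, MD5) and the fallback protocol string are my assumptions, not anything the post states.

```python
"""Audit a Tomcat server.xml SSL <Connector> for SSLv3/RC4 and emit hardened values.

Added example, not from the original post. It assumes a JSSE-based connector
(the default on Tomcat 7/8) configured with JSSE cipher suite names.
"""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the connector in the question; not the poster's real file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA" />
  </Service>
</Server>
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}
# The post's policy only bans SSLv3 and RC4; the remaining markers (NULL, export,
# anonymous, DES/3DES, MD5 suites) are assumed defaults and can be trimmed.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "_DES_", "3DES", "MD5", "anon")
FALLBACK_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"  # assumed default when nothing is configured


def split_list(value):
    """Split a comma-separated Tomcat attribute, tolerating spaces after commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_weak_cipher(name):
    return any(marker in name for marker in WEAK_CIPHER_MARKERS)


def ssl_connectors(root):
    return [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]


def audit_connector(conn):
    """Policy violations for one SSL-enabled <Connector> element."""
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    ciphers = split_list(conn.get("ciphers", ""))
    return {
        "port": conn.get("port"),
        "weak_protocols": [p for p in protocols if p in WEAK_PROTOCOLS],
        "weak_ciphers": [c for c in ciphers if is_weak_cipher(c)],
        # With no explicit list Tomcat enables the JVM's default suites, which on
        # older JVMs still include RC4, so the scanner keeps reporting them.
        "protocols_unset": not protocols,
        "ciphers_unset": not ciphers,
    }


def audit_server_xml(xml_text):
    return [audit_connector(c) for c in ssl_connectors(ET.fromstring(xml_text))]


def harden_connector(conn):
    """Drop only the offending entries; everything else the operator listed stays."""
    protocols = [p for p in split_list(conn.get("sslEnabledProtocols", ""))
                 if p not in WEAK_PROTOCOLS]
    ciphers = [c for c in split_list(conn.get("ciphers", "")) if not is_weak_cipher(c)]
    return ",".join(protocols) or FALLBACK_PROTOCOLS, ",".join(ciphers)


def harden_server_xml(xml_text):
    """Return the server.xml text with hardened attribute values on each SSL connector."""
    root = ET.fromstring(xml_text)
    for conn in ssl_connectors(root):
        protocols, ciphers = harden_connector(conn)
        conn.set("sslEnabledProtocols", protocols)
        if ciphers:  # an absent list stays absent; audit_connector() flags that case
            conn.set("ciphers", ciphers)
    return ET.tostring(root, encoding="unicode")


def unsupported_ciphers(configured, jvm_supported):
    """Configured names the JVM cannot honour, so they silently never get enabled.
    In Java the real supported list comes from
    SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()."""
    supported = set(jvm_supported)
    return [c for c in configured if c not in supported]


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
    print(harden_server_xml(SAMPLE_SERVER_XML))
```

Run it against a copy of the real server.xml by replacing SAMPLE_SERVER_XML with the file contents; rescan after restarting Tomcat, since the JVM only applies the attributes at connector start.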