collaboration@CANARIE

Log in

IDP Installer

The IDP Installer tool home
Sub-Group of CAF Tools

  • Blogs
  • IDP Installer
  • Configuring Acceptable Strength Webserver Cipher Suites To Avoid Logjam Problems

Configuring Acceptable Strength Webserver Cipher Suites To Avoid Logjam Problems

Mozilla's Firefox recent update for version 39.0 halts end users from connecting to websites at risk for the  Logjam vulnerability.  As browser makers take steps to protect users, sites need to examine security configurations closer than ever when it comes to TLS.

What follows is how to adjust the cipher suites for Tomcat 6 in it's server.xml configuration file which v2.1.1 and earlier versions of the CAF IdP Installers use.  Later builds of the installer are based on Jetty 9.2's default installation.  

Picking your Suites

Tomcat6's documentation show that tomcat allows ciphers to be specified in the connectors configuration.  By adding a directive into the Connector configuration in Tomcat for TLS connections we force the appropriate cipher suites and Firefox will connect as it had before, but with stronger ciphers for the encrypted TLS connection

The following cipher suites can be cut and pasted into the /etc/tomcat6/server.xml configuration in the Connector section:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

Cipher list origin(pre-editted one above): https://weakdh.org/sysadmin.html

Note that it needs to have no spaces between the commas for it to be properly used in the Connector XML block.

Once in place in the in the Connector sectino for port 7443(Tomcat uses 7443 via firewall redirection from port 443), restart the tomcat server for it to take effect (service tomcat6 restart).  Test the new configuration with Firefox version 39 and you should see your connection complete as it should but without the Logjam risk.

Sample connector config with the ciphers in place (careful, cut and paste from above, not here due to XML in an HTML editor): 

protocol="HTTP/1.1"

SSLEnabled="true"

maxThreads="150"

scheme="https"

secure="true"

clientAuth="false"

sslProtocol="TLS"

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

keystoreType="PKCS12"

keystoreFile="/opt/shibboleth-idp/credentials/https.p12"

keystorePass="suppressed"

truststoreFile="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/security/cacerts"

truststorePass="suppressed"

truststoreType="JKS"

/>

Observations

  • Cipher ordering
    • is not mentioned so is considered 'absent' from Tomcat6 unless a public documented link is reported in which case we'll update this section.
  • Modern, Intermediate, and Old cipher compatibility
    • Default from Mozilla is to work with 'Intermediate'.  While you may want to be 'modern' it's likely your install base will want to drag you downward to 'old'.  Keep in mind that Tomcat6 does no ordering so presence or absence in the list is your only mechanism to deal with this.  The list provided above is provided on an 'as-is' basis and if you feel a cipher should be included or removed, please contact me 

 Related Links

Comments

  • Chris Phillips 1050 days ago

    A tomcat user provided some feedback that they used this in their connector setting successfully as well (minus RC4 ciphers):

     

    Connector port="7443"
                    protocol="HTTP/1.1"
                    SSLEnabled="true"
                    maxThreads="150"
                    scheme="https"
                    secure="true"
                    clientAuth="false"
                    protocols="TLSv1, TLSv1.1, TLSv1.2"
                    keyAlias="tomcat"
                    keystoreFile="/opt/shibboleth-idp/credentials/idp-https.tks"
                    keystorePass="*Your Keystore Password*"
                    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"