Chrome indicates that Tomcat SSL URL allows an RSA (an obsolete key exchange)

Document ID : KB000125294
Last Modified Date : 29/01/2019
Question:
Is there a way to enforce Strong Protocol + Strong Key Exchange + Strong Ciphers ?
Answer:
1) Ensure CA SDM is configured to use the latest version of 32-bit Java 8 first. This invalidates obsolete key exchanges and enforces the use of strong key exchanges.
Note: 17.1 out of the box ships with JRE 1.8.0_112, and for some reason this build does not enforce strong key exchange. That is why upgrading to the latest Java 8 build helps here.

2) Ensure sslProtocol="TLSv1.2" is used for the protocol so that only TLS v1.2 is enforced.

3) Disable any weak ciphers by using: ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"

A sample connector would be like this:

<Connector SSLEnabled="true" ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH" 
clientAuth="false" enableLookups="false" keystoreFile="C:\certs\Keystore.PFX" 
keystoreType="pkcs12" keystorePass="changeit" maxThreads="200" port="8443" 
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" 
secure="true" sslProtocol="TLSv1.2" />

NOTE: It is also possible to use an explicit list of cipher suites instead of ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH".

An example of such a list (for more granular control) would be:
useServerCipherSuitesOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" 
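As an added check, not part of this article or of Tomcat or CA SDM, the Python script below parses a Connector element and reports anything that contradicts the three points above: sslProtocol not set to TLSv1.2, an OpenSSL-style cipher string missing the !aNULL, !RC4 or !MD5 exclusions or @STRENGTH, or, for an explicit suite list, suites that use RC4, MD5, 3DES or static RSA key exchange. That last point is what Chrome's "obsolete key exchange (RSA)" message refers to: TLS_RSA_* and SSL_RSA_* suites transport the key with RSA encryption rather than (EC)DHE and so offer no forward secrecy; the explicit list above keeps several of them, so a run against it flags those entries. The two sample connectors are constructed from the article's own values; the classification rules and attribute checks are this example's own policy, not Tomcat's.

```python
"""Audit a Tomcat <Connector> for the three hardening points in the article:
TLS 1.2 only, the weak-cipher exclusions, and (for an explicit suite list)
no suite that Chrome would report as an obsolete key exchange."""
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the article, verbatim.
CONNECTOR_OPENSSL_SYNTAX = r'''<Connector SSLEnabled="true" ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"
clientAuth="false" enableLookups="false" keystoreFile="C:\certs\Keystore.PFX"
keystoreType="pkcs12" keystorePass="changeit" maxThreads="200" port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLSv1.2" />'''

# Constructed sample: the same connector with the article's explicit suite list.
EXPLICIT_SUITES = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
])
CONNECTOR_EXPLICIT_SUITES = CONNECTOR_OPENSSL_SYNTAX.replace(
    'ciphers="HIGH:!aNULL:!RC4:!MD5:@STRENGTH"',
    f'useServerCipherSuitesOrder="true" ciphers="{EXPLICIT_SUITES}"')

# Exclusions the article's OpenSSL-style cipher string must carry (example policy).
REQUIRED_EXCLUSIONS = {"!aNULL", "!RC4", "!MD5"}
# JSSE suite-name prefixes for (EC)DHE, i.e. forward-secret key exchange.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def parse_connector(xml_text):
    """Return the Connector's attributes as a dict."""
    element = ET.fromstring(xml_text)
    if element.tag != "Connector":
        raise ValueError(f"expected <Connector>, got <{element.tag}>")
    return dict(element.attrib)


def is_explicit_suite_list(value):
    """JSSE suite names are comma-separated and start with TLS_/SSL_;
    anything else is treated as OpenSSL cipher-string syntax."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return bool(parts) and all(p.startswith(("TLS_", "SSL_")) for p in parts)


def classify_suite(name):
    """Return why a JSSE suite name is weak, or None if it passes.
    Cipher/MAC checks run before the key-exchange check, so a 3DES suite
    is reported as 3DES even though it also uses static RSA."""
    if "_NULL_" in name or "_anon_" in name:
        return "NULL cipher or anonymous key exchange"
    if "_RC4_" in name:
        return "RC4"
    if name.endswith("_MD5"):
        return "MD5 MAC"
    if "_3DES_" in name:
        return "3DES"
    if not name.startswith(FORWARD_SECRET_PREFIXES):
        return "static RSA key exchange, no forward secrecy (Chrome's 'obsolete key exchange')"
    return None


def check_protocol(attrs):
    """Findings for SSLEnabled and sslProtocol."""
    findings = []
    if attrs.get("SSLEnabled", "").lower() != "true":
        findings.append('SSLEnabled is not "true"')
    proto = attrs.get("sslProtocol")
    if proto != "TLSv1.2":
        findings.append(f'sslProtocol is {proto!r}, expected "TLSv1.2"')
    return findings


def check_ciphers(attrs):
    """Findings for the ciphers attribute in either syntax."""
    findings = []
    value = attrs.get("ciphers", "")
    if not value:
        return ["no ciphers attribute: JVM defaults apply"]
    if is_explicit_suite_list(value):
        if attrs.get("useServerCipherSuitesOrder", "").lower() != "true":
            findings.append('explicit suite list without useServerCipherSuitesOrder="true"')
        for suite in (s.strip() for s in value.split(",") if s.strip()):
            reason = classify_suite(suite)
            if reason:
                findings.append(f"{suite}: {reason}")
    else:
        tokens = set(value.split(":"))
        missing = REQUIRED_EXCLUSIONS - tokens
        if missing:
            findings.append(f"cipher string lacks exclusions: {sorted(missing)}")
        if "@STRENGTH" not in tokens:
            findings.append("cipher string does not sort by @STRENGTH")
    return findings


def audit_connector(xml_text):
    """All findings for one Connector element; an empty list means it passes."""
    attrs = parse_connector(xml_text)
    return check_protocol(attrs) + check_ciphers(attrs)


if __name__ == "__main__":
    for label, xml_text in (("OpenSSL-style string", CONNECTOR_OPENSSL_SYNTAX),
                            ("explicit suite list", CONNECTOR_EXPLICIT_SUITES)):
        findings = audit_connector(xml_text)
        summary = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{label}: {summary}")
        for finding in findings:
            print("  -", finding)
```

Run as-is, the OpenSSL-style connector passes and the explicit-list connector produces seven findings, one per TLS_RSA_* suite plus the 3DES suite; removing those seven names from the list (or keeping only the ECDHE/DHE entries) brings it to a clean pass. To audit a real server.xml, read the file, iterate over the Connector elements that have SSLEnabled="true", and pass each one's serialized element to audit_connector.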

Additional Information:
Refer to Apache Tomcat documentation for more details: https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html