How to disable weak SSL or TLS protocol and weak ciphers in UMP

Document ID : KB000046324
Last Modified Date : 14/02/2018

Introduction/Summary: 

How do I disable weak SSL/TLS protocols and weak ciphers in UMP?


Environment:  

UIM 8.4/UIM 8.4 SP2


Instructions: 

This is done by setting the protocols and ciphers in the <https_connector> tag of wasp.cfg. The same mechanism still works with the newer version of the embedded Tomcat.

1) Example of an <https_connector> block that changes wasp's SSL behavior:

<https_connector>
    URIEncoding = UTF-8
    sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
    ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</https_connector>


2) Example that disables the weak TLS protocols and allows only TLSv1.2:

<https_connector>
    URIEncoding = UTF-8
    sslEnabledProtocols = TLSv1.2
    ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
</https_connector>


Note: Any ciphers specified in the <https_connector> tag override values set with the https_ciphers key. The https_ciphers key exists in wasp.cfg in UIM 8.4 SP1 and later, so to avoid confusion specify the ciphers in one location or the other, not both.

Watch out for protocol/cipher mismatches, such as a cipher list whose suites all require a protocol that is not enabled; the browser will warn about these.
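As an added check (example code written for this article, not part of UIM, UMP or wasp), the following Python script parses the <https_connector> block of a wasp.cfg fragment and reports weak protocols, obsolete cipher suites, and the protocol/cipher mismatch mentioned above. The sample fragment is constructed for the example, and the weak-suite patterns and the lint function are assumptions of this example rather than anything wasp itself provides.

```python
import re

# Sample wasp.cfg fragment, constructed for this example and modelled on the
# KB's second example, with one 3DES suite left in on purpose.
SAMPLE_CFG = """\
<https_connector>
    URIEncoding = UTF-8
    sslEnabledProtocols = TLSv1.2
    ciphers = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
</https_connector>
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Suite-name fragments that mark obsolete or unauthenticated ciphers (assumed policy).
WEAK_CIPHER = re.compile(r"_(3DES|DES|RC4|NULL|EXPORT|anon)_|_MD5$")
# SHA-2 HMAC and GCM suites are only negotiable under TLSv1.2.
TLS12_ONLY = re.compile(r"_(SHA256|SHA384)$")

def parse_https_connector(cfg_text):
    """Return the key/value pairs inside the <https_connector> block."""
    m = re.search(r"<https_connector>(.*?)</https_connector>", cfg_text, re.S)
    if not m:
        raise ValueError("no <https_connector> block found")
    pairs = {}
    for line in m.group(1).splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs

def lint_https_connector(cfg_text):
    """Return a list of findings; an empty list means the block passes."""
    cfg = parse_https_connector(cfg_text)
    protocols = [p.strip() for p in cfg.get("sslEnabledProtocols", "").split(",") if p.strip()]
    ciphers = [c.strip() for c in cfg.get("ciphers", "").split(",") if c.strip()]
    findings = [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    findings += [f"weak cipher suite: {c}" for c in ciphers if WEAK_CIPHER.search(c)]
    # Protocol/cipher mismatch: if every real suite needs TLSv1.2 but TLSv1.2 is
    # not enabled, no handshake can succeed and the browser reports an error.
    real = [c for c in ciphers if not c.endswith("_SCSV")]
    if real and "TLSv1.2" not in protocols and all(TLS12_ONLY.search(c) for c in real):
        findings.append("protocol/cipher mismatch: every suite needs TLSv1.2, which is not enabled")
    return findings

if __name__ == "__main__":
    for finding in lint_https_connector(SAMPLE_CFG) or ["no findings"]:
        print(finding)
```

Run against the KB's first example, the script flags TLSv1 and TLSv1.1 as weak protocols; against the sample above it flags only the 3DES suite.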


Additional Information:

Descriptions of these attributes can be found in the Tomcat 7.0 documentation:

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html


(Optional, 8.4 SP1 or Later) Change the HTTPS Ciphers

https://docops.ca.com/display/UIM84/Configure+HTTPS+in+UMP#ConfigureHTTPSinUMP-(Optional)ChangetheHTTPSCiphers