How to disable weak SSL or TLS protocol and weak ciphers in UMP

Document ID : KB000046324
Last Modified Date : 09/04/2019
Introduction:

How to disable the weak SSL/TLS protocol and weak ciphers in UMP? 

Environment:
UIM 8.4/UIM 8.4 SP2/UIM 8.51
UIM 9.02 - Please note that with this version you may need to remove the 'https_ciphers' key from the <setup> section to complete this process.
Instructions:
This can be done by setting the protocols and ciphers in the <https_connector> tag of wasp.cfg. This mechanism can still be used with the newer version of the embedded Tomcat.

1) Example to change wasp's SSL behavior:

<https_connector>
URIEncoding = UTF-8
sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</https_connector>

2) Example to disable weak TLS protocols:

<https_connector>
URIEncoding = UTF-8
sslEnabledProtocols = TLSv1.2
ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
</https_connector>
 
Note: Any ciphers specified in the <https_connector> tag will override values set with the https_ciphers key. The https_ciphers key exists in wasp.cfg in UIM 8.4 SP1 and later, so to eliminate any possible confusion, specify the ciphers in one location or the other, not both.
Watch out for protocol/cipher mismatches between wasp and the client; the browser will warn about them when the handshake fails.
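As an added illustration (not part of this KB article and not UIM's own tooling), the following Python script parses a wasp.cfg fragment in the <section> key = value layout shown above, flags protocols older than TLSv1.2 and legacy suite names such as 3DES, and warns when ciphers are set in both <https_connector> and the <setup> https_ciphers key. The sample config and the weak-cipher patterns are constructed for this example.

```python
import re

# Constructed wasp.cfg fragment (not from a real UIM install) in the
# <section> ... key = value ... </section> layout the article shows.
SAMPLE_WASP_CFG = """
<setup>
    https_ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</setup>
<https_connector>
    URIEncoding = UTF-8
    sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
    ciphers = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
</https_connector>
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Markers of legacy JSSE suite names; this policy is an assumption for the example.
WEAK_CIPHER_MARKERS = ("3DES", "DES_CBC", "RC4", "NULL", "EXPORT", "MD5", "anon")

def parse_sections(text):
    """Return {section: {key: value}} for each <name> ... </name> block."""
    sections = {}
    for name, body in re.findall(r"<(\w+)>(.*?)</\1>", text, re.S):
        kv = {}
        for line in body.splitlines():
            if "=" in line:
                key, value = line.split("=", 1)
                kv[key.strip()] = value.strip()
        sections[name] = kv
    return sections

def audit(text):
    """Return findings: weak protocols, weak suites, and duplicate cipher settings."""
    cfg = parse_sections(text)
    conn = cfg.get("https_connector", {})
    findings = []
    for proto in conn.get("sslEnabledProtocols", "").split(","):
        if proto.strip() in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto.strip()}")
    ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    for suite in ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {suite}")
    # Per the article, <https_connector> ciphers override <setup> https_ciphers.
    if ciphers and "https_ciphers" in cfg.get("setup", {}):
        findings.append("ciphers set in both <https_connector> and <setup> https_ciphers")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WASP_CFG)))
```

Run it against a copy of the live wasp.cfg after editing to confirm that no weak protocol or suite remains and that the cipher list is defined in only one place.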
 
Additional Information:
Descriptions of these attributes can be found in the Tomcat 7.0 documentation:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

(Optional, 8.51 or Later) Change the HTTPS Ciphers