I’m managing a website, and during a vulnerability scan, it’s showing that TLS 1.0 and 1.1 are still supported. However, I’m trying to disable these protocols to improve security.
I don’t have much knowledge about security, but I’ve tried several things (with help from ChatGPT), and nothing seems to be working.
Additional Information:
- Server: Tomcat 8.5.100
- Java Version: java 8
Please help me.
Steps I’ve Taken to Solve This:
- Modified the `server.xml` file as follows:

```xml
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" server="Server" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path" keystorePass="password"
           clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8"
           Ciphers="ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
                    ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
                    ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
                    ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384,
                    ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256"
/>
```
- Setting `protocol="org.apache.coyote.http11.Http11Protocol"` doesn’t seem to work.
- I tried removing the `ciphers` attribute, but it didn’t help.
- I also tried using the `<SSLHostConfig>` tag, but Tomcat failed to restart. I checked the `catalina.log` and saw this error:

```
Multiple SSLHostConfig elements were provided for the host name [_default_]. Hostnames must be unique.
```
- `java.security` file:

```
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, TLSv1, TLSv1.1, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
```
- Tested with the `openssl` command, and the session protocol is TLSv1.2.