How to disable the weak SSL/TLS protocol and weak ciphers in UMP?
UIM 8.4/UIM 8.4 SP2/UIM 8.51
UIM 9.02: with this version you may also need to remove the 'https_ciphers' key from the <setup> section of wasp.cfg for the change to take effect.
This is done by setting the protocols and ciphers in the <https_connector> tag of wasp.cfg. This mechanism still works with the newer version of the embedded Tomcat.
1) Example that changes wasp's SSL behaviour (this only demonstrates the mechanism; TLSv1 and TLSv1.1 remain enabled and the single RSA CBC suite provides no forward secrecy, so do not use it as a hardened setting):
<https_connector>
URIEncoding = UTF-8
sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</https_connector>
2) Example that disables the weak TLS protocols (TLSv1.2 only). Note that the cipher list below still contains the 3DES suites (…_WITH_3DES_EDE_CBC_SHA) and the non-ephemeral TLS_RSA_* and TLS_ECDH_* suites; drop those as well if your scanner flags 3DES or missing forward secrecy:
<https_connector>
URIEncoding = UTF-8
sslEnabledProtocols = TLSv1.2
ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
</https_connector>
Note: any ciphers specified in the <https_connector> tag override the value of the https_ciphers key. The https_ciphers key is present in wasp.cfg from UIM 8.4 SP1 onwards, so to avoid confusion set the ciphers in one location or the other, not both.
Watch out for protocol/cipher mismatches: if the enabled protocols and the cipher list leave no usable combination (for example, only ECDSA suites with an RSA server certificate), the handshake fails and the browser reports a version or cipher mismatch error instead of loading UMP. After restarting wasp, verify from another host with openssl s_client -connect <ump_host>:<https_port> -tls1_2 (which should succeed) and with -tls1 / -tls1_1 (which should now be refused), and check that the negotiated cipher is one from your list.
Descriptions of these attributes can be found in the Tomcat 7.0 documentation:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
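To check a wasp.cfg before restarting wasp, the following script (an added example, not part of this article or of the UIM product) parses the <https_connector> block in the cfg format shown above and flags the things a TLS scanner would report: weak protocols, 3DES/RC4/NULL/anonymous/export suites, suites without forward secrecy, and the conflict described in the note above where ciphers are set both in <https_connector> and via https_ciphers. The two cfg fragments embedded in it are constructed for the example; the weak-marker list and the prefix test for non-ephemeral suites are this example's own heuristics over JSSE cipher suite names.

```python
"""Audit the <https_connector> block of a wasp.cfg for weak TLS settings.

Added example; not from the KB article or the UIM product. The two sample
cfg fragments below are constructed for this example.
"""
import re

# Constructed sample in the style of the article's first example, plus an
# https_ciphers key in <setup> so the conflict check has something to find.
WEAK_CFG = """\
<setup>
   https_port = 443
   https_ciphers = TLS_RSA_WITH_AES_128_CBC_SHA
</setup>
<https_connector>
   URIEncoding = UTF-8
   sslEnabledProtocols = TLSv1,TLSv1.1,TLSv1.2
   ciphers = TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
</https_connector>
"""

# Constructed sample: TLSv1.2 only, ephemeral-key AEAD suites only.
HARDENED_CFG = """\
<https_connector>
   URIEncoding = UTF-8
   sslEnabledProtocols = TLSv1.2
   ciphers = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
</https_connector>
"""

WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# A JSSE suite name containing any of these is broken or obsolete (heuristic).
WEAK_CIPHER_MARKERS = ("3DES", "_DES_", "RC4", "NULL", "anon", "EXPORT", "MD5")
# Key exchanges with no ephemeral component, hence no forward secrecy (heuristic).
NON_PFS_PREFIXES = ("TLS_RSA_WITH_", "TLS_ECDH_", "TLS_DH_")
# Signalling suites are not ciphers and must not be flagged.
SIGNALLING_SUITES = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "TLS_FALLBACK_SCSV"}


def parse_section(cfg_text, name):
    """Return the key = value pairs of the first <name> ... </name> block."""
    pattern = r"<%s>\s*\n(.*?)^\s*</%s>" % (re.escape(name), re.escape(name))
    m = re.search(pattern, cfg_text, re.S | re.M)
    if not m:
        return {}
    keys = {}
    for line in m.group(1).splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip()] = v.strip()
    return keys


def split_list(value):
    """Split the comma-separated lists wasp.cfg uses for protocols and ciphers."""
    return [x.strip() for x in value.split(",") if x.strip()]


def audit_wasp_cfg(cfg_text):
    """Return the parsed connector settings plus a list of human-readable issues."""
    conn = parse_section(cfg_text, "https_connector")
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    ciphers = [c for c in split_list(conn.get("ciphers", "")) if c not in SIGNALLING_SUITES]

    weak_protocols = [p for p in protocols if p in WEAK_PROTOCOLS]
    weak_ciphers = [c for c in ciphers if any(mk in c for mk in WEAK_CIPHER_MARKERS)]
    non_pfs = [c for c in ciphers if c.startswith(NON_PFS_PREFIXES)]

    issues = []
    if not conn:
        issues.append("no <https_connector> section found")
    if weak_protocols:
        issues.append("weak protocols enabled: " + ", ".join(weak_protocols))
    if weak_ciphers:
        issues.append("weak ciphers enabled: " + ", ".join(weak_ciphers))
    if non_pfs:
        issues.append("ciphers without forward secrecy: " + ", ".join(non_pfs))
    # Ciphers in <https_connector> override https_ciphers; having both invites confusion.
    if "ciphers" in conn and re.search(r"^\s*https_ciphers\s*=", cfg_text, re.M):
        issues.append("ciphers set in both <https_connector> and https_ciphers; keep one")

    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "weak_protocols": weak_protocols,
        "weak_ciphers": weak_ciphers,
        "non_pfs_ciphers": non_pfs,
        "issues": issues,
    }


if __name__ == "__main__":
    for label, cfg in (("weak sample", WEAK_CFG), ("hardened sample", HARDENED_CFG)):
        result = audit_wasp_cfg(cfg)
        print(label, "->", "OK" if not result["issues"] else "; ".join(result["issues"]))
```

To run it against a real file, read wasp.cfg into a string and pass it to audit_wasp_cfg; an empty issues list means the connector block is TLSv1.2-only with ephemeral-key suites and no competing https_ciphers key. The script checks configuration only; confirm the live listener with openssl s_client as described above, since Tomcat silently drops suite names the JVM does not support.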
(Optional, 8.51 or Later) Change the HTTPS Ciphers