Workaround for Tomcat SSL and TLS Logjam Vulnerability
Posted by Aly Essa, Last modified by Aly Essa on 30 November 2018 11:32 AM

Overview

In this article, we will address the Logjam Vulnerability and simultaneously harden the Tomcat Web Server to prevent a POODLE attack. The deployment of these patches should be done together.

A full technical brief is available at https://weakdh.org/. This site also contains details on the Logjam Vulnerability and what weaknesses are exploited.

You can access the Knowledgebase Article for the POODLE Fix here: http://support.filecatalyst.com/index.php?/Knowledgebase/Article/View/306/55/how-to-deploy-the-sslv3-poodle-fix-for-tomcat

We recommend that you go through this article first. 

Environment

FileCatalyst Workflow v4.9.4 and later.

FileCatalyst Webmail v4.9.4 and later.

Tomcat v7.0 and later.

Resolution

  1. Shutdown your Apache Tomcat service.
  2. Locate your Tomcat installation directory. For the purposes of this document, we will be using Windows environment paths. Typically it is installed in C:\Program Files\Apache Software Foundation\Tomcat 7.0\, but this may differ on your system.
  3. Navigate to the conf directory.
  4. Open the server.xml file in a text editor.
  5. Locate the connector named:

    <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->

  6. Add the following property at the end of the connectors, before “/>”, to both <!--FCWeb HTTPS Connector1--> and <!--FCWeb HTTPS Connector2-->:

    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"

  7. Your edited connectors should look like:

    <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--FCWeb HTTPS Connector2-->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\Program Files\FileCatalyst Web Workflow/apache-tomcat/tomcat-ssl/.keystore"
    keystorePass="changeit"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>

    <!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <!--FCWeb HTTPS Connector1-->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:\Program Files\FileCatalyst Web Workflow/apache-tomcat/tomcat-ssl/.keystore"
    keystorePass="changeit"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

  8. Save the file and restart your Apache Tomcat Server.
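As an added check after the edit (example code written for this page, not part of the article or of FileCatalyst's product): a small Python script that parses server.xml and reports every SSL-enabled connector that still offers SSLv3 (POODLE) or a finite-field DHE/export cipher suite (Logjam), i.e. anything steps 6 and 7 are meant to remove. The embedded server.xml is a constructed sample, and the optional file-path argument is an assumption.

```python
# Added example (not from the FileCatalyst article): audit a Tomcat server.xml and
# report SSL-enabled connectors that still allow what the article's edit removes.
import sys
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 is hardened as in the article; port 8444 still
# offers a DHE suite (Logjam) and SSLv3 (POODLE).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
      SSLEnabled="true" sslEnabledProtocols="SSLv3,TLSv1"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}

def is_weak_cipher(name):
    """Logjam abuses finite-field DH key exchange; the article keeps ECDHE/RSA only."""
    n = name.upper()
    return "_DHE_" in n or "_DH_" in n or "EXPORT" in n or "ANON" in n or "NULL" in n

def audit_connectors(xml_text):
    """Return [(port, [findings])] for every SSLEnabled connector; [] means clean."""
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors are out of scope
        findings = []
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos:
            findings.append("sslEnabledProtocols not set (JVM default applies)")
        findings += ["weak protocol enabled: " + p for p in sorted(protos & WEAK_PROTOCOLS)]
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        if not ciphers:
            findings.append("ciphers not set (JVM default may include DHE suites)")
        findings += ["weak cipher allowed: " + c for c in ciphers if is_weak_cipher(c)]
        results.append((conn.get("port"), findings))
    return results

if __name__ == "__main__":  # usage: python audit_tomcat_tls.py [path/to/server.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in audit_connectors(text):
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it against conf/server.xml after restarting Tomcat; every 8443 connector should report OK.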