Disabling Weak SSL/TLS Ciphers in CTS


When deploying the CoreBlox Token Service (CTS) in "Standalone" mode, it may be necessary to disable weak SSL/TLS ciphers that are no longer considered safe. In standalone mode CTS uses embedded Jetty, which inherits its SSL cipher suites from the SunJSSE provider of the Oracle JVM installed on the system. You can find a complete list of the available ciphers in the Java 8 documentation: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

Oracle has deprecated a number of different ciphers, but you may need to add to that list in your CTS deployment. This can be done fairly easily by modifying the ../config/jetty.xml file.

Our default file configuration looks like the following:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure id="Server" class="org.mortbay.jetty.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.nio.SelectChannelConnector">
        <Set name="host"><SystemProperty name="jetty.host" /></Set>
        <Set name="port"><SystemProperty name="jetty.port" default="8585" /></Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="Port">8586</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="keystore"><SystemProperty name="jetty.home" default="./" />config/cts_server.keystore</Set>
        <Set name="password">SECRETPASSWORD</Set>
        <Set name="keyPassword">SECRETPASSWORD</Set>
        <Set name="needClientAuth">true</Set>
        <Set name="wantClientAuth">false</Set>
      </New>
    </Arg>
  </Call>
  <!-- required configuration -->
  <!-- connectors -->
  <!-- handlers -->
  <!-- webapps/contexts -->
  <!-- optional configuration -->
  <!-- threadpool -->
  <!-- session id manager -->
  <!-- authentication realms -->
  <!-- request logs -->
  <!-- extra server options -->
</Configure>

Since we are utilizing Jetty 6.1, we can add a new setting called "ExcludeCipherSuites", which lets us explicitly deny a list of ciphers we do not want to support. For example, here's a jetty.xml file that excludes a number of known weak ciphers:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure id="Server" class="org.mortbay.jetty.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.nio.SelectChannelConnector">
        <Set name="host"><SystemProperty name="jetty.host" /></Set>
        <Set name="port"><SystemProperty name="jetty.port" default="8585" /></Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="Port">8586</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="keystore"><SystemProperty name="jetty.home" default="./" />config/cts_server.keystore</Set>
        <Set name="password">SECRETPASSWORD</Set>
        <Set name="keyPassword">SECRETPASSWORD</Set>
        <Set name="needClientAuth">true</Set>
        <Set name="wantClientAuth">false</Set>
        <Set name="ExcludeCipherSuites">
          <Array type="String">
            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_NULL_MD5</Item>
            <Item>SSL_RSA_WITH_NULL_SHA</Item>
            <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
            <Item>TLS_DH_anon_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DH_anon_WITH_AES_256_CBC_SHA</Item>
            <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
            <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
            <Item>TLS_KRB5_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_3DES_EDE_CBC_MD5</Item>
            <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
            <Item>TLS_KRB5_WITH_DES_CBC_MD5</Item>
            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5</Item>
            <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
            <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
  <!-- required configuration -->
  <!-- connectors -->
  <!-- handlers -->
  <!-- webapps/contexts -->
  <!-- optional configuration -->
  <!-- threadpool -->
  <!-- session id manager -->
  <!-- authentication realms -->
  <!-- request logs -->
  <!-- extra server options -->
</Configure>

You can modify this list as you wish to exclude further ciphers as necessary. However, we feel this is a good starting point for most deployments.
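
One way to check an edited jetty.xml against the suites your JVM reports, as an added example (not CoreBlox or Jetty code): it reads the ExcludeCipherSuites list of each SslSocketConnector and reports weak-looking suites the list does not cover, plus entries that match no JVM suite, such as a misspelled name. The WEAK_PARTS markers, the function names, the trimmed config and the JVM suite list are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SSL_CONNECTOR = "org.mortbay.jetty.security.SslSocketConnector"
# Assumption of this example: name parts that mark the kinds of suites the
# article's list excludes. "DES" is matched as a whole part, so 3DES is not hit.
WEAK_PARTS = {"NULL", "anon", "EXPORT", "DES", "RC4", "KRB5"}

def excluded_by_port(jetty_xml):
    """Map each SSL connector's port to its set of ExcludeCipherSuites items."""
    result = {}
    for conn in ET.fromstring(jetty_xml).iter("New"):
        if conn.get("class") != SSL_CONNECTOR:
            continue
        # The article writes both "port" and "Port", so compare names case-insensitively.
        sets = {s.get("name", "").lower(): s for s in conn.findall("Set")}
        port = (sets["port"].text or "").strip() if "port" in sets else "unknown"
        excl = sets.get("excludeciphersuites")
        items = excl.iter("Item") if excl is not None else []
        result[port] = {(i.text or "").strip() for i in items}
    return result

def audit(jetty_xml, jvm_suites):
    """Per port: weak JVM suites not excluded, and exclude entries matching nothing."""
    report = {}
    for port, excluded in excluded_by_port(jetty_xml).items():
        weak_left = sorted(s for s in jvm_suites
                           if WEAK_PARTS & set(s.split("_")) and s not in excluded)
        unmatched = sorted(excluded - set(jvm_suites))
        report[port] = {"weak_left": weak_left, "unmatched": unmatched}
    return report

# Constructed, trimmed jetty.xml; the last Item is a deliberate typo.
SAMPLE_XML = """<Configure id="Server" class="org.mortbay.jetty.Server">
 <Call name="addConnector"><Arg>
  <New class="org.mortbay.jetty.security.SslSocketConnector">
   <Set name="Port">8586</Set>
   <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
    <Item>SSL_RSA_WITH_NULL_SHAA</Item>
   </Array></Set>
  </New></Arg></Call>
</Configure>"""
# Constructed sample of suite names a JVM might report as supported.
SAMPLE_JVM = ["TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
              "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5",
              "SSL_RSA_WITH_NULL_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"]

if __name__ == "__main__":
    for port, r in audit(SAMPLE_XML, SAMPLE_JVM).items():
        print(port, r)
```

To audit a real deployment, pass the text of your own ../config/jetty.xml and the suite names your JVM actually reports in place of the constructed samples.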

Ian Barnett

Ping Identity Practice Director