Question
WSO2AM (1.10.0) is used in my organization as an API gateway. Before releasing it to production, a few weakened protocols/ciphers were found by a security company, and they suggest disabling these protocols as below:
- TLSv1.0
- 3DES based ciphers
- 1024 bit Diffie-Hellman groups
Could anyone please suggest how to turn them off, and any side effects?
Thanks, Sean
Answer 1:
You can disable TLSv1.0 by removing it from the repository/conf/tomcat/catalina-server.xml file.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
bindOnInit="false"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Ciphers can be disabled by editing the ciphers section of the same file.
ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
More details can be found here. However, there are some known issues if you are running on jdk1.7. Refer here.
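An added example (not part of the original answer and not WSO2 code): a Python check that parses a Connector element like the one quoted above and reports which entries match the findings in the question. The sample element is constructed from the attributes in the answer; the name `audit_connector`, the marker lists (which also cover RC4 and other legacy families beyond the three findings), and dropping DHE suites as the response to the 1024-bit Diffie-Hellman finding are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Connector attributes quoted in the answer,
# closed with "/>" so that the fragment parses on its own.
SAMPLE = '''<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="9443" bindOnInit="false"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>'''

# Assumed policy lists for this example. "TLSv1" is the JSSE name for TLS 1.0.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1"}
WEAK_CIPHER_MARKERS = ("_3DES_", "_RC4_", "_DES_", "_NULL_", "_EXPORT_", "_anon_")


def split_list(value):
    """Split a comma-separated attribute, tolerating line breaks and spaces."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_connector(xml_text):
    """Return findings and reduced attribute values for one <Connector>."""
    conn = ET.fromstring(xml_text)
    protocols = split_list(conn.get("sslEnabledProtocols"))
    ciphers = split_list(conn.get("ciphers"))
    weak_protocols = [p for p in protocols if p in WEAK_PROTOCOLS]
    weak_ciphers = [c for c in ciphers
                    if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
    # The ciphers attribute does not set the DH group size, so the remaining
    # DHE suites are listed separately and dropped here (assumed mitigation).
    dhe_review = [c for c in ciphers if "_DHE_" in c and c not in weak_ciphers]
    kept = [c for c in ciphers if c not in weak_ciphers and c not in dhe_review]
    return {
        "weak_protocols": weak_protocols,
        "weak_ciphers": weak_ciphers,
        "dhe_review": dhe_review,
        "sslEnabledProtocols": ",".join(
            p for p in protocols if p not in weak_protocols),
        "ciphers": ",".join(kept),
    }


if __name__ == "__main__":
    for key, value in audit_connector(SAMPLE).items():
        print(f"{key}: {value}")
```

Every HTTPS Connector element in catalina-server.xml needs the same check, and clients that only speak TLSv1.0 or only offer the removed suites will no longer be able to connect.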
Source: https://stackoverflow.com/questions/43771627/disable-weakened-protocols-ciphers-in-wso2am-1-10-0