
Enhanced security configuration is blocking it: the web application registered a JDBC driver

Posted: 2023-05-06 15:07:24 | Reads: 174155 | Author: 3935

Disabling weak cipher suites such as RC4 on the Tomcat 6/7 application server

Which cipher suites are available depends on the Tomcat application server and the JDK it runs on. They are controlled by the sslEnabledProtocols and ciphers attributes of the HTTPS Connector in conf/server.xml.

sslEnabledProtocols is normally set to TLSv1, TLSv1.1, TLSv1.2.

Ciphers for Java 6 with Tomcat 6/7 and for Java 7 with Tomcat 6/7: both lists are garbled in the scraped source beyond reliable recovery and are not reproduced here; the Comodo reference linked below carries the original lists.

Ciphers for Java 8 with Tomcat 6/7 (the beginning of the list is truncated in the source; it resumes at the first complete suite name):
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Example cipher suite configuration for Tomcat 7 with JDK 7:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="E:/tomcat/demo/apache-tomcat-7.0.109/conf/keystore/n.keystore"
           keystorePass="pwd"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />
<!-- Two fixes relative to the source: the attribute is sslEnabledProtocols (the original
     had the typo "sslEnabledpotocols", which Tomcat ignores, so the JVM default protocol
     set would stay active), and the signalling suite is TLS_EMPTY_RENEGOTIATION_INFO_SCSV
     (the original "…_SCSVF" is not a JSSE suite name and is dropped with a warning).
     The RC4 and 3DES suites still in this list are graded weak by ssl-enum-ciphers. -->

Reference: https://support.comodo.com/index.php?/Knowledgebase/Article/View/659
There is a catch in that reference for Java 7 (the other JDK versions were not verified): after applying its configuration, a weak cipher suite is still offered, as shown in the screenshot:

The scan shows that the weak suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA is still included. Remove it from the ciphers attribute and restart the Tomcat service; a re-scan then reports no weak cipher suites, as shown in the second screenshot:

Appendix: how to check a port for weak cipher suites.
Nmap download: https://nmap.org/download.html

Download and install Nmap (or use the unzipped portable build). Then open CMD, change to the installation directory C:\Program Files (x86)\Nmap and run:

nmap -sV --script ssl-enum-ciphers -p 8443 <IP address>
