I'm using Trend Micro Deep Security as part of a PCI DSS environment. The problem is that the SSL certificate uses a weak cipher:
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1).
The application uses a version of Tomcat embedded and I'm looking for a way to disable the weak ciphers. I believe https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html is what I need to do, however I can't find any details on how to do this with the embedded version?
Basics of customizing embedded Tomcat are shown in e.g. Running A Spring Boot App (Embedded Tomcat) with SSL and Unencrypted Simultaneously
To configure permitted ciphers, add something like this:
// Tomcat 8.5+: 'connector' is the already-configured HTTPS org.apache.catalina.connector.Connector
SSLHostConfig[] sslHostConfigs = connector.findSslHostConfigs();
// Comma-separated protocol names; the first SSLHostConfig is the default virtual host
sslHostConfigs[0].setProtocols("TLSv1.2, TLSv1.1, TLSv1");
// Comma-separated JSSE cipher suite names; anything not listed is refused during the handshake
sslHostConfigs[0].setCiphers("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256");
Or for Tomcat versions older than 8.5:
// Pre-8.5: the settings live on the endpoint behind the connector's protocol handler
NioEndpoint endpoint = protocol.getEndpoint();
endpoint.setSslEnabledProtocols(...);  // same protocol list as above
endpoint.setCiphers(...);              // same cipher suite list as above
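A complete version of the Tomcat 8.5+/9 approach, written here as an added example rather than code from the answer or from Deep Security. It builds an HTTPS connector on a plain embedded Tomcat and restricts it to TLS 1.2 with forward-secret AEAD suites only, so the RSA key exchange and AES_128_CBC/SHA-1 suite reported in the question (and still present in the answer's list) are no longer offered. The keystore path and password are placeholders.

```java
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class HardenedEmbeddedTomcat {

    // ECDHE key exchange (forward secrecy) with GCM: no static RSA, no CBC, no SHA-1 MAC.
    static final String CIPHERS = String.join(",",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    public static Connector httpsConnector(int port, String keystorePath, String keystorePassword) {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");

        SSLHostConfig ssl = new SSLHostConfig();
        ssl.setProtocols("TLSv1.2");      // TLSv1 and TLSv1.1 are not enabled at all
        ssl.setCiphers(CIPHERS);
        ssl.setHonorCipherOrder(true);    // server-side preference, in the order listed above

        // Certificate/key for this virtual host; placeholder keystore values are passed in by the caller
        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile(keystorePath);
        cert.setCertificateKeystorePassword(keystorePassword);
        ssl.addCertificate(cert);

        connector.addSslHostConfig(ssl);
        return connector;
    }

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir"));
        // Placeholder keystore path and password; replace with the real server keystore
        tomcat.getService().addConnector(httpsConnector(8443, "/path/to/keystore.jks", "changeit"));
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

After restarting, confirm the change from the outside with `openssl s_client -connect host:8443 -cipher AES128-SHA -tls1_2`, which should now fail the handshake, and re-run the PCI scan to confirm the finding is cleared.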