Channel: /r/powershell – How to Code .NET

Using PS to Harden Tomcat Web Servers


This script took me from an F to an A on the Qualys SSL Labs server test. It’s very simple. Basically we’re just disabling old and insecure protocols such as SSLv2, SSLv3, TLSv1, and TLSv1.1, as well as insecure ciphers such as RC4 and insecure key exchanges in favor of secure and efficient elliptic curve Diffie-Hellman exchanges.

In my case it is for use with ManageEngine ADSelfService Plus and I can’t confirm which Tomcat/Java versions they are using, so you may need to do a tiny bit of tweaking:

  • Different Tomcat versions use a slightly different syntax for the sslProtocol and sslProtocols attributes
  • Different Java versions may support different cipher suites. This is not the latest Java so you could still further strengthen the ciphers in use if you’re able to update Java. If you’re on an older version of Java then you may not be able to use the ciphers I have listed.
  • Obviously the path to the XML file will be different for you
  • Obviously the name of the Tomcat service will be different for you

Here it is:

    param(
        #Specify the path to the XML configuration file used by the Tomcat web server software.
        $ConfigurationFile = "C:\ManageEngine\ADSelfService Plus\conf\server.xml",
        #Specify the name of the Windows service that runs Tomcat.
        $ServiceName = "ADSelfServicePlus"
    )

    #Take a backup of the file before making any changes
    Copy-Item $ConfigurationFile "$ConfigurationFile.old" -ErrorAction Stop

    #Read the XML file and convert it into an object that is easy to work with.
    [xml]$Configuration = Get-Content -Path $ConfigurationFile -ErrorAction Stop

    #Search for any Tomcat Connectors that are using HTTPS
    $HTTPSConnectors = $Configuration.Server.Service.Connector | Where-Object {$_.SSLEnabled -eq "true"}

    #Update the settings on these connectors to use only TLS 1.2 and strong ciphers (disable SSL and disable old versions of TLS).
    #Loop so this works whether one or several HTTPS connectors are defined; calling SetAttribute() on an array of them fails.
    #Note: Tomcat 6 reads the sslProtocols attribute, Tomcat 7 and later read sslEnabledProtocols instead.
    foreach ($Connector in $HTTPSConnectors) {
        $Connector.SetAttribute("sslProtocol","TLS")
        $Connector.SetAttribute("sslProtocols","TLSv1.2")
        $Connector.SetAttribute("ciphers","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
    }

    #Save the updated file
    $Configuration.Save($ConfigurationFile)

    #Restart the service for the changes to take effect
    net stop $ServiceName
    net start $ServiceName

PS – Hilariously it is much more difficult to do the same thing with IIS, because the SCHANNEL settings affect so much more than just IIS. Lock it down to only TLS 1.2 without proper preparation and you will be hating life.

submitted by /u/OathOfFeanor
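Once the service is back up, the thing worth checking is the same thing SSL Labs grades: which protocol versions the server will still negotiate. The following is an added verification script, not code from the original post or from ManageEngine. It opens a TCP connection to the HTTPS connector and attempts a handshake offering exactly one protocol version at a time, so an accepted handshake means the server really accepted that version. The host name and port used in the usage line are placeholders.

```powershell
# Added verification example, not part of the original post. Host name and
# port below are assumptions; point them at your own Tomcat HTTPS connector.
function Test-TlsProtocolSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        [int]$Port = 443,

        [int]$TimeoutMs = 5000
    )

    # SSLv2 is left out: current .NET builds refuse to even attempt it.
    $protocols = [ordered]@{
        'SSLv3'   = [System.Security.Authentication.SslProtocols]::Ssl3
        'TLSv1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLSv1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLSv1.2' = [System.Security.Authentication.SslProtocols]::Tls12
    }

    # Accept any certificate: the question here is which protocol versions the
    # server speaks, not whether its certificate chains to a trusted root.
    $acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

    foreach ($name in $protocols.Keys) {
        $result = [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $Port
            Protocol     = $name
            Accepted     = $false
            Cipher       = $null
            Error        = $null
        }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                throw "TCP connect to ${ComputerName}:$Port timed out"
            }
            $client.EndConnect($async)

            $ssl = New-Object System.Net.Security.SslStream -ArgumentList @(
                $client.GetStream(), $false, $acceptAnyCert)

            # Offer exactly one protocol version so a success means the server
            # accepted that version, not a higher one it was allowed to pick.
            $ssl.AuthenticateAsClient($ComputerName, $null, $protocols[$name], $false)

            $result.Accepted = $true
            $result.Cipher   = '{0} {1}-bit, kx={2}, mac={3}' -f $ssl.CipherAlgorithm,
                $ssl.CipherStrength, $ssl.KeyExchangeAlgorithm, $ssl.HashAlgorithm
            $ssl.Close()
        }
        catch {
            # A handshake the server refuses surfaces here as an AuthenticationException;
            # a connect failure or timeout surfaces as a SocketException or the throw above.
            $result.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            $client.Close()
        }

        $result
    }
}

# Usage (host and port are placeholders): after hardening, only TLSv1.2 should
# come back with Accepted = True.
Test-TlsProtocolSupport -ComputerName 'adselfservice.example.com' -Port 9251 |
    Format-Table Protocol, Accepted, Cipher, Error -AutoSize
```

One caveat when reading the output: SslStream in Windows PowerShell rides on the same SCHANNEL stack the post mentions at the end, so if the machine you run this from has SSLv3 or TLS 1.0 disabled at the OS level, those rows will show an error even against a server that still supports them. Read the Error column to tell a client-side refusal from a server-side one, or run the probe from a host with all versions enabled.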

The post Using PS to Harden Tomcat Web Servers appeared first on How to Code .NET.

