Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Configuring Supported Ciphers for Tomcat HTTPS Connections

Overview

Due to a security vulnerability (Logjam), cipher suites that use weak Diffie-Hellman key exchange algorithms are disabled in the Tomcat server.xml file installed with the Casper Suite v9.73 and later. The list of ciphers is not automatically modified when upgrading the Casper Suite from v9.72 or earlier. It is recommended that you manually replace the list of ciphers to remediate this known vulnerability.

This article provides step-by-step instructions for replacing the existing ciphers in the server.xml file with a list of recommended ciphers.

In addition, users who want to modify the list of ciphers in the server.xml file for a different reason, such as customizing their environment, can also follow these instructions to specify a list of ciphers for HTTPS connections.

Products Affected

Casper Suite v9.72 or earlier

Procedure

  1. Upgrade to the JSS v9.73 or later.
  2. Open the server.xml file in a text editor. The server.xml file is located in: - Mac: /Library/JSS/Tomcat/conf/server.xml - Linux: /usr/local/jss/tomcat/conf/server.xml - Windows: C:\Program Files\JSS\Tomcat\conf\server.xml Note: It is recommended that you create a backup of the server.xml file before replacing the existing ciphers.
  3. Search for the ciphers attribute in the Connector element for port="8443".
  4. Replace the existing ciphers with the ciphers listed below. If the ciphers attribute is not present, add it to the Connector element. ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"

In addition, if you are running Java 1.6 or a JDS instance in your environment, you must also include the following cipher:
TLS_RSA_WITH_AES_128_CBC_SHA

Note: These recommendations come from The Open Web Application Security Project (OWASP). For additional recommendations on securing Tomcat, see the following documentation from OWASP:
https://www.owasp.org/index.php/Securing_tomcat#Encryption

5. Save and close the server.xml file.
6. Restart Tomcat.
For instructions, see Starting and Stopping Tomcat.

Additional Information

For more information about Apache Tomcat HTTP Connectors, go to:
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Like Comment
Order by:
SOLVED Posted: 4/22/15 at 8:29 AM by Marker.43

Can you provide a source for strong ciphers, or maybe just the ones that get specified when doing a fresh install of Casper?

Like
SOLVED Posted: 7/16/15 at 10:39 AM by jkb
The server.xml file is located in: - Mac: /Library/JSS/Tomcat/conf/server.xml - Linux: C:\Program Files\JSS\Tomcat\conf\server.xml - Windows: /usr/local/jss/tomcat/conf/server.xml

n.b. The Windows and Linux file paths are mixed up.

jkb

Like
SOLVED Posted: 7/16/15 at 11:51 AM by kristen.bates

Thank you. The file paths should be correct now.

Like
SOLVED Posted: 7/22/15 at 12:15 PM by ekkehard

If you don't like to do this manually vote here:
Update port 8443 ciphers during upgrades

Like
SOLVED Posted: 8/4/15 at 10:29 AM by higginsta

So I ran into this error this morning on Firefox 39 and Chrome 45 (beta). I updated the ciphers to the recommended list and upon restart I could not connect with any browser due to the following error:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Tomcat restarted cleanly and I double checked the syntax. Is there an updated KB that deals with this issue?

Thanks,

Todd

Like
SOLVED Posted: 8/4/15 at 3:26 PM by jhalvorson

After making the change to the cipher attribute on a test JSS, devices with 10.5 were no longer able to securely connect to the JSS and I could not use any of the functions in Casper Remote to a client with 10.5.

Have others seen this issue? Is it to be expected due to the age and limitations of 10.5 and older?

Like
SOLVED Posted: 9/3/15 at 9:32 AM by cvgs

After trying to enroll a 9.73 JDS running un Ubuntu 14.04 LTS into a 9.73 JSS running Java 8 on Windows, i have found that i had to add TLS_RSA_WITH_AES_128_CBC_SHA to the cipher list (which as stated above should only be needed when Java 1.6 would be used anywhere).

Otherwise you get the error message

error: (35) - gnutls_handshake() failed: A TLS fatal alert has been received.

and the jamf.log shows:

 ERROR (35, 'gnutls_handshake() failed: A TLS fatal alert has been received.')
Traceback (most recent call last):
  File "/root/bamboo-agent-home/xml-data/build-dir/REL-ACS-RELCASJDSUBUNTU/build/pyi.linux2/jamfds/out00-PYZ.pyz/jss_comm", line 84, in _perform
error: (35, 'gnutls_handshake() failed: A TLS fatal alert has been received.')

YMMV...

Like
SOLVED Posted: 9/8/15 at 12:38 PM by kevindw

I'll second that I needed to add "TLS_RSA_WITH_AES_128_CBC_SHA" to the cipher list to get things rocking again.

Chrome error was SSL version or cipher mismatch

Running RHEL 6.6, JSS 9.73, Java 1.7.0_79.

Cheers!

Like
SOLVED Posted: 9/18/15 at 12:16 PM by msd_netadmin

Add me to the list that needed the "TLS_RSA_WITH_AES_128_CBC_SHA" included. We have Java 1.8 although 1.6 is still on the server.

Dan

Like
SOLVED Posted: 9/24/15 at 12:22 PM by kwsenger

Our environment runs JDS' as well. I missed adding this line as well {"TLS_RSA_WITH_AES_128_CBC_SHA"}. We are on Java 1.7 but DO have JDS'.

We were able to use Chrome 45 for accessing the JSS Web App but when we tried to update our main JDS with JDS Installer 9.8 we would get this error. {Could not retrieve certificate from "https://jss.mycompany.com:8443/". Check that the JSS URL is correct}. We also could not upload packages correctly to Capser Admin.

Adding "TLS_RSA_WITH_AES_128_CBC_SHA" to the cipher list and bouncing Tomcat fixed everything.
Karl.

Like
SOLVED Posted: 9/25/15 at 10:28 AM by RobertHammen

@Kristen I have had numerous clients read this article to try to fix the issue of not being able to connect to their JSS via latest versions of Firefox, Chrome, and, in OS X El Capitan, Safari.

Unfortunately, they ALL have glossed over the requirement that they MUST be running 9.73 or later of the Casper Suite before adding these ciphers.

Can you please have this revised, at your earliest convenience, to highlight the fact that clients must FIRST upgrade to 9.73 (to get a new version of Tomcat that supports the ciphers), THEN edit the server.xml file? And if that they don't perform the upgrade first, they will break their JSS?

I literally have had close to 10 clients try to edit this without being on 9.73 and do exactly that and I've had to walk them through removing the ciphers they added, in order to get them back up-and-running.

Like
SOLVED Posted: 10/5/15 at 1:25 PM by Josh.Smith
to highlight the fact that clients must FIRST upgrade to 9.73 (to get a new version of Tomcat that supports the ciphers), THEN edit the server.xml file? And if that they don't perform the upgrade first, they will break their JSS?

Important safety tip, thanks Egon.

Like
SOLVED Posted: 10/19/15 at 12:03 PM by dickie

Had been working in Google Chrome now I get "Server has a weak ephemeral Diffie-Hellman public key". I did the procedure above including adding the extra key. Still same. I can use the JSS in Safari, but still can't use chrome.

Like
SOLVED Posted: 10/22/15 at 12:32 PM by wallstrum

came across this post while looking for something else, but i figured i'd post because i fixed this about a month or so ago. here is what my "connector" section looks like in my server.xml file:

<Connector URIEncoding="UTF-8" clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" maxPostSize="8388608" keystoreFile="/Library/JSS/Tomcat/certs/keystore.pkcs12" keystorePass="XXXXXXXXXX" keystoreType="PKCS12" />

i pasted the whole thing here for context, but the part to pay attention to is the "ciphers" section. i did a bunch of research on securing tomcat, and basically this list is ordered by most secure --> least secure (it's' called perfect forward secrecy), so that browsers will connect in the most secure method they can. the website i used for reference is: https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/.

hope it helps!

wally

Like
SOLVED Posted: 10/25/15 at 12:22 PM by donmontalvo

@wallstrum we went with JAMF's published string, and added Java 6 string, since we have it in our environment, and so far so good. Curious whether it matters that your string is missing stuff JAMF published in theirs? Theirs is on the left, yours is on the right:

Like
SOLVED Posted: 11/24/15 at 11:02 AM by Olivier

May I suggest to Jamf to also upgrade SelfService app to support TLS1.2...to support GCM-based suites, that are recommended in this article?

There is no security impact, as communication is later passed to "jamf" local binary that seems to use TLS1.2 when an item is downloaded/installed, but it is just for "harmonizing stuff" :-))).

Like
SOLVED Posted: 2/4/16 at 12:02 PM by EdTechChris

I've been having some ugly issues with Self Service not connecting. This seemed to fix it.

Like
SOLVED Posted: 2/17/16 at 2:43 AM by bentoms

Please update this article advising that the cipher TLS_RSA_WITH_AES_128_CBC_SHA is needed for 10.8 clients, as per this.

Like
SOLVED Posted: 10/28/16 at 4:02 PM by andykang

On RHEL7.1 with OpenJDK 1.8.0 and JSS v9.96. I had to add "TLS_RSA_WITH_AES_128_CBC_SHA" to get Tomcat working as well. iOS Self Service is not working however...I'm thinking it has to do with OpenJDK only working with the "TLS_RSA_WITH_AES_128_CBC_SHA" cipher.

Like
SOLVED Posted: Yesterday at 3:04 PM by martin

Please update ciphers, article was last modified in 2015.

Like