Since we are using spring boot with an embedded tomcat server, so there is no Apache.
How to enable strong Ciphersonly and disallow all the weak Ciphers.
For Apache, modify the SSLCipherSuite directive in the httpd.conf.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
But how to do this in spring boot?
In Spring you usually use the property server.ssl.ciphers for this, e.g.
server.ssl.ciphers=HIGH,MEDIUM,!MD5,!RC4
For embedded Tomcat you might need to do some customization as shown in How to set HTTPS SSL Cipher Suite Preference in Spring boot embedded tomcat
Related
Recently there has been an exploit on Apache Jserv Protocol (AJP) for webapps running in Tomcat.
The quickest way to mitigate that risk is to disable that protocol if not in use. I would like to know how to disable Apache Jserv Protocol (AJP) on Springboot web application through application.properties or any other configurable method. I've looked for it on Springboot documention and other sources but could not find how to do it.
Thanks!
I'm searching about how to harden embedded tomcat according to CIS security Benchmark, how I can configure CATALINAHOME, BASE, and how can I configure the security manager with polices.
I did not find a flexible way to configure the embedded tomcat as stand-alone tomcat.
Any help regarding the customized of the embedded tomcat rather than the limited configuration in the applicaiton.properties .
I have a spring boot application running on SSL programmatically using TomcatServletWebServerFactory where we set the following from configuration file:
proto.setSSLCertificateKeyFile(classLoader.getResource(certificateKeyFile).getPath());
proto.setSSLCertificateFile(classLoader.getResource(certificateFile).getPath());
proto.setSSLCertificateChainFile(classLoader.getResource(certificateChainFile).getPath());
However, i would like to enable on SSL on the actuator endpoint too. I found online that we do this using the following in application.properties:
management.server.ssl.enabled=true
management.server.ssl.key-store=
management.server.ssl.key-password=
This is not working in my case as i need to reuse the above certificate. If i add an additional connector to TomcatServletWebServerFactory programmatically, it throws an error as already bind port as if actuator have different tomcat connector. How can i programmatically enable SSL on actuator while providing the certificate files as above?
I ended up removing my programmed configuration and used the following:
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:name.pfx
server.ssl.key-store-password=password
without using SSL of actuator: management.server.ssl.xxx configuration
Without SSL the following configurations to configure acceptors and selectors work fine.
server.jetty.acceptors=4
server.jetty.selectors=32
But when I enable SSL , then this configuration for Jetty in Spring Boot doesnt work. Tried using
jetty.ssl.acceptors=4
jetty.ssl.selectors=32
I am using Spring Boot with Embedded Jetty. Everytime it runs it configures 1 Acceptor in SSL mode. Any help is appreciated.
I'm developing a webapplication with Spring-boot using embedded tomcat.
One of the requirements of this app is 2-way SSL (clientAuth).
Enabling ClientAuth is easy enough however we also like to use spring-boot Actuator for management of the app on a different port without clientAuth.
Is there is a clean way to do this?
(Disabling SSL on the actuator endpoints would also be enough)
According to latest spring docs, you can use
management.server.port=8080
management.server.ssl.enabled=false
in the properties to configure the management ports. see production-ready-management-specific-ssl in the spring boot doc for more options.