Buy from the highest-rated provider   Buy DigiCert Certificate x

How to Disable Weak Ciphers and SSL 2.0 in Tomcat

In order for merchants to handle credit cards, the Payment Card Industry Data Security Standard (PCI-DSS) requires web sites to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.” That means you must use SSL on your web site if your visitors are transferring their credit card numbers to your server. You also need to disable weak ciphers or you will fail a PCI compliance scan.

Tomcat has several weak ciphers enabled by default. If you have a Tomcat server (version 4.1.32 or later), you can disable SSL 2.0 and disable weak ciphers by following these instructions. First, verify that you have weak ciphers or SSL 2.0 enabled. You can do this using an OpenSSL command or by just entering your public domain name at

Next, open your server.xml file add the following to your SSL connector:


For example, the completed connector would look like this:

<connector port="443" maxhttpheadersize="8192" address="" enablelookups="false" disableuploadtimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" keystoreFile="mydomain.key" keystorePass="password" truststoreFile="mytruststore.truststore" truststorePass="password"/>;

More resources:

Originally posted on Sat Dec 11, 2010



If you are trying to disable a specific SSL or TLS version in Tomcat 6 and you are unable to do so using “sslEnabledProtocols”, check your version of Tomcat 6. Tomcat versions older than 6.0.38 should use “sslProtocols” not “sslEnabledProtocols” or “sslProtocol”. I found it unnecessary to specify “sslProtocol” or “sslEnabledProtocols” with “sslProtocols”. Using “sslProtocols” by itself resolved my problem.

I hope this helps!


Your article is usefull for me, thanks. In the example i see SSL, but in the first code snippet there is are SSLv3. Think, this is typo - SSLv3 is working for me.


Be careful when using these instructions, since some of the quotation marks in the solution are the wrong characters.


should be

Notice the difference in the slant on the quotes. I recommend deleting quotes and retyping them manually.


We tested these ciphers against SSL Labs' "SSL Server Test" tool ( According to the results, the following ciphers are weak, resulting in a "C" grade.


We removed those two ciphers, and moved up to a "B" grade.

The remaining issue is vulnerability to the "BEAST" attack, which is not possible to mitigate with the Java SSL implementation.

Our final connector tag looks like this:

<connector protocol="HTTP/1.1" scheme="https" secure="true" uriencoding="UTF-8" address="" compressablemimetype="text/html,text/xml,application/json" compression="on" maxthreads="150" nocompressionuseragents="gozilla, traviata" port="443" sslenabled="true" sslprotocol="SSLv3" clientauth="false" keystorefile="/opt/rio/keystore.jks" keystorepass="%yay%ssl5" keyalias="privatekey" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>



how can I disable Cipher Suites like "secp160k1 (161 bits)" , "P-192 (prime192v1) (192 bits)", "B-163 (sect163r2) (163 bits)"


Thanks for pointing that out, Alex. I fixed the quotes.

Gang LI(2014-12-13)

How to Disable SSL 3.0 in Tomcat?


In 2014, specified in this article SSL Weak Ciphers is obsolete
You need use

To use the 256 bit AES ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files. However, 128 bit encryption should be enough for daily use.


Just using sslProtocol="TLS" along with the cipher list in this article does not appear to disable SSL 3.0 in Tomcat 6. At least not according to checks at https://ssltools.websecurit... and


The Tomcat6 documentation does indeed state that one has to use the sslEnabledProtcols attribute of the Connector tag to define protocols that will be used.

Unfortunately SSL3 is not disabled in Tomcat6 - or at least Symantec's test site says it is not - when protocols are defined as "TLSv1,TLSv1.1,TLSv1.2" That is as it "should be" according to Oracle's documentation.

Restricting the ciphers as suggested is definitely a good idea but does not in and of itself disable SSL v3 and in fact, again trusting Symantec, using only the suggested ciphers does not stop SSL v3.


Digging deeper into Tomcat6 docs suggests that when running with Java SE6 the "TLSv1,TLSv1.1" protocols are supported if the SSL provider is JSSE and if using Java SE7 or later TLSV1.2 is supported too. That can be confirmed at

Unfortunately, all that digging also reveals that all variants of TLSv1* also allow SSL v3.

Default Admin User(2014-12-13)

Thanks, Anders. I updated the connector with that information.

Default Admin User(2014-12-13)

Thanks, Steve. I found something else but I don't have a machine to test it on. Can you verify that adding sslProtocols="TLSv1,TLSv1.1,TLSv1.2" works?


Using Tomcat 7, we disabled SSLv3 (and weak ciphers) using the following connector params:



Note that using sslProtocols parameter did NOT work for us.


For those of you on Tomcat 6, just substitute "sslEnabledProtocols" parameter with "sslProtocols", such as:





You should just need to update the "sslProtocol" to use "TLS" instead of "SSL". I have updated the instructions to reflect this.


Thanks for this. I was able to solve the "Server has a weak ephemeral Diffie-Helman public key" error in Chrome by updating the ciphers. (although I didn't enable the ones you have here)


Worked like charm!! Thanks a ton!!