Saturday, October 7, 2017

Configure ciphers in WSO2 Servers to establish secure connections.

Cipher suites are the encryption algorithms used to establish secure communication between a host and a client. Cipher suites can be classified into different categories based on the level of security they provide: some ciphers provide better security than others. So sometimes you will need to customize the ciphers your server supports in order to establish a more secure connection.

These supported ciphers can be configured on any WSO2 server. To test the supported ciphers, first download TestSSLServer.jar from http://www.bolet.org/TestSSLServer/TestSSLServer.jar. It is a command-line tool which contacts an SSL/TLS server and provides information on the supported protocols and supported cipher suites.

Then start a WSO2 server; by default the server listens on port 9443.

Go to the TestSSLServer.jar location from the command line and list the supported protocols and ciphers with this command.
java -jar TestSSLServer.jar localhost 9443

Then you can see a list like this.

Then shut down the server again, go to the <product-home>/repository/conf/tomcat folder and open catalina-server.xml. Find the connector configuration that carries the SSL/TLS settings. Add another attribute, ciphers, and give the preferred cipher list as a comma-separated value.

EX:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           bindOnInit="false"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

Here I have given only two ciphers.

Then start the server again and list the supported protocols and ciphers. You will see that only the given ciphers are supported by the server.

The server will accept requests from clients that support these protocols and ciphers. If a client does not support any of the configured sslEnabledProtocols or ciphers, the server will not establish a secure client/server connection with it.
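As an added example (not from this post or from WSO2), here is a small Python check that audits the ciphers and sslEnabledProtocols attributes of the TLS Connector in a catalina-server.xml before you restart the server. The sample XML is constructed from the snippet above, and the weak-suite markers and deprecated-protocol list are an assumed policy, not WSO2's.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector excerpt in the post (not a real catalina-server.xml).
SAMPLE_CATALINA_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443"
               bindOnInit="false"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""

# Assumed policy: substrings that mark a suite as broken or obsolete.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "anon")
# Assumed policy: protocol versions a current deployment should not enable.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def split_list(value):
    """Split a comma-separated attribute value, dropping whitespace and empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_connector(connector):
    """Classify one <Connector>: weak suites, CBC suites, deprecated protocols, missing list."""
    findings = {"weak": [], "cbc": [], "deprecated_protocols": [], "missing_ciphers": False}
    ciphers_attr = connector.get("ciphers")
    if ciphers_attr is None:
        # No explicit list: the JVM defaults decide, which may include suites you do not want.
        findings["missing_ciphers"] = True
    else:
        for suite in split_list(ciphers_attr):
            if any(marker in suite for marker in WEAK_MARKERS):
                findings["weak"].append(suite)
            elif "_CBC_" in suite:
                # CBC + HMAC suites are weaker than AEAD (GCM) suites; worth reviewing.
                findings["cbc"].append(suite)
    for proto in split_list(connector.get("sslEnabledProtocols", "")):
        if proto in DEPRECATED_PROTOCOLS:
            findings["deprecated_protocols"].append(proto)
    return findings


def audit_tls_connectors(xml_text):
    """Audit every Connector that declares sslEnabledProtocols, keyed by its port."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): check_connector(c)
            for c in root.iter("Connector") if c.get("sslEnabledProtocols")}


if __name__ == "__main__":
    for port, findings in audit_tls_connectors(SAMPLE_CATALINA_XML).items():
        print(port, findings)
```

Run against the post's own snippet it reports no weak suites, one CBC suite to review, and TLSv1 and TLSv1.1 as deprecated protocols still enabled.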
