setting security level to OWASP Cipher String 'A' 05/82405/2
authorBartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
Fri, 15 Mar 2019 09:19:43 +0000 (10:19 +0100)
committerBartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
Mon, 18 Mar 2019 08:00:37 +0000 (09:00 +0100)
Change-Id: I08562d62fbed8e490f6c9211aa2f1564246e713a
Issue-ID: VID-444
Signed-off-by: Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com>
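--- a/epsdk-app-onap/src/main/resources/server.xml
+++ b/epsdk-app-onap/src/main/resources/server.xml
 
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
-      clientAuth="false" sslProtocol="TLS" keyAlias="${vid.keyalias}"
+      clientAuth="false" sslProtocol="TLSv1.2" keyAlias="${vid.keyalias}"
       keystoreFile="${vid.keystore.filename}" keystorePass="${vid.keystore.password}"
       useServerCipherSuitesOrder="true"
-      ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
-                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
-                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
-                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
-                TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
-                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
-                TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
-                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
-                TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
-                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-                TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-                TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-                TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
-                TLS_ECDH_RSA_WITH_RC4_128_SHA,
-                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+      ciphers=" TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+                TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-                TLS_RSA_WITH_AES_256_GCM_SHA384,
-                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
-                TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
-                TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-                TLS_RSA_WITH_AES_128_GCM_SHA256,
-                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
-                TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-                TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
-                TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
-                TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-                TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
-                TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
-                TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
+                TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+                TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
     />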
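Review bot: Changing `sslProtocol="TLS"` to `sslProtocol="TLSv1.2"` on the Connector does not by itself restrict which TLS versions clients can negotiate; on a JSSE connector that attribute names the SSLContext algorithm, and the protocols actually offered on the socket are governed by `sslEnabledProtocols`, so TLSv1.0/1.1 may remain negotiable depending on the JVM's defaults. To enforce the version the commit title implies, add `sslEnabledProtocols="TLSv1.2"` next to the `sslProtocol` attribute and confirm with a handshake test against the running server. Separately, the new `ciphers` value begins with a space after the opening quote (`ciphers=" TLS_DHE_RSA_...`); the old value started flush against the quote, and while Tomcat appears to tolerate the surrounding newlines already present in the list, the leading space is presumably trimmed as well — verify that the first suite is still recognised rather than silently dropped, since `useServerCipherSuitesOrder="true"` makes it the preferred one. The Connector element is contained entirely within this hunk.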