Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 13/07/2021 11:03, jean-frederic clere wrote: On 09/07/2021 18:40, Rainer Jung wrote: Hi Jean-Frederic, how do you make sure, that your tests actually land in the correct SSLHost? You are using the same server certificate, so a check on the client side might not be easy. I would find a test more convincing, if the three TLS hosts would use three different certificates and you could check on the TLS client, that it actually gets the right server certificate. Yes I have retested with 3 different certificates localhost gets the localhost certificate and the TLSv1.1 protocol server1 gets the server1 certificate but the TLSv1.1 protocol server2 gets the server2 certificate but the TLSv1.1 protocol... Use nio/nio2 the protocol is the expected one. https://github.com/apache/tomcat-native/pull/10 the fix for it. Best regards, Rainer Am 09.07.2021 um 15:33 schrieb jean-frederic clere: On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 18:40, Rainer Jung wrote: Hi Jean-Frederic, how do you make sure, that your tests actually land in the correct SSLHost? You are using the same server certificate, so a check on the client side might not be easy. I would find a test more convincing, if the three TLS hosts would use three different certificates and you could check on the TLS client, that it actually gets the right server certificate. Yes I have retested with 3 different certificates localhost gets the localhost certificate and the TLSv1.1 protocol server1 gets the server1 certificate but the TLSv1.1 protocol server2 gets the server2 certificate but the TLSv1.1 protocol... Use nio/nio2 the protocol is the expected one. Best regards, Rainer Am 09.07.2021 um 15:33 schrieb jean-frederic clere: On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
Hi Jean-Frederic, how do you make sure, that your tests actually land in the correct SSLHost? You are using the same server certificate, so a check on the client side might not be easy. I would find a test more convincing, if the three TLS hosts would use three different certificates and you could check on the TLS client, that it actually gets the right server certificate. Best regards, Rainer Am 09.07.2021 um 15:33 schrieb jean-frederic clere: On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 15:15, Christopher Schultz wrote: Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and .../> are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? Yes that is what I am testing, actually Nio and Nio2 are working Apr isn't... The configuration is something like: +++ +++ and I have the 3 corresponding -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
Jean-Ferderic, On 7/9/21 07:55, jean-frederic clere wrote: On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Can you post a sample config? I assume you mean: 1. Define two , configure for TLS a. One attempting to use e.g. only TLSv1 b. One attempting to use e.g. only TLSv1.2 2. Run a protocol-checker against both hosts Result is that host (a) supports not-only TLSv1 and/or host (b) supports not-only TLSv1.2? -chris - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 12:38, Mark Thomas wrote: On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. Yes. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and are likely to be required as the are configured separately. Quick test and code review seems to show it is not working (I tested the apr connector and 9.0.x). Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
On 09/07/2021 11:08, jean-frederic clere wrote: Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) To clarify, you mean checking Tomcat can (and implementing if it can't) the ability to configure supported SSL protocols per virtual host. We should have most of this in SSLHostConfig but I don't recall ever testing this behaviour specifically. Just as a reminder, both elements and are likely to be required as the are configured separately. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat
Hi, I think we need the same fix in tomcat or I missed something? If we need it I will work on it next week ;-) -- Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org