RE: Problem enabling SSLv3 in Tomcat 8.5.15
> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?
> (This feature is critical for our product and is needed ASAP.)

Releases are typically monthly. We've had a patch of regressions in releases which has delayed things for the July release. The August release vote passed yesterday and I expect to be making the formal announcement later today.

Mark

--

Thanks Mark, FYI, I've tested and verified SSLv3 works in Tomcat 8.5.20. I'm a happy camper. :)

Marc

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Problem enabling SSLv3 in Tomcat 8.5.15
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, June 21, 2017 2:31 PM
To: Tomcat Users List
Subject: Re: Problem enabling SSLv3 in Tomcat 8.5.15

On 21/06/17 19:04, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
>> 3rd-party component of our product requires SSLv3 and there's no getting
>> around it!) Our Tomcat is running on a custom Linux distribution based on
>> Centos 7, and we're running Java 1.8.0_131. Note that I've already (and
>> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is
>> correctly enabled when running our existing Tomcat 7.0.47. My guess is that
>> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat
>> documentation
>> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I
>> read it, seems to say that simply setting the "protocols" attribute of the
>> SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during
> the refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather than letting
> me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but
> logging a clear warning if it is.
>
> Mark
> --
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all)
> in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs),
> I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark

--

Hi Mark,

When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled? (This feature is critical for our product and is needed ASAP.)

Thank you,
Marc
RE: Problem enabling SSLv3 in Tomcat 8.5.15
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
>> 3rd-party component of our product requires SSLv3 and there's no getting
>> around it!) Our Tomcat is running on a custom Linux distribution based on
>> Centos 7, and we're running Java 1.8.0_131. Note that I've already (and
>> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is
>> correctly enabled when running our existing Tomcat 7.0.47. My guess is that
>> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat
>> documentation
>> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I
>> read it, seems to say that simply setting the "protocols" attribute of the
>> SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during
> the refactoring that added support for SNI, ALPN and multiple certificates.
> Originally, the removal of SSLv2 and SSLv3 was only for the default
> protocols (as it currently is in 8.0.x and earlier). During the
> refactoring, the filtering effectively switched to applying to the
> supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has
> been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM
> used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message
> re-enabling sends. On the other hand, it drives me mad when software
> blocks something because it thinks it knows best rather than letting
> me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but
> logging a clear warning if it is.
>
> Mark
> --
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all)
> in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs),
> I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark

That is great news, thank you Mark!
RE: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/21/17 3:30 PM, Marc Dorsa wrote:
> Marc,
>
> On 6/21/17 2:04 PM, Marc Dorsa wrote:
>> Thank you Mark for clarifying that SSLv3 is *not* supported (at
>> all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat
>> docs), I could have saved days of research and experimentation. :-(
>
> http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat
>
> ?
>
> -chris
> -
>
> Hi Chris,
>
> Very funny :) , however, the articles out there on the Web re:
> this issue (stackoverflow, etc.), including the Tomcat 8.5 docs,
> all suggest fairly simple steps to enable SSLv3 in Tomcat (after
> first enabling it in the Java 8 JVM). I didn't see any information
> or comments stating that SSLv3 was permanently *disabled* starting
> with Tomcat 8.5 (as Mark Thomas just suggested). If you believe
> what I just stated is not correct, please clue me in!

You're right, but, prior to the 8.5 release, the instructions were straightforward. Having tried them and finding it not working, you could have come directly to the users@ mailing list and asked your question. As you see, we are fairly responsive around here :)

(I'll update my answer on SO to indicate that 8.5 and 9.0 are a little different right now.)

-chris

Yes indeed. :)
RE: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/21/17 2:04 PM, Marc Dorsa wrote:
> Thank you Mark for clarifying that SSLv3 is *not* supported (at
> all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat
> docs), I could have saved days of research and experimentation.
> :-(

http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat

?

-chris

-

Hi Chris,

Very funny :) , however, the articles out there on the Web re: this issue (stackoverflow, etc.), including the Tomcat 8.5 docs, all suggest fairly simple steps to enable SSLv3 in Tomcat (after first enabling it in the Java 8 JVM). I didn't see any information or comments stating that SSLv3 was permanently *disabled* starting with Tomcat 8.5 (as Mark Thomas just suggested). If you believe what I just stated is not correct, please clue me in!

Thanks,
Marc
RE: Problem enabling SSLv3 in Tomcat 8.5.15
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
> 3rd-party component of our product requires SSLv3 and there's no getting
> around it!) Our Tomcat is running on a custom Linux distribution based on
> Centos 7, and we're running Java 1.8.0_131. Note that I've already (and
> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is
> correctly enabled when running our existing Tomcat 7.0.47. My guess is that
> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat
> documentation
> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I
> read it, seems to say that simply setting the "protocols" attribute of the
> SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!

8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

The docs need to be updated to reflect that. Also the migration guide.

I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.

A warning is logged during start-up that an unsupported protocol has been requested.

Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.

Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.

I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.

Mark

--

Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

Marc
RE: Problem enabling SSLv3 in Tomcat 8.5.15
On 6/20/2017 4:34 PM, Marc Dorsa wrote:
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A
> 3rd-party component of our product requires SSLv3 and there's no getting
> around it!) Our Tomcat is running on a custom Linux distribution based on
> Centos 7, and we're running Java 1.8.0_131. Note that I've already (and
> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is
> correctly enabled when running our existing Tomcat 7.0.47. My guess is that
> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat
> documentation
> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I
> read it, seems to say that simply setting the "protocols" attribute of the
> SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!
> Marc
>
> --
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> shutdown="SHUTDOWN">
>
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="66"
> disableUploadTimeout="true" />
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="66"
> disableUploadTimeout="true" server=" "
> ciphers="SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/etc/.keystore"
>
> unpackWARs="true" autoDeploy="true">
>
> className="org.apache.naming.resources.FileDirContext" allowLinking="true"
> docBase="" />
>
> Here are the scan results showing that SSLv3 is indeed enabled (and our
> 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols                    pfs_keysize
> 1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
>
> --
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3
> for Tomcat 8.5.15:
> shutdown="SHUTDOWN">
>
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="66"
> disableUploadTimeout="true" />
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="66"
> disableUploadTimeout="true" server=" ">
> ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA">
> certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
>
> unpackWARs="true" autoDeploy="true">
>
> Here are the scan results showing that SSLv3 is *not* enabled (and our
> 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols              pfs_keysize
> 1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
>
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-80"]
> Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
> INFO: Using a shared sel
Problem enabling SSLv3 in Tomcat 8.5.15
Hi Tomcat Users,

I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.

Thank you in advance for any help offered!

Marc

--

Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:

Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):

# ./cipherscan MyHostName:443
prio  ciphersuite           protocols                    pfs_keysize
1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits

--

And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:

Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):

# ./cipherscan MyHostName:443
prio  ciphersuite           protocols              pfs_keysize
1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits

Here is Tomcat's logging at startup (notice the SSLv3 warning):

..
Tomcat started.
-sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-80"]
Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
..
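The thread turns on three separate facts that are easy to conflate: what server.xml asks for, what the running Tomcat build actually enabled (the SSLUtilBase start-up WARNING is the only sign that a requested protocol was dropped), and what is offered on the wire. Below is an added example, written for this page and not code from the thread's authors or from the Tomcat project, that checks all three from artefacts like the ones quoted above and gives a single verdict. The server.xml fragment, log lines and cipherscan output in it are constructed samples shaped like the original post; the attribute names (SSLHostConfig protocols=, Connector sslEnabledProtocols=) and the "+"/"-" token prefixes follow the Tomcat documentation for those attributes, and the keystore password from the post is deliberately left out.

```python
# Added example, not code from the thread's authors or the Tomcat project.
# Three checks for the question the thread circles: is SSLv3 merely requested
# in server.xml, did the running Tomcat refuse it, and is it offered on the wire?
# All sample data is constructed, shaped like the fragments in the original post.
import re
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

# Text of the start-up WARNING quoted in the thread (SSLUtilBase getEnabled).
SKIPPED_RE = re.compile(
    r"Some of the specified \[protocols\] are not supported by the SSL engine "
    r"and have been skipped: \[\[([^\]]*)\]\]"
)

def expand_protocol_list(value):
    """Set of protocol names a Tomcat protocols= list asks for.
    Per the Tomcat 8.5 docs tokens are comma separated, '+' adds and '-' removes;
    'all' is Tomcat's own default set, which (as Mark explains) has excluded
    SSLv2/SSLv3 since 8.0.x, so it contributes nothing to a legacy check."""
    requested = set()
    for tok in re.split(r"[,\s]+", value.strip()):
        if not tok:
            continue
        if tok.startswith("-"):
            requested.discard(tok[1:])
        else:
            requested.add(tok.lstrip("+"))
    requested.discard("all")
    return requested

def legacy_protocols_in_config(server_xml):
    """[(element, attribute, {legacy names})] for every protocol list in
    server.xml naming SSLv2/SSLv3: the 8.5+ <SSLHostConfig protocols=...>
    syntax and the older <Connector sslEnabledProtocols=...> attribute."""
    root = ET.fromstring(server_xml)
    findings = []
    for tag, attr in (("SSLHostConfig", "protocols"), ("Connector", "sslEnabledProtocols")):
        for element in root.iter(tag):
            value = element.get(attr)
            if value is not None:
                hit = expand_protocol_list(value) & LEGACY_PROTOCOLS
                if hit:
                    findings.append((tag, attr, hit))
    return findings

def skipped_protocols(log_text):
    """Protocol names Tomcat reported as skipped in its start-up WARNING."""
    skipped = set()
    for match in SKIPPED_RE.finditer(log_text):
        skipped.update(p.strip() for p in match.group(1).split(",") if p.strip())
    return skipped

def suites_offering(scan_text, protocol):
    """Ciphersuites whose protocols column in cipherscan-style output
    (prio ciphersuite protocols pfs_keysize) includes `protocol`."""
    suites = []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # prompt, header or blank line
        if protocol in parts[2].split(","):
            suites.append(parts[1])
    return suites

def assess(server_xml, log_text, scan_text):
    """One verdict from the three views; what the scan saw wins over config."""
    requested = legacy_protocols_in_config(server_xml)
    live = suites_offering(scan_text, "SSLv3")
    if live:
        return "SSLv3 is offered on the wire by %d suite(s)" % len(live)
    if requested and "SSLv3" in skipped_protocols(log_text):
        return "SSLv3 requested in server.xml but refused by this Tomcat build"
    if requested:
        return "SSLv3 requested in server.xml; not offered and no warning logged"
    return "SSLv3 neither requested nor offered"

# Constructed samples (no real host; keystore password omitted on purpose).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2">
      <Certificate certificateKeystoreFile="/etc/.keystore" certificateKeystoreType="JKS" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""
SAMPLE_LOG = """Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
"""
SAMPLE_SCAN_85 = """# ./cipherscan MyHostName:443
prio  ciphersuite           protocols              pfs_keysize
1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
"""
SAMPLE_SCAN_7 = """prio  ciphersuite           protocols                    pfs_keysize
1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_XML, SAMPLE_LOG, SAMPLE_SCAN_85))  # the 8.5.15 case
    print(assess(SAMPLE_SERVER_XML, "", SAMPLE_SCAN_7))           # the 7.0.47 case
```

Run against the 8.5.15 samples the verdict is "requested but refused", which is exactly the state Marc was in: the config asked for SSLv3, the WARNING said it was skipped, and the scan confirmed only TLS was offered. The scan result is deliberately given the last word, because a config audit alone cannot tell an 8.5.15 listener (SSLv3 silently dropped) from an 8.5.17+ one (SSLv3 honoured with a warning); only the running server's log and an external probe settle that.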