RE: Problem enabling SSLv3 in Tomcat 8.5.15
> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?
> (This feature is critical for our product and is needed ASAP.)

Releases are typically monthly. We've had a patch of regressions in releases which has delayed things for the July release. The August release vote passed yesterday and I expect to be making the formal announcement later today.

Mark

--

Thanks Mark,

FYI, I've tested and verified SSLv3 works in Tomcat 8.5.20. I'm a happy camper. :)

Marc

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem enabling SSLv3 in Tomcat 8.5.15
> Hi Mark,
>
> When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled?
> (This feature is critical for our product and is needed ASAP.)

Releases are typically monthly. We've had a patch of regressions in releases which has delayed things for the July release. The August release vote passed yesterday and I expect to be making the formal announcement later today.

Mark
RE: Problem enabling SSLv3 in Tomcat 8.5.15
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday, June 21, 2017 2:31 PM
To: Tomcat Users List
Subject: Re: Problem enabling SSLv3 in Tomcat 8.5.15

On 21/06/17 19:04, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.
>
> Mark
> --
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark

--

Hi Mark,

When can we expect a Tomcat 8.5.x release with SSLv3 support re-enabled? (This feature is critical for our product and is needed ASAP.)

Thank you,
Marc
RE: Problem enabling SSLv3 in Tomcat 8.5.15
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.
>
> Mark
> --
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark

That is great news, thank you Mark!
Re: Problem enabling SSLv3 in Tomcat 8.5.15
On 21/06/17 19:04, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.
>
> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.
>
> Mark
> --
>
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

SSLv3 will be available (not by default and using it will result in a warning in the logs) from 9.0.0.M23 and 8.5.17 onwards (i.e. not the releases currently in progress but the next ones in around a month's time).

Mark
RE: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/21/17 3:30 PM, Marc Dorsa wrote:
> Marc,
>
> On 6/21/17 2:04 PM, Marc Dorsa wrote:
>> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(
>
> http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat
>
> ?
>
> -chris
>
> Hi Chris,
>
> Very funny :) , however, the articles out there on the Web re: this issue (stackoverflow, etc.), including the Tomcat 8.5 docs, all suggest fairly simple steps to enable SSLv3 in Tomcat (after first enabling it in the Java 8 JVM). I didn't see any information or comments stating that SSLv3 was permanently *disabled* starting with Tomcat 8.5 (as Mark Thomas just suggested). If you believe what I just stated is not correct, please clue me in!

You're right, but, prior to the 8.5 release, the instructions were straightforward. Having tried them and finding it not working, you could have come directly to the users@ mailing list and asked your question. As you see, we are fairly responsive around here :)

(I'll update my answer on SO to indicate that 8.5 and 9.0 are a little different right now.)

-chris

Yes indeed. :)
Re: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/21/17 3:30 PM, Marc Dorsa wrote:
> Marc,
>
> On 6/21/17 2:04 PM, Marc Dorsa wrote:
>> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(
>
> http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat
>
> ?
>
> -chris
>
> Hi Chris,
>
> Very funny :) , however, the articles out there on the Web re: this issue (stackoverflow, etc.), including the Tomcat 8.5 docs, all suggest fairly simple steps to enable SSLv3 in Tomcat (after first enabling it in the Java 8 JVM). I didn't see any information or comments stating that SSLv3 was permanently *disabled* starting with Tomcat 8.5 (as Mark Thomas just suggested). If you believe what I just stated is not correct, please clue me in!

You're right, but, prior to the 8.5 release, the instructions were straightforward. Having tried them and finding it not working, you could have come directly to the users@ mailing list and asked your question. As you see, we are fairly responsive around here :)

(I'll update my answer on SO to indicate that 8.5 and 9.0 are a little different right now.)

-chris
RE: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/21/17 2:04 PM, Marc Dorsa wrote:
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat

?

-chris

-

Hi Chris,

Very funny :) , however, the articles out there on the Web re: this issue (stackoverflow, etc.), including the Tomcat 8.5 docs, all suggest fairly simple steps to enable SSLv3 in Tomcat (after first enabling it in the Java 8 JVM). I didn't see any information or comments stating that SSLv3 was permanently *disabled* starting with Tomcat 8.5 (as Mark Thomas just suggested). If you believe what I just stated is not correct, please clue me in!

Thanks,
Marc
Re: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/21/17 2:04 PM, Marc Dorsa wrote:
> Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

http://lmgtfy.com/?q=how+to+enable+sslv3+in+tomcat

?

-chris
RE: Problem enabling SSLv3 in Tomcat 8.5.15
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!

8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

The docs need to be updated to reflect that. Also the migration guide.

I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.

A warning is logged during start-up that an unsupported protocol has been requested.

Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.

Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.

I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.

Mark

--

Thank you Mark for clarifying that SSLv3 is *not* supported (at all) in Tomcat 8.5+. Wow, if only I had known that (via the Tomcat docs), I could have saved days of research and experimentation. :-(

Marc
Re: Problem enabling SSLv3 in Tomcat 8.5.15
Mark,

On 6/21/17 5:04 AM, Mark Thomas wrote:
> On 21/06/17 00:34, Marc Dorsa wrote:
>> Hi Tomcat Users,
>>
>> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>>
>> Thank you in advance for any help offered!
>
> 8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

It's maybe worth noting that no shipped version of Sun/Oracle Java has ever implemented SSLv2, but I believe some 3rd-party libraries have/can support parts of that standard... mostly for probing to see if it's enabled. Nobody should have been building OpenSSL with SSLv2 in it for ... decades, now. But specific code to always disable SSLv2 is a Good Thing.

> The docs need to be updated to reflect that. Also the migration guide.
>
> I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.
>
> A warning is logged during start-up that an unsupported protocol has been requested.
>
> Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.
>
> Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.
>
> I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.

+1

Re-enabling SSLv3 with a current JVM requires a system property to be set, anyway, so there are two barriers to re-enabling SSLv3 on a current setup. I think it's reasonable to allow people who are willing to manually re-enable SSLv3 to go ahead and have their insecure service. :/

-chris
Re: Problem enabling SSLv3 in Tomcat 8.5.15
On 21/06/17 00:34, Marc Dorsa wrote:
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!

8.5.x and 9.0.x are hard-coded not to allow SSLv2 or SSLv3.

The docs need to be updated to reflect that. Also the migration guide.

I've done some svn archaeology and this change was introduced during the refactoring that added support for SNI, ALPN and multiple certificates. Originally, the removal of SSLv2 and SSLv3 was only for the default protocols (as it currently is in 8.0.x and earlier). During the refactoring, the filtering effectively switched to applying to the supported protocols.

A warning is logged during start-up that an unsupported protocol has been requested.

Tomcat 8.0.x and 7.0.x will continue to support SSLv3 assuming the JVM used also supports it.

Given the inherent insecurities in SSLv3, I don't like the message re-enabling sends. On the other hand, it drives me mad when software blocks something because it thinks it knows best rather than letting me judge the risk and make the decision for myself.

I'm therefore leaning towards allowing SSLv3 to be requested but logging a clear warning if it is.

Mark
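Mark's point above is that Tomcat 8.5.x/9.0.x filters SSLv3 out of the supported protocol list and only logs a warning, so the server.xml looks right while the listener silently speaks TLS only. Marc verified the actual behaviour with cipherscan's protocols column; the script below is an added example (not cipherscan, not Tomcat code, not posted in the thread) that performs the same check with a hand-built ClientHello so the negotiation itself is visible. It offers one protocol version at a time and reports whether the server answers with a ServerHello for that version, with an alert, or by closing the connection. The cipher-suite list is copied from the server.xml quoted in the thread; the host name, the port, the alert names shown and the sample responses used in the docstring are assumptions or constructed data, and only the first record the server returns is examined.

```python
"""Protocol-version probe: one hand-built ClientHello per SSL/TLS version.

Added example for this thread; not cipherscan and not Tomcat code.
Only the first record the server sends back is examined.
"""
import os
import socket
import struct
import sys

# Version values as they appear on the wire (RFC 6101 for SSLv3, RFC 5246 for TLS).
VERSIONS = {
    "SSLv3": 0x0300,
    "TLSv1": 0x0301,
    "TLSv1.1": 0x0302,
    "TLSv1.2": 0x0303,
}

# IANA code points for the suites listed in the server.xml quoted in the thread.
CIPHER_SUITES = [
    0x0005,  # SSL_RSA_WITH_RC4_128_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0032,  # TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    0x000A,  # SSL_RSA_WITH_3DES_EDE_CBC_SHA
    0x0016,  # SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    0x0013,  # SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    0x0009,  # SSL_RSA_WITH_DES_CBC_SHA
    0x0015,  # SSL_DHE_RSA_WITH_DES_CBC_SHA
]

# Alert descriptions a version probe is likely to see (subset of the registry).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version, random_bytes=None):
    """Return one handshake record carrying a ClientHello for `version` (no extensions)."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", version)                  # client_version
        + random_bytes                              # 32-byte client random
        + b"\x00"                                   # session_id: empty
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # compression_methods: null only
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), record-layer version, 16-bit length.
    # SSLv3 probes use 0x0300 here; TLS probes are capped at TLSv1 for compatibility.
    record_version = min(version, 0x0301)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def classify_response(data, requested):
    """Interpret the first record the server returned for a ClientHello of `requested`."""
    if not data:
        return "closed"                  # server hung up without sending an alert
    if len(data) < 5:
        return "malformed"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                      # Alert: level, description
        return "alert:" + ALERT_NAMES.get(data[6], str(data[6]))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake: ServerHello
        server_version = struct.unpack("!H", data[9:11])[0]           # server_version field
        if server_version == requested:
            return "accepted"
        return "downgraded:0x%04x" % server_version
    return "unexpected:0x%02x" % content_type


def probe(host, port, name, timeout=5.0):
    """Offer exactly one protocol version to host:port and classify the reply."""
    version = VERSIONS[name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data, version)


def scan(host, port):
    """Probe every version in VERSIONS; the rough equivalent of cipherscan's protocols column."""
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "MyHostName"  # placeholder host from the thread
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for proto, result in scan(target, target_port).items():
        print("%-8s %s" % (proto, result))
```

Run it as `python3 probe.py MyHostName 443`. Against the 8.5.15 configuration in the thread SSLv3 is expected to come back as an alert or `closed` while the TLS versions are `accepted`; against 8.5.17 or later with SSLv3 listed in `protocols` and enabled in the JVM, SSLv3 should be `accepted` too. A JSSE server that rejects a version may close the socket without sending an alert, which is why `closed` is reported as its own outcome rather than an error.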
RE: Problem enabling SSLv3 in Tomcat 8.5.15
On 6/20/2017 4:34 PM, Marc Dorsa wrote:
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!
> Marc
>
> --
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> shutdown="SHUTDOWN">
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="66"
> disableUploadTimeout="true" />
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="66"
> disableUploadTimeout="true" server=" "
> ciphers="SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/etc/.keystore"
> unpackWARs="true" autoDeploy="true">
> className="org.apache.naming.resources.FileDirContext" allowLinking="true"
> docBase="" />
>
> Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols                    pfs_keysize
> 1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
>
> --
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:
> shutdown="SHUTDOWN">
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="66"
> disableUploadTimeout="true" />
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="66"
> disableUploadTimeout="true" server=" ">
> ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA">
> certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
> unpackWARs="true" autoDeploy="true">
>
> Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols              pfs_keysize
> 1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
>
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-80"]
> Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
> Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
> WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
> ..

I've not done this so I'm sure that someone will quickly correct me if I'm wrong.

I'm basing my answer from the following mailing list thread: http://marc.info/?t=14933046478&r=1&w=2

It seems from the logs that you are using the https-jsse-nio connector. It appears that you should list all of your desired protocols with a plus separating them (and no comma). Something like this (if I'm reading Mark Thomas's answer
Re: Problem enabling SSLv3 in Tomcat 8.5.15
Marc,

On 6/20/2017 4:34 PM, Marc Dorsa wrote:
> Hi Tomcat Users,
>
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on a custom Linux distribution based on Centos 7, and we're running Java 1.8.0_131. Note that I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig element to include "SSLv3" should do the job.
>
> Thank you in advance for any help offered!
> Marc
>
> --
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="66"
> disableUploadTimeout="true" />
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="66"
> disableUploadTimeout="true" server=" "
> ciphers="SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/etc/.keystore"
> unpackWARs="true" autoDeploy="true">
> className="org.apache.naming.resources.FileDirContext" allowLinking="true"
> docBase="" />
>
> Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols                    pfs_keysize
> 1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
>
> --
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:
> redirectPort="443" server=" "
> acceptCount="100" connectionTimeout="66"
> disableUploadTimeout="true" />
> enableLookups="false" acceptCount="100"
> scheme="https" secure="true" connectionTimeout="66"
> disableUploadTimeout="true" server=" ">
> ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA">
> certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
> unpackWARs="true" autoDeploy="true">
>
> Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio  ciphersuite           protocols              pfs_keysize
> 1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
>
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-80"]
> Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
> Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
> WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[SSLv3]]
> ..

I've not done this so I'm sure that someone will quickly correct me if I'm wrong.

I'm basing my answer from the following mailing list thread: http://marc.info/?t=14933046478&r=1&w=2

It seems from the logs that you are using the https-jsse-nio connector. It appears that you should list all of your desired protocols with a plus separating them (and no comma). Something like this (if I'm reading Mark Thomas's answer correctly):

protocols="+SSLv3+TLSv