Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
On 19/07/2020 13:55, Christopher Schultz wrote: > Mark, > > On 7/18/20 10:01, Mark Thomas wrote: >> On 17/07/2020 21:47, James H. H. Lampert wrote: >>> Running two connectors seems to work just fine, but I'm having >>> trouble getting one of them to only take TLS 1.2 >>> >>> In reply to my query: >>> > Given all this, is it possible to (1) have Tomcat listen on > two separate HTTPS ports, and (2) have one of the ports > require TLS 1.2, but the other accept something our AS/400 > can use? >>> >>> On 7/17/20 10:03 AM, Mark Thomas wrote: >>> Yes. You need two Connector elements specifying different ports and different protocols. They should be able to use the same certificate configuration. >>> >>> I just ran a test on our development Amazon EC2 instance, and >>> verified that I could listen on two different ports (existing >>> 8443 and now 7443), and I limited (or so I thought) 8443 (to >>> which I have 443 rerouted through iptables) to TLS 1.2. >>> >>> Except that SSLLabs tells me it's still accepting TLS 1.0 and >>> 1.1! >>> >>> I commented out the connector for 8443 and restarted Tomcat, but >>> it's still giving the same report from SSLLabs. >>> >>> The connector for 8443 in server.xml looks like this (lines >>> truncated): >>> protocol="org.apache.coyote.http1$ compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$ maxThreads="1000" socket.appReadBufSize="1024" socket.app$ keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$ clientAuth="false" sslProtocol="TLSv1.2" /> >>> >>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the >>> Tomcat 7 installation on our most security-conscious customer's >>> AS/400; this Tomcat is 8.5. Am I specifying it wrong? > >> I should probably remind myself why this is the way this is. > >> You want: > >> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" > >> And to answer my question above, because that is the way the JSSE >> API has been written. > > We should probably just merge these into a single attribute and "do > the right thing": > > 1. If not specified, do nothing unusual > 2. If the value includes a ",", use it for sslEnabledProtocols, use > "TLS" as sslProtocol > 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols Seems reasonable. > Practically speaking, the only useful value for sslProtocol today is > "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict > sslEnabledProtocols to TLSv1.2 but using the same value for both has > the same effect, of course. > > In the future, if anything other than "TLS" makes sense for > sslProtocol, we can change Tomcat to support that. > > We should also probably have SSLEnabled="true" be the default if any > TLS-related configuration option is used on a connector. That might catch a few folks by surprise but it does seem reasonable. I think there is scope in Tomcat 10 to clean up the TLS configuration a little more. We have a couple of months until Jakarta EE 9 is released so there is time to improve this. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
Mark Thomas and Christopher Schultz wrote: You want: sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" And to answer my question above, because that is the way the JSSE API has been written. We should probably just merge these into a single attribute and "do the right thing": 1. If not specified, do nothing unusual 2. If the value includes a ",", use it for sslEnabledProtocols, use "TLS" as sslProtocol 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols Practically speaking, the only useful value for sslProtocol today is "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict sslEnabledProtocols to TLSv1.2 but using the same value for both has the same effect, of course. In the future, if anything other than "TLS" makes sense for sslProtocol, we can change Tomcat to support that. We should also probably have SSLEnabled="true" be the default if any TLS-related configuration option is used on a connector. WDYT? Well, I think (from direct experience) that for Tomcat 7 running on an AS/400, "merge these into a single attribute and 'do the right thing'" *is* how it works, so the entirety of Christopher's suggestion makes perfect sense to me. At any rate, thanks to both of you; it works. Although it does raise the question of whether the observed behavior in Tomcat 7 on an AS/400 is a Tomcat 7 thing or an AS/400 thing. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 7/18/20 10:01, Mark Thomas wrote: > On 17/07/2020 21:47, James H. H. Lampert wrote: >> Running two connectors seems to work just fine, but I'm having >> trouble getting one of them to only take TLS 1.2 >> >> In reply to my query: >> Given all this, is it possible to (1) have Tomcat listen on two separate HTTPS ports, and (2) have one of the ports require TLS 1.2, but the other accept something our AS/400 can use? >> >> On 7/17/20 10:03 AM, Mark Thomas wrote: >> >>> Yes. You need two Connector elements specifying different ports >>> and different protocols. They should be able to use the same >>> certificate configuration. >> >> I just ran a test on our development Amazon EC2 instance, and >> verified that I could listen on two different ports (existing >> 8443 and now 7443), and I limited (or so I thought) 8443 (to >> which I have 443 rerouted through iptables) to TLS 1.2. >> >> Except that SSLLabs tells me it's still accepting TLS 1.0 and >> 1.1! >> >> I commented out the connector for 8443 and restarted Tomcat, but >> it's still giving the same report from SSLLabs. >> >> The connector for 8443 in server.xml looks like this (lines >> truncated): >>> >> protocol="org.apache.coyote.http1$ compression="on" >>> compressionMinSize="2048" noCompressionUserAgents="goz$ >>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$ >>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$ >>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$ >>> clientAuth="false" sslProtocol="TLSv1.2" /> >> >> The 'sslProtocol="TLSv1.2"' clause is copied directly from the >> Tomcat 7 installation on our most security-conscious customer's >> AS/400; this Tomcat is 8.5. Am I specifying it wrong? > > I should probably remind myself why this is the way this is. > > You want: > > sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" > > And to answer my question above, because that is the way the JSSE > API has been written. We should probably just merge these into a single attribute and "do the right thing": 1. If not specified, do nothing unusual 2. If the value includes a ",", use it for sslEnabledProtocols, use "TLS" as sslProtocol 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols Practically speaking, the only useful value for sslProtocol today is "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict sslEnabledProtocols to TLSv1.2 but using the same value for both has the same effect, of course. In the future, if anything other than "TLS" makes sense for sslProtocol, we can change Tomcat to support that. We should also probably have SSLEnabled="true" be the default if any TLS-related configuration option is used on a connector. WDYT? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl8UQsgACgkQHPApP6U8 pFhGag/+IjZWCK1XSHsUr51tmTAz9JmK2eIabQsf7fIM3pmjXBCKJqYcsEd6tR// cDAgV/mjA6BRXVpl3D4kCsmp8w8yCghirWXYRj4Qs6aKp3a6KgRsQyB7eDnClfQ0 0ic5pjsd699t1vcBxvwC59drs8HCnzDoEfJu91RyYcMl1s/2UiVG8Fg0k4ztw+GQ abhgdmJILtIe0H8q8t5tOverjAnUXJhfoc0Nxd1FaLFRNHQKS80O9vlXODzz0ngE wDDppmbEI5fcnK1YTp/qJYEQ2Bdn3zvOywWvLeZQYmBEuh0x4wLOQsjFJgwt45uT 3ocIuHAtbqWQOXZ//WzPof91CAIMOPV8nZdBtH5op5RJJpu5dPvnKS73MD/8WZWJ v+YBl9AIrrW/2r+U+h8XfrFpsUNGFwG4pNTE4CtkUdoR+hkcgcX2vSI8zG0OyTuu cwoMcVQsMQPhnMNLIpR/Y+lBce8hf2U8m6Bs5To8EWTclzlY7UuU75vC6SUdP3fv 2ULHtivG9xOiSEX635eiVpQ2U/1vQjH5KugpsdJ1AoiaDUFF+qDFa5fSiqYeBw8z PCuDCyJW89BzCjnbzQH6PKuXE4iRPudsJJ+5fplWwKai3vboR3JX5vUlzczuUfqg FpaOHtHEQ08N7y2NB9KzFe0AdbH8iJ9CY1gwahXgDQ9bQgO9nsY= =qmvC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
On 17/07/2020 21:47, James H. H. Lampert wrote: > Running two connectors seems to work just fine, but I'm having trouble > getting one of them to only take TLS 1.2 > > In reply to my query: > >>> Given all this, is it possible to (1) have Tomcat listen on two separate >>> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the >>> other accept something our AS/400 can use? > > On 7/17/20 10:03 AM, Mark Thomas wrote: > >> Yes. You need two Connector elements specifying different ports and >> different protocols. They should be able to use the same certificate >> configuration. > > I just ran a test on our development Amazon EC2 instance, and verified > that I could listen on two different ports (existing 8443 and now 7443), > and I limited (or so I thought) 8443 (to which I have 443 rerouted > through iptables) to TLS 1.2. > > Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1! > > I commented out the connector for 8443 and restarted Tomcat, but it's > still giving the same report from SSLLabs. > > The connector for 8443 in server.xml looks like this (lines truncated): >> > keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$ >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$ >> clientAuth="false" sslProtocol="TLSv1.2" /> > > The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 > installation on our most security-conscious customer's AS/400; this > Tomcat is 8.5. Am I specifying it wrong? I should probably remind myself why this is the way this is. You want: sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" And to answer my question above, because that is the way the JSSE API has been written. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
On 7/17/20 2:36 PM, jonmcalexan...@wellsfargo.com.INVALID wrote: This looks like a cipher, not an alias TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256 As I said, of course it's a cipher. I said up front that the lines were truncated, in order to fit in an email. I can't imagine why seeing the whole connector would make a difference, but if anybody wants to see it un-truncated, (albeit with the same redactions), it's now also on ServerFault, at https://serverfault.com/q/1025706/498231?sem=2 -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
On 7/17/20 2:36 PM, jonmcalexan...@wellsfargo.com.INVALID wrote: This looks like a cipher, not an alias TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256 It is. The lines are truncated at 72 characters for the email. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?
This looks like a cipher, not an alias TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256 Dream * Excel * Explore * Inspire Jon McAlexander Asst Vice President Middleware Product Engineering Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. -Original Message- From: James H. H. Lampert Sent: Friday, July 17, 2020 3:47 PM To: Tomcat Users List Subject: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled? Running two connectors seems to work just fine, but I'm having trouble getting one of them to only take TLS 1.2 In reply to my query: >> Given all this, is it possible to (1) have Tomcat listen on two >> separate HTTPS ports, and (2) have one of the ports require TLS 1.2, >> but the other accept something our AS/400 can use? On 7/17/20 10:03 AM, Mark Thomas wrote: > Yes. You need two Connector elements specifying different ports and > different protocols. They should be able to use the same certificate > configuration. I just ran a test on our development Amazon EC2 instance, and verified that I could listen on two different ports (existing 8443 and now 7443), and I limited (or so I thought) 8443 (to which I have 443 rerouted through iptables) to TLS 1.2. Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1! I commented out the connector for 8443 and restarted Tomcat, but it's still giving the same report from SSLLabs. The connector for 8443 in server.xml looks like this (lines truncated): > protocol="org.apache.coyote.http1$ > compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$ >maxThreads="1000" socket.appReadBufSize="1024" socket.app$ >keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$ >TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$ >clientAuth="false" sslProtocol="TLSv1.2" /> The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 installation on our most security-conscious customer's AS/400; this Tomcat is 8.5. Am I specifying it wrong? -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org