Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-20 Thread Christopher Schultz

Mark,

On 10/19/21 04:17, Mark Thomas wrote:

On 19/10/2021 06:20, Natraj Thekkan wrote:

Hi Mark or Chris,

Based on Chris's statement, it has to be addressed in Tomcat.


No, you have misunderstood Chris's statement.


+1

I was suggesting a related behavior in Tomcat that would not affect the 
behavior the OP is reporting here.



All the evidence so far points to user error.

+1

-chris


-Original Message-
From: Christopher Schultz 
Sent: Monday, October 18, 2021 10:14 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:

@Mark
Thanks for your response.

We have tested by removing that line of code; the client is still able to 
establish the connection with the server using TLSv1 and TLSv1.1. The following 
is configured in the java.security file.

jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves


Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.

Mark (and others), maybe we should take jdk.tls.disabledAlgorithms 
into account when configuring OpenSSL through JSSE, since a user might 
expect that all JSSE providers will respect that setting.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Natraj Thekkan
Hi,

@ Thomas Hoffmann, Mark and Chris,
Thanks for your suggestion.

We have made changes as per the XML configuration provided by Thomas Hoffmann 
and then verified the scenario. Now, client connections with TLS1.1 and TLS1.0 
are restricted as expected. 


import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;

// Inside the Connector subclass, while building the HTTPS/HTTP2 connector.
SSLHostConfig sslHostConfig = new SSLHostConfig();
sslHostConfig.setInsecureRenegotiation( false );
sslHostConfig.setCertificateFile( certLocation );
sslHostConfig.setCertificateKeyFile( certKeyLocation );
sslHostConfig.setCertificateKeyPassword( certKeyPassword );
// Optional mutual TLS: require a client certificate issued by the configured CA.
if( isClientAuthreq && caCertificatePath != null && !caCertificatePath.isEmpty() )
{
    sslHostConfig.setCertificateVerification( CertificateVerification.REQUIRED.toString() );
    sslHostConfig.setCaCertificateFile( caCertificatePath );
}
// Protocol policy: start from an empty set and add only TLSv1.2 and TLSv1.3.
sslHostConfig.setProtocols( "+TLSv1.2,+TLSv1.3" );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName",
    "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );



Regards,
Natraj
-Original Message-
From: Thomas Hoffmann (Speed4Trade GmbH) 
 
Sent: Tuesday, October 19, 2021 2:11 PM
To: Tomcat Users List 
Subject: AW: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hello,

I can recommend SSLScan for verifying your configuration:
https://github.com/rbsec/sslscan/releases/tag/2.0.10

Example configuration which I use:







SSLScan reports this result:

  SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

Greetings,
Thomas

-Ursprüngliche Nachricht-
Von: Mark Thomas 
Gesendet: Dienstag, 19. Oktober 2021 10:18
An: users@tomcat.apache.org
Betreff: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

On 19/10/2021 06:20, Natraj Thekkan wrote:
> Hi Mark or Chris,
> 
> Based on Chris's statement, it has to be addressed in Tomcat.

No, you have misunderstood Chris's statement. All the evidence so far points to 
user error.

Again, you need to provide the simplest, *complete* test case (i.e. the source 
code for an executable Java class that starts a Tomcat instance that listens 
for HTTP/2 connections) that responds to TLS 1.0 and 1.1 connections when 
configured not to.

> Can I raise a bug in Bugzilla for this observation?

No.

Mark


> 
> Regards,
> Natraj
> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, October 18, 2021 10:14 PM
> To: users@tomcat.apache.org
> Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with 
> OpenSSL
> 
> Natraj,
> 
> On 10/18/21 01:19, Natraj Thekkan wrote:
>> @Mark
>>  Thanks for your response.
>>
>> We have tested by removing that line of code; the client is still able to establish 
>> the connection with the server using TLSv1 and TLSv1.1. The following is configured 
>> in the java.security file.
>>
>> jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
>>   DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
>>   include jdk.disabled.namedCurves
> 
> Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.
> 
> Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into 
> account when configuring OpenSSL through JSSE, since a user might expect that 
> all JSSE providers will respect that setting.
> 
> -chris
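The thread ends with the fix confirmed but never shows the "simplest, complete test case" Mark asked for. The class below is an added example written for this page; it is not code from Natraj, Thomas, or the Tomcat project. It assumes Tomcat 9.0.x (tomcat-embed-core plus the servlet API) on the classpath, tomcat-native installed so that OpenSSLImplementation can load, and a PEM certificate/key pair for localhost at the paths given (hypothetical paths). The class and method names (Tls12OnlyHttp2, buildConnector, EchoServlet, handshakes) are this example's own. It builds the listener with setProtocols(), the same call that resolved the thread, and then probes its own port with each TLS version so the policy is checked by the test itself rather than by inspection.

```java
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.core.AprLifecycleListener;
import org.apache.catalina.startup.Tomcat;
import org.apache.coyote.http2.Http2Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;

/** Embedded Tomcat 9: one NIO connector, OpenSSL TLS, HTTP/2 via ALPN, TLSv1.2/1.3 only. */
public class Tls12OnlyHttp2 {

    /** Builds the HTTPS/HTTP2 connector. setProtocols() carries the protocol policy. */
    static Connector buildConnector(String certFile, String keyFile, int port) {
        Connector c = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        c.setPort(port);
        c.setScheme("https");
        c.setSecure(true);
        c.setProperty("SSLEnabled", "true");
        c.setProperty("sslImplementationName",
                "org.apache.tomcat.util.net.openssl.OpenSSLImplementation");
        c.addUpgradeProtocol(new Http2Protocol());   // h2 is negotiated through ALPN

        SSLHostConfig ssl = new SSLHostConfig();
        ssl.setCertificateFile(certFile);             // PEM certificate (assumed path)
        ssl.setCertificateKeyFile(keyFile);           // PEM private key (assumed path)
        ssl.setInsecureRenegotiation(false);
        // "+" adds to an empty set, so everything not listed stays disabled. This is the
        // configuration input the OpenSSL context is built from. setEnabledProtocols() on
        // the host config is not: at connector init Tomcat writes the list it derived
        // from getProtocols() (default "all", which includes TLSv1 and TLSv1.1) into it.
        ssl.setProtocols("+TLSv1.2,+TLSv1.3");
        c.addSslHostConfig(ssl);
        return c;
    }

    /** Answers with the HTTP version and the TLS version Tomcat recorded for the request. */
    static class EchoServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            PrintWriter w = resp.getWriter();
            w.println("http=" + req.getProtocol());   // "HTTP/2.0" on an h2 connection
            w.println("tls=" + req.getAttribute("org.apache.tomcat.util.net.secure_protocol_version"));
        }
    }

    /**
     * Client-side probe: one JSSE socket pinned to a single TLS version. A version the
     * server refuses fails startHandshake() with an SSLHandshakeException (protocol_version).
     */
    static boolean handshakes(String host, int port, String protocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Test harness only: accepts the self-signed test certificate. Never ship this.
        ctx.init(null, new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String auth) { }
            public void checkServerTrusted(X509Certificate[] chain, String auth) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setEnabledProtocols(new String[] { protocol });
            s.startHandshake();
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String certFile = args.length > 0 ? args[0] : "conf/localhost.crt";   // assumed
        String keyFile  = args.length > 1 ? args[1] : "conf/localhost.key";   // assumed
        int port = 8443;

        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(new File("tomcat-work").getAbsolutePath());
        // Loads tomcat-native (libtcnative + OpenSSL); OpenSSLImplementation needs it.
        tomcat.getServer().addLifecycleListener(new AprLifecycleListener());
        Connector connector = buildConnector(certFile, keyFile, port);
        tomcat.getService().addConnector(connector);
        tomcat.setConnector(connector);
        Context ctx = tomcat.addContext("", null);   // servlet-only app, no docBase needed
        Tomcat.addServlet(ctx, "echo", new EchoServlet());
        ctx.addServletMappingDecoded("/*", "echo");
        tomcat.start();

        // Expected: TLSv1 and TLSv1.1 rejected, TLSv1.2 and TLSv1.3 accepted. The probe is
        // JSSE, so the JVM's own jdk.tls.disabledAlgorithms must not list TLSv1/TLSv1.1,
        // or the client refuses them before the server gets a say.
        for (String p : new String[] { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" }) {
            System.out.printf("%-8s %s%n", p, handshakes("localhost", port, p) ? "accepted" : "rejected");
        }
        tomcat.stop();
        tomcat.destroy();
    }
}
```

Two things to keep in mind when running it. First, recent JDKs list TLSv1 and TLSv1.1 in jdk.tls.disabledAlgorithms by default, so start the probe JVM with an override file (java -Djava.security.properties=relaxed.properties ...) whose jdk.tls.disabledAlgorithms line omits those two, otherwise "rejected" for TLSv1 proves nothing about the server. That property only governs JSSE, the probe and any JSSE-backed connector; it never reaches the OpenSSL-backed listener, which is exactly Chris's point earlier in the thread. Second, an external check is still worthwhile: sslscan localhost:8443 should report TLSv1.0 and TLSv1.1 disabled as in Thomas's output, and openssl s_client -connect localhost:8443 -tls1_1 should fail the handshake while -tls1_2 succeeds and, with -alpn h2, shows h2 as the selected ALPN protocol.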



Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Mark Thomas

On 19/10/2021 06:20, Natraj Thekkan wrote:

Hi Mark or Chris,

Based on Chris's statement, it has to be addressed in Tomcat.


No, you have misunderstood Chris's statement. All the evidence so far 
points to user error.


Again, you need to provide the simplest, *complete* test case (i.e. the 
source code for an executable Java class that starts a Tomcat instance 
that listens for HTTP/2 connections) that responds to TLS 1.0 and 1.1 
connections when configured not to.



Can I raise a bug in Bugzilla for this observation?


No.

Mark




Regards,
Natraj
-Original Message-
From: Christopher Schultz 
Sent: Monday, October 18, 2021 10:14 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:

@Mark
Thanks for your response.

We have tested by removing that line of code; the client is still able to establish 
the connection with the server using TLSv1 and TLSv1.1. The following is configured 
in the java.security file.

jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves


Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.

Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into account 
when configuring OpenSSL through JSSE, since a user might expect that all JSSE 
providers will respect that setting.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Natraj Thekkan
Hi Mark or Chris,

Based on Chris's statement, it has to be addressed in Tomcat. Can I raise a bug 
in Bugzilla for this observation?

Regards,
Natraj
-Original Message-
From: Christopher Schultz  
Sent: Monday, October 18, 2021 10:14 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:
> @Mark
>   Thanks for your response.
> 
> We have tested by removing that line of code; the client is still able to establish 
> the connection with the server using TLSv1 and TLSv1.1. The following is configured 
> in the java.security file.
> 
> jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
>   DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
>   include jdk.disabled.namedCurves

Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.

Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into account 
when configuring OpenSSL through JSSE, since a user might expect that all JSSE 
providers will respect that setting.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Christopher Schultz

Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:

@Mark
Thanks for your response.

We have tested by removing that line of code; the client is still able to establish 
the connection with the server using TLSv1 and TLSv1.1. The following is configured 
in the java.security file.

jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves


Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.

Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into 
account when configuring OpenSSL through JSSE, since a user might expect 
that all JSSE providers will respect that setting.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Mark Thomas

On 18/10/2021 06:19, Natraj Thekkan wrote:

Hi,

@Mark
Thanks for your response.

We have tested by removing that line of code; the client is still able to establish 
the connection with the server using TLSv1 and TLSv1.1. The following is configured 
in the java.security file.

jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves

Please suggest a way to restrict the TLSv1 and TLSv1.1 versions when 
OpenSSLImplementation is used.


The code you are using should be sufficient.

Please provide the simplest, *complete* test case (i.e. the source code 
for an executable Java class that starts a Tomcat instance that listens 
for HTTP/2 connections) that responds to TLS 1.0 and 1.1 connections 
when configured not to.


(We can provide our own test certificate.)

Mark




Regards,
Natraj

-Original Message-
From: Mark Thomas 
Sent: Thursday, October 14, 2021 4:11 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

On 14/10/2021 10:28, Natraj Thekkan wrote:

Hi,

We are using tomcat version 9.0.46.
Could you please provide a suggestion for restricting the TLS version in HTTP2 over 
HTTPS with the OpenSSL implementation?


The code below is sufficient, assuming that is then the connector that is being 
used by the clients.

You should be able to remove the

sslHostConfig.setSslProtocol("TLS");

line. It is only used with JSSE.

Mark




Regards,
Natraj
From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org' 
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hi,

We have tried to restrict the TLS version in HTTPS connection establishment in 
embedded Tomcat for the OpenSSL-based implementation. With this part of the code, 
TLSv1.0/TLSv1.1 clients are also able to connect to our HTTPS server. Please let 
us know how we can restrict the TLS version in HTTP2 over HTTPS in the OpenSSL 
implementation.

The code below is used while creating the connector.

import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;

private final String[] enabledProtocol = new String[] { "TLSv1.2" };

// Inside the Connector subclass, while building the HTTPS/HTTP2 connector.
SSLHostConfig sslHostConfig = new SSLHostConfig();
sslHostConfig.setInsecureRenegotiation( false );
sslHostConfig.setCertificateFile( certLocation );
sslHostConfig.setCertificateKeyFile( certKeyLocation );
sslHostConfig.setCertificateKeyPassword( certKeyPassword );
// Optional mutual TLS: require a client certificate issued by the configured CA.
if( isClientAuthreq && caCertificatePath != null && !caCertificatePath.isEmpty() )
{
    sslHostConfig.setCertificateVerification( CertificateVerification.REQUIRED.toString() );
    sslHostConfig.setCaCertificateFile( caCertificatePath );
}
sslHostConfig.setSslProtocol( "TLS" );
sslHostConfig.setEnabledProtocols( enabledProtocol );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName",
    "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );


Regards,
Natraj




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-17 Thread Natraj Thekkan
Hi,

@Mark 
Thanks for your response.

We have tested by removing that line of code; the client is still able to establish 
the connection with the server using TLSv1 and TLSv1.1. The following is configured 
in the java.security file.

jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves

Please suggest a way to restrict the TLSv1 and TLSv1.1 versions when 
OpenSSLImplementation is used.

Regards,
Natraj

-Original Message-
From: Mark Thomas  
Sent: Thursday, October 14, 2021 4:11 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

On 14/10/2021 10:28, Natraj Thekkan wrote:
> Hi,
> 
> We are using tomcat version 9.0.46.
> Could you please provide a suggestion for restricting the TLS version in HTTP2 over 
> HTTPS with the OpenSSL implementation?

The code below is sufficient, assuming that is then the connector that is being 
used by the clients.

You should be able to remove the

sslHostConfig.setSslProtocol("TLS");

line. It is only used with JSSE.

Mark


> 
> Regards,
> Natraj
> From: Natraj Thekkan
> Sent: Wednesday, October 13, 2021 10:15 AM
> To: 'users@tomcat.apache.org' 
> Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
> 
> Hi,
> 
> We have tried to restrict the TLS version in HTTPS connection establishment 
> in embedded Tomcat for the OpenSSL-based implementation. With this part of the 
> code, TLSv1.0/TLSv1.1 clients are also able to connect to our HTTPS server. 
> Please let us know how we can restrict the TLS version in HTTP2 over HTTPS in 
> the OpenSSL implementation.
> 
> The code below is used while creating the connector.
> 
> private final String[] enabledProtocol = new String[] { "TLSv1.2" };
> 
> 
> SSLHostConfig sslHostConfig = new SSLHostConfig();
> 
> sslHostConfig.setInsecureRenegotiation( false );
> 
> sslHostConfig.setCertificateFile( certLocation );
> 
> sslHostConfig.setCertificateKeyFile( certKeyLocation );
> 
> sslHostConfig.setCertificateKeyPassword( certKeyPassword );
> 
> if( isClientAuthreq && caCertificatePath != null && 
> !caCertificatePath.isEmpty() )
> 
> {
> 
> sslHostConfig.setCertificateVerification( 
> CertificateVerification.REQUIRED.toString() );
> 
> sslHostConfig.setCaCertificateFile( caCertificatePath );
> 
> }
> 
> sslHostConfig.setSslProtocol("TLS");
> 
> sslHostConfig.setEnabledProtocols( enabledProtocol ); 
> this.addSslHostConfig( sslHostConfig ); 
> IntrospectionUtils.setProperty( this, "SSLEnabled", "true" ); 
> IntrospectionUtils.setProperty( this, "sslImplementationName", 
> "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );
> 
> 
> Regards,
> Natraj
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Mark Thomas

On 14/10/2021 10:28, Natraj Thekkan wrote:

Hi,

We are using tomcat version 9.0.46.
Could you please provide a suggestion for restricting the TLS version in HTTP2 over 
HTTPS with the OpenSSL implementation?


The code below is sufficient, assuming that is then the connector that 
is being used by the clients.


You should be able to remove the

sslHostConfig.setSslProtocol("TLS");

line. It is only used with JSSE.

Mark




Regards,
Natraj
From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org' 
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hi,

We have tried to restrict the TLS version in HTTPS connection establishment in 
embedded Tomcat for the OpenSSL-based implementation. With this part of the code, 
TLSv1.0/TLSv1.1 clients are also able to connect to our HTTPS server. Please let 
us know how we can restrict the TLS version in HTTP2 over HTTPS in the OpenSSL 
implementation.

The code below is used while creating the connector.

import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;

private final String[] enabledProtocol = new String[] { "TLSv1.2" };

// Inside the Connector subclass, while building the HTTPS/HTTP2 connector.
SSLHostConfig sslHostConfig = new SSLHostConfig();
sslHostConfig.setInsecureRenegotiation( false );
sslHostConfig.setCertificateFile( certLocation );
sslHostConfig.setCertificateKeyFile( certKeyLocation );
sslHostConfig.setCertificateKeyPassword( certKeyPassword );
// Optional mutual TLS: require a client certificate issued by the configured CA.
if( isClientAuthreq && caCertificatePath != null && !caCertificatePath.isEmpty() )
{
    sslHostConfig.setCertificateVerification( CertificateVerification.REQUIRED.toString() );
    sslHostConfig.setCaCertificateFile( caCertificatePath );
}
sslHostConfig.setSslProtocol( "TLS" );
sslHostConfig.setEnabledProtocols( enabledProtocol );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName",
    "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );


Regards,
Natraj




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Natraj Thekkan
Hi,

We are using tomcat version 9.0.46.
Could you please provide a suggestion for restricting the TLS version in HTTP2 over 
HTTPS with the OpenSSL implementation?

Regards,
Natraj
From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org' 
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hi,

We have tried to restrict the TLS version in HTTPS connection establishment in 
embedded Tomcat for the OpenSSL-based implementation. With this part of the code, 
TLSv1.0/TLSv1.1 clients are also able to connect to our HTTPS server. Please let 
us know how we can restrict the TLS version in HTTP2 over HTTPS in the OpenSSL 
implementation.

The code below is used while creating the connector.

import org.apache.tomcat.util.IntrospectionUtils;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;

private final String[] enabledProtocol = new String[] { "TLSv1.2" };

// Inside the Connector subclass, while building the HTTPS/HTTP2 connector.
SSLHostConfig sslHostConfig = new SSLHostConfig();
sslHostConfig.setInsecureRenegotiation( false );
sslHostConfig.setCertificateFile( certLocation );
sslHostConfig.setCertificateKeyFile( certKeyLocation );
sslHostConfig.setCertificateKeyPassword( certKeyPassword );
// Optional mutual TLS: require a client certificate issued by the configured CA.
if( isClientAuthreq && caCertificatePath != null && !caCertificatePath.isEmpty() )
{
    sslHostConfig.setCertificateVerification( CertificateVerification.REQUIRED.toString() );
    sslHostConfig.setCaCertificateFile( caCertificatePath );
}
sslHostConfig.setSslProtocol( "TLS" );
sslHostConfig.setEnabledProtocols( enabledProtocol );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName",
    "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );


Regards,
Natraj