Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Mark,

On 10/19/21 04:17, Mark Thomas wrote:
> On 19/10/2021 06:20, Natraj Thekkan wrote:
>> Hi Mark or Chris,
>> Based on Chris's statement, it has to be addressed in Tomcat.
>
> No, you have misunderstood Chris's statement.

+1

I was suggesting a related behavior in Tomcat that would not affect the behavior OP is reporting, here.

> All the evidence so far points to user error.

+1

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Hi,

@Thomas Hoffmann, Mark and Chris,

Thanks for your suggestion. We have made changes as per the XML configuration provided by Thomas Hoffmann and then verified the scenario. Now, client connections with TLS1.1 and TLS1.0 are restricted as expected.

    // Connector set-up as posted (reformatted); "this" is presumably the Connector subclass being configured.
    SSLHostConfig sslHostConfig = new SSLHostConfig();
    sslHostConfig.setInsecureRenegotiation( false );
    // PEM certificate, private key and key password (OpenSSL-style configuration)
    sslHostConfig.setCertificateFile( certLocation );
    sslHostConfig.setCertificateKeyFile( certKeyLocation );
    sslHostConfig.setCertificateKeyPassword( certKeyPassword );
    // Optional mutual TLS: require a client certificate issued by the given CA
    if( isClientAuthreq && caCertificatePath != null && !caCertificatePath.isEmpty() )
    {
        sslHostConfig.setCertificateVerification( CertificateVerification.REQUIRED.toString() );
        sslHostConfig.setCaCertificateFile( caCertificatePath );
    }
    // Protocol list in Tomcat's +/- notation; this is what the OpenSSL engine uses
    sslHostConfig.setProtocols( "+TLSv1.2,+TLSv1.3" );
    this.addSslHostConfig( sslHostConfig );
    IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
    IntrospectionUtils.setProperty( this, "sslImplementationName", "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );

Regards,
Natraj

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
Sent: Tuesday, October 19, 2021 2:11 PM
To: Tomcat Users List
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hello,

I can recommend SSLScan for verifying your configuration:
https://github.com/rbsec/sslscan/releases/tag/2.0.10

Example configuration which I use:

SSLScan reports this result:

    SSL/TLS Protocols:
    SSLv2     disabled
    SSLv3     disabled
    TLSv1.0   disabled
    TLSv1.1   disabled
    TLSv1.2   enabled
    TLSv1.3   enabled

Greetings,
Thomas
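Where sslscan is not available, the same per-version check can be done from Java. The class below is an added example written for this page; it is not code from the thread, from Tomcat or from sslscan. It assumes JDK 11 or later, a server reachable on the host and port given as arguments (defaults `localhost:8443` are placeholders), and that nothing else in the JVM has touched JSSE before `probe()` runs. The detail worth knowing is that `jdk.tls.disabledAlgorithms`, the setting Chris notes the OpenSSL engine ignores, does govern the JSSE client doing the probing: with a stock `java.security` the client refuses to offer TLSv1 or TLSv1.1 at all, so every server would appear to reject them. The probe therefore overrides that property (with a list of this example's choosing) before JSSE initialises, and disables certificate validation because only the protocol version is under test.

```java
import java.io.IOException;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Opens one connection per TLS version, offering only that version, and reports
 * whether the server completed the handshake (and which ALPN protocol it chose).
 * This is the "SSL/TLS Protocols" part of an sslscan run, done from Java.
 */
public class TlsVersionProbe {

    private static final String[] VERSIONS = { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };

    // Certificate validation is switched off on purpose: the question is which protocol
    // versions the server accepts, not whether its certificate chains to a trusted CA.
    // This trust manager must never be reused in application code.
    private static final TrustManager TRUST_ANY = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    public static Map<String, String> probe(String host, int port) throws Exception {
        // jdk.tls.disabledAlgorithms applies to this JSSE *client*: with the stock value,
        // TLSv1 and TLSv1.1 fail locally before a ClientHello is sent, and every server
        // would look as if it rejected them. Override it for this probe, before anything
        // in the JVM has initialised JSSE (the value is read once, statically).
        // The replacement list is this example's choice, not a JDK default.
        Security.setProperty("jdk.tls.disabledAlgorithms",
                "SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, anon, NULL");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ANY }, null);

        Map<String, String> results = new LinkedHashMap<>();
        for (String version : VERSIONS) {
            results.put(version, tryHandshake(ctx, host, port, version));
        }
        return results;
    }

    private static String tryHandshake(SSLContext ctx, String host, int port, String version)
            throws IOException {
        // Connect first, outside the try/catch, so a refused TCP connection propagates
        // instead of being reported as a TLS rejection.
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try (SSLSocket s = socket) {
            s.setEnabledProtocols(new String[] { version });
            SSLParameters params = s.getSSLParameters();
            params.setApplicationProtocols(new String[] { "h2", "http/1.1" });  // ask for HTTP/2
            s.setSSLParameters(params);
            s.startHandshake();
            String alpn = s.getApplicationProtocol();
            return "accepted" + (alpn == null || alpn.isEmpty() ? "" : ", ALPN " + alpn);
        } catch (IllegalArgumentException e) {
            return "not supported by this JDK";            // e.g. TLSv1.3 on an older JDK 8
        } catch (IOException e) {
            // A protocol_version / handshake_failure alert or an abrupt close all land here.
            return "rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        probe(host, port).forEach((version, result) -> System.out.printf("%-8s %s%n", version, result));
    }
}
```

Run it as `java TlsVersionProbe host 8443` against the connector under test. A correctly restricted server yields "rejected" for TLSv1 and TLSv1.1 and "accepted, ALPN h2" for TLSv1.2 and TLSv1.3; if TLSv1 comes back "accepted", the protocol list on the `SSLHostConfig` is not the one the engine is using, whatever `java.security` says.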
Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
On 19/10/2021 06:20, Natraj Thekkan wrote:
> Hi Mark or Chris,
>
> Based on Chris's statement, it has to be addressed in Tomcat.

No, you have misunderstood Chris's statement. All the evidence so far points to user error.

Again, you need to provide the simplest, *complete* test case (i.e. the source code for an executable Java class that starts a Tomcat instance that listens for HTTP/2 connections) that responds to TLS 1.0 and 1.1 connections when configured not to.

> Can I raise a Bug in Bugzilla for this observation?

No.

Mark

> Regards,
> Natraj
RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Hi Mark or Chris,

Based on Chris's statement, it has to be addressed in Tomcat. Can I raise a Bug in Bugzilla for this observation?

Regards,
Natraj

-----Original Message-----
From: Christopher Schultz
Sent: Monday, October 18, 2021 10:14 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:
> @Mark
> Thanks for your response.
>
> We have tested by removing that line of code, and the client is still able to establish
> the connection with the server using TLSv1 and TLSv1.1. The following is configured
> in the java.security file:
>
> jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
>     DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
>     include jdk.disabled.namedCurves

Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.

Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into account when configuring OpenSSL through JSSE, since a user might expect that all JSSE providers will respect that setting.

-chris
Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:
> @Mark
> Thanks for your response.
>
> We have tested by removing that line of code, and the client is still able to establish
> the connection with the server using TLSv1 and TLSv1.1. The following is configured
> in the java.security file:
>
> jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
>     DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
>     include jdk.disabled.namedCurves

Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.

Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into account when configuring OpenSSL through JSSE, since a user might expect that all JSSE providers will respect that setting.

-chris
Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
On 18/10/2021 06:19, Natraj Thekkan wrote:
> Hi,
>
> @Mark
> Thanks for your response.
>
> We have tested by removing that line of code, and the client is still able to establish
> the connection with the server using TLSv1 and TLSv1.1. The following is configured
> in the java.security file:
>
> jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
>     DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
>     include jdk.disabled.namedCurves
>
> Please suggest a way to restrict the TLSv1 and TLSv1.1 versions when OpenSSLImplementation is used.

The code you are using should be sufficient.

Please provide the simplest, *complete* test case (i.e. the source code for an executable Java class that starts a Tomcat instance that listens for HTTP/2 connections) that responds to TLS 1.0 and 1.1 connections when configured not to.

(We can provide our test certificate.)

Mark

> Regards,
> Natraj
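A complete test case of the kind Mark asks for, as an added example rather than anything posted in the thread: one executable class that starts embedded Tomcat 9 with a NIO connector, the OpenSSL TLS engine, HTTP/2 via ALPN, and the protocol list restricted on the SSLHostConfig. It is written for this page and is not Tomcat project code. It assumes tomcat-embed-core (9.0.x) on the classpath, Tomcat Native (libtcnative) installed where the JVM can load it (OpenSSLImplementation does not work without it), JDK 11 or later, a PEM certificate and key at the paths given as arguments (the default file names are placeholders), and that port 8443 is free.

```java
import java.io.File;
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.core.AprLifecycleListener;
import org.apache.catalina.startup.Tomcat;
import org.apache.coyote.http2.Http2Protocol;
import org.apache.tomcat.util.net.SSLHostConfig;

/**
 * Minimal embedded Tomcat 9: NIO connector, OpenSSL as the TLS engine, HTTP/2 over ALPN,
 * protocols restricted to TLS 1.2 and 1.3 on the SSLHostConfig.
 */
public class Tls12PlusHttp2Server {

    public static void main(String[] args) throws LifecycleException {
        // PEM files are assumed to exist; any self-signed pair is enough for this test.
        String certFile = args.length > 0 ? args[0] : "server-cert.pem";
        String keyFile  = args.length > 1 ? args[1] : "server-key.pem";

        File baseDir = new File(System.getProperty("java.io.tmpdir"), "tomcat-tls-test");
        baseDir.mkdirs();
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(baseDir.getAbsolutePath());

        // OpenSSLImplementation is backed by Tomcat Native; the APR listener loads the library,
        // and useOpenSSL=true is what lets the NIO connector use it for TLS.
        AprLifecycleListener apr = new AprLifecycleListener();
        apr.setUseOpenSSL(true);
        tomcat.getServer().addLifecycleListener(apr);

        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(8443);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");
        connector.setProperty("sslImplementationName",
                "org.apache.tomcat.util.net.openssl.OpenSSLImplementation");
        connector.addUpgradeProtocol(new Http2Protocol());   // advertise h2 through ALPN

        SSLHostConfig sslHostConfig = new SSLHostConfig();
        sslHostConfig.setCertificateFile(certFile);
        sslHostConfig.setCertificateKeyFile(keyFile);
        sslHostConfig.setInsecureRenegotiation(false);
        // The OpenSSL engine takes its protocol list from here and nowhere else;
        // jdk.tls.disabledAlgorithms in java.security is not consulted on this path.
        sslHostConfig.setProtocols("+TLSv1.2,+TLSv1.3");
        connector.addSslHostConfig(sslHostConfig);
        tomcat.getService().addConnector(connector);

        // One servlet that echoes the negotiated HTTP and TLS versions, so a client can
        // confirm both the h2 upgrade and the protocol version it was actually given.
        Context ctx = tomcat.addContext("", baseDir.getAbsolutePath());
        Tomcat.addServlet(ctx, "echo", new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().println("http=" + req.getProtocol()
                        + " tls=" + req.getAttribute("org.apache.tomcat.util.net.secure_protocol_version"));
            }
        });
        ctx.addServletMappingDecoded("/*", "echo");

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

With the server running, a TLS 1.2 or 1.3 client that negotiates h2 gets a body such as `http=HTTP/2.0 tls=TLSv1.3`, while a client offering only TLSv1 or TLSv1.1 should not get past the handshake. If it does, the connector serving the request is not the one carrying this SSLHostConfig, which is the first thing to rule out before suspecting Tomcat.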
RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Hi,

@Mark
Thanks for your response.

We have tested by removing that line of code, and the client is still able to establish the connection with the server using TLSv1 and TLSv1.1. The following is configured in the java.security file:

    jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

Please suggest a way to restrict the TLSv1 and TLSv1.1 versions when OpenSSLImplementation is used.

Regards,
Natraj

-----Original Message-----
From: Mark Thomas
Sent: Thursday, October 14, 2021 4:11 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

On 14/10/2021 10:28, Natraj Thekkan wrote:
> Hi,
>
> We are using tomcat version 9.0.46.
> Could you please provide a suggestion on how to restrict the TLS version in HTTP2 over
> HTTPS with the OpenSSL implementation?

The code below is sufficient, assuming that is then the connector that is being used by the clients.

You should be able to remove the sslHostConfig.setSslProtocol("TLS"); line. It is only used with JSSE.

Mark

> Regards,
> Natraj
Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
On 14/10/2021 10:28, Natraj Thekkan wrote:
> Hi,
>
> We are using tomcat version 9.0.46.
> Could you please provide a suggestion on how to restrict the TLS version in HTTP2 over
> HTTPS with the OpenSSL implementation?

The code below is sufficient, assuming that is then the connector that is being used by the clients.

You should be able to remove the sslHostConfig.setSslProtocol("TLS"); line. It is only used with JSSE.

Mark

> Regards,
> Natraj
RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Hi,

We are using tomcat version 9.0.46.
Could you please provide a suggestion on how to restrict the TLS version in HTTP2 over HTTPS with the OpenSSL implementation?

Regards,
Natraj

From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org'
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hi,

We have tried to restrict the TLS version for HTTPS connection establishment in embedded Tomcat with the OpenSSL-based implementation. With this part of the code, a TLSv1.0/TLSv1.1 client is also able to connect to our HTTPS server. Please let us know how we can restrict the TLS version in HTTP2 over HTTPS in the OpenSSL implementation.

The code below is used while creating the connector.

    import org.apache.tomcat.util.IntrospectionUtils;
    import org.apache.tomcat.util.net.SSLHostConfig;
    import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification;

    // Fragment of a Connector subclass, so "this" is the connector being configured.
    private final String[] enabledProtocol = new String[] { "TLSv1.2" };

    SSLHostConfig sslHostConfig = new SSLHostConfig();
    sslHostConfig.setInsecureRenegotiation( false );
    // PEM certificate, private key and key password (OpenSSL-style configuration)
    sslHostConfig.setCertificateFile( certLocation );
    sslHostConfig.setCertificateKeyFile( certKeyLocation );
    sslHostConfig.setCertificateKeyPassword( certKeyPassword );
    // Optional mutual TLS: require a client certificate issued by the given CA
    if( isClientAuthreq && caCertificatePath != null && !caCertificatePath.isEmpty() )
    {
        sslHostConfig.setCertificateVerification( CertificateVerification.REQUIRED.toString() );
        sslHostConfig.setCaCertificateFile( caCertificatePath );
    }
    sslHostConfig.setSslProtocol("TLS");
    sslHostConfig.setEnabledProtocols( enabledProtocol );
    this.addSslHostConfig( sslHostConfig );
    IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
    IntrospectionUtils.setProperty( this, "sslImplementationName", "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );

Regards,
Natraj