Re: Requiring TLS with Tomcat 5.5.12
"Jeff Krug" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> Thu, Mar 09, at 09:19:PM : Bill Barker has proclaimed:
>> "Jeff Krug" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>> > Is there a way to disallow the SSL 3.0 protocol?
>> >
>>
>> protocols="TLS" on the tag.
>
> I added this, but it did not seem to alter the behavior. Here is my
> connector tag:
>
>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS" protocols="TLS"
>     keystoreType="PKCS12"
>     keystoreFile="Path:\MyKeyStore.p12"
>     keystorePass="##"
>     />
>
> I can still connect using the SSL 3.0 protocol. I don't see a protocols
> option listed anywhere in the Tomcat docs on Apache.org either. Should
> this work?
>

My bad :(. It should be protocols="TLSv1". And, yes, it's an undocumented option.

> I am testing this with openssl on a Linux machine with this command:
>
> $openssl s_client -ssl3 -connect My_Tomcat_Hostname:443
>
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 512 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : SSLv3
>     Cipher    : EDH-RSA-DES-CBC3-SHA
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Start Time: 1142004945
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> When I don't force the client on the Linux side to request ssl3, the
> protocol specified above is TLSv1 as I want.
>
> It seems like most products kind of blur the boundaries between TLS and
> SSL3 (for example that first line above says TLSv1/SSLv3 as if they are
> the same thing). I guess they are nearly identical, but unfortunately
> I still need to figure this out.
>
> Any further ideas for what I can try?
>
> Thanks,
> Jeff Krug

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
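The two checks this exchange describes, written out as an added example (not code from the thread, the posters, or Tomcat): an audit of each HTTPS connector's protocol list in server.xml, using the undocumented `protocols` attribute Bill names (the later `sslEnabledProtocols` spelling is also accepted), and a reader for the `Protocol :` line of the `openssl s_client` output Jeff quoted. The port, the Server/Service wrappers, the keystore placeholders and the sample strings are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Versions acceptable for a TLS-only connector. A bare "TLS" is the JSSE
# context name, not a version: in the thread protocols="TLS" changed nothing
# while protocols="TLSv1" is the working value.
TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def audit_connectors(server_xml):
    """Return (port, verdict, detail) for every HTTPS Connector in server.xml."""
    out = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("scheme") != "https" and c.get("secure") != "true":
            continue
        port = c.get("port", "?")
        # 'protocols' is the undocumented 5.5 attribute from the thread; later
        # Tomcat releases expose the same list as sslEnabledProtocols.
        enabled = c.get("protocols") or c.get("sslEnabledProtocols")
        if not enabled:
            # sslProtocol alone only picks the context; SSLv3 stays negotiable.
            out.append((port, "FAIL", "no protocol list; SSLv3 negotiable"))
            continue
        names = [n.strip() for n in enabled.split(",") if n.strip()]
        bad = [n for n in names if n not in TLS_VERSIONS]
        verdict = "FAIL" if bad else "PASS"
        detail = "not a TLS version: " + ",".join(bad) if bad else ",".join(names)
        out.append((port, verdict, detail))
    return out

def negotiated_protocol(s_client_output):
    """Pull the version from the 'Protocol :' line of openssl s_client output."""
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.M)
    return m.group(1) if m else None

# Constructed server.xml excerpt mirroring the poster's connector (the port
# and the Server/Service wrappers are added; keystore values are placeholders).
WEAK_XML = """<Server><Service name="Catalina">
<Connector port="443" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" protocols="TLS"
           keystoreType="PKCS12" keystoreFile="Path:\\MyKeyStore.p12"
           keystorePass="##"/>
</Service></Server>"""
FIXED_XML = WEAK_XML.replace('protocols="TLS"', 'protocols="TLSv1"')

# Constructed excerpt of the `s_client -ssl3` session quoted in the thread.
S_CLIENT_OUTPUT = "SSL-Session:\n    Protocol  : SSLv3\n    Cipher    : EDH-RSA-DES-CBC3-SHA\n"
if __name__ == "__main__":
    print("weak :", audit_connectors(WEAK_XML))   # FAIL, not a TLS version: TLS
    print("fixed:", audit_connectors(FIXED_XML))  # PASS, TLSv1
    print("client negotiated:", negotiated_protocol(S_CLIENT_OUTPUT))  # SSLv3
```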
Re: Requiring TLS with Tomcat 5.5.12
When starting a new thread (ie sending a message to the list about a new topic) please do not reply to an existing message and change the subject line. To many of the list archiving services and mail clients used by list subscribers this makes your new message appear as part of the old thread. This makes it harder for other users to find relevant information when searching the lists.

This is known as thread hijacking and is behaviour that is frowned upon on this list. Frequent offenders will be removed from the list. It should also be noted that many list subscribers automatically ignore any messages that hijack another thread.

The correct procedure is to create a new message with a new subject. This will start a new thread.

Mark
tomcat-user-owner
Re: Requiring TLS with Tomcat 5.5.12
Thu, Mar 09, at 09:19:PM : Bill Barker has proclaimed:
> "Jeff Krug" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Is there a way to disallow the SSL 3.0 protocol?
> >
>
> protocols="TLS" on the tag.

I added this, but it did not seem to alter the behavior. Here is my connector tag:

I can still connect using the SSL 3.0 protocol. I don't see a protocols option listed anywhere in the Tomcat docs on Apache.org either. Should this work?

I am testing this with openssl on a Linux machine with this command:

    $openssl s_client -ssl3 -connect My_Tomcat_Hostname:443

    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 512 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Start Time: 1142004945
        Timeout   : 7200 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---

When I don't force the client on the Linux side to request ssl3, the protocol specified above is TLSv1 as I want.

It seems like most products kind of blur the boundaries between TLS and SSL3 (for example that first line above says TLSv1/SSLv3 as if they are the same thing). I guess they are nearly identical, but unfortunately I still need to figure this out.

Any further ideas for what I can try?

Thanks,
Jeff Krug
Re: Requiring TLS with Tomcat 5.5.12
"Jeff Krug" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> I have a Tomcat 5.5.12 install that is working well (it is a stand-alone
> install under Windows 2003 server). I was given a request to make this
> install fully FIPS 140-2 compliant, specifically requiring that Tomcat
> not allow SSL 3.0 protocol connections (TLS only). My config specifies
> sslProtocol="TLS" and everything works fine in terms of defaulting to
> TLS, but the default behavior here is to allow SSL 3.0 as well (that is
> part of the connection negotiation process, I suppose).
>
> Is there a way to disallow the SSL 3.0 protocol?
>

protocols="TLS" on the tag.

> Thanks,
> Jeff Krug