Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Christopher Schultz

James,

On 8/10/22 11:57, James H. H. Lampert wrote:

> Interesting. The new "protocols" parameter.
>
> Does this work with the traditional syntax? Can "protocols" and
> "sslProtocol" coexist in the same Connector?


It's pretty important here to specify your Tomcat version number(s). I 
see you have them at the bottom of this message, but not the original.


> All our customer installations use JSSE security with a Java Keystore;
> I've never configured a successful IBM Midrange installation any other way.
>
> Looking at the "Server Information" on the "Manager" webapp, I see:
>
> The "problem" server ("#2" in the original post) is on 8.5.73, running
> under IBM OS/400 Java 8.0.5.25.
>
> The "working" server ("#1" in the original post) is on 8.5.79, running
> under IBM OS/400 Java 8.0.6.35.


I'm mostly going to repeat things others have said elsewhere in this 
thread, but (a) all together and (b) with maybe some historical perspective.


Tomcat connectors have always supported the "sslProtocol" attribute 
(which is next to useless, other than that you have to put something in 
there that Java recognizes).


The other attribute used to be sslEnabledProtocols, now called 
protocols, which is the one that actually sets the list of specific 
protocol versions. Your versions should be sufficiently recent that the 
following excerpts from the user manual[1] are currently accurate:


"
sslProtocol

JSSE only.

The SSL protocol(s) to use (a single value may enable multiple protocols 
- see the JVM documentation for details). If not specified, the default 
is TLS. The permitted values may be obtained from the JVM documentation 
for the allowed values for algorithm when creating an SSLContext 
instance e.g. Oracle Java 7. Note: There is overlap between this 
attribute and protocols.

"

"
protocols   

The names of the protocols to support when communicating with clients. 
This should be a list of any combination of the following:


SSLv2Hello
SSLv3
TLSv1
TLSv1.1
TLSv1.2
TLSv1.3
all

Each token in the list can be prefixed with a plus sign ("+") or a minus 
sign ("-"). A plus sign adds the protocol, a minus sign removes it from 
the current list. The list is built starting from an empty list.


The token all is an alias for SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

Note that TLSv1.3 is only supported for JSSE when using a JVM that 
implements TLSv1.3.


Note that SSLv2Hello will be ignored for OpenSSL based secure 
connectors. If more than one protocol is specified for an OpenSSL based 
secure connector it will always support SSLv2Hello. If a single protocol 
is specified it will not support SSLv2Hello.


Note that SSLv2 and SSLv3 are inherently unsafe.

If not specified, the default value of all will be used.
"

*These are not interchangeable*

Setting sslProtocol to a list of things may fail and certainly won't do 
what you expect.


These days, you shouldn't even bother setting sslProtocol at all. Use 
protocols and /only/ protocols and you'll get what you want.


I also highly recommend that you "upgrade" your configuration to use:


  <SSLHostConfig>


There are certain things you cannot do without <SSLHostConfig> and 
honestly it makes it WAY more clear in your configuration what you are 
trying to do.


So why does it have to be this confusing? Well, history...

Long ago, there was just "SSL". Java at some point gave programmers the 
option to use "TLS" which was this crazy new thing. If you wanted it, 
you need to say "TLS" when initializing the SSLEngine component of Java. 
When it was introduced into Tomcat 3.1 or whatever, that option was 
added because hey, maybe not everyone wanted to live on the edge with 
this new-fangled TLS thing. These days, it almost doesn't matter what 
string you give to Java when initializing the SSLEngine, you always get 
one that can do pretty much everything.


Okay, so at some point, we all switched from SSL to TLS and all was 
good. Except that we had to disable SSLv3 at some point, and then these 
new crazy people said we needed to support TLSv1.2, etc. and again not 
everybody wanted that "secure" stuff they were happy with their ROT13 
encryption and so sslEnabledProtocols was introduced: you could specify 
not only which SSL engine you wanted (SSL vs TLS) but also the 
individual protocols you were willing to support.


Fast-forward a few years and we have the situation where sslProtocol is 
all but useless and mostly everyone wants to use TLSv1.2 and TLSv1.3 and 
nothing else. But, backward-compatibility rules and so "all" (alias for 
"SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3") is the default. I've been 
pushing for the default to be changed to support only the later 
protocols and we are likely to do that in e.g. Tomcat 10.x but not other 
versions because, again, history. Tomcat major versions have had a 
lifetime of like 10 years and so we can't turn on a dime without 
someone's whole cluster going down because we changed the defaults and 
they didn't bother testing before 

Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread James H. H. Lampert

On 8/10/22 6:50 AM, Brian Wolfe wrote:

> You can disable the protocols at the java level in the java.security file
>
> jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1,
> TLSv1.1


I think that's exactly what I did on "Customer Box #1" (and forgot to 
document having done). Because I dug up the java.security file (I'm 
really glad there's a "find" command available from QShell and other 
*nix-style command lines in OS/400), and it has TLSv1 and TLSv1.1 added 
to it.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread James H. H. Lampert

On 8/10/22 8:52 AM, Jason Hall wrote:

> If you have another network device in front of your server - that could be what
> is trumping the app server's settings.


I'd planned on investigating that as well.

But it *looks* like the cert I'm seeing matches the cert in the keystore 
their Tomcat is using, and I *don't* think an intermediate device would 
also have that cert.


--
JHHL




Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread James H. H. Lampert

Interesting. The new "protocols" parameter.

Does this work with the traditional syntax? Can "protocols" and 
"sslProtocol" coexist in the same Connector?


All our customer installations use JSSE security with a Java Keystore; 
I've never configured a successful IBM Midrange installation any other way.


Looking at the "Server Information" on the "Manager" webapp, I see:

The "problem" server ("#2" in the original post) is on 8.5.73, running 
under IBM OS/400 Java 8.0.5.25.


The "working" server ("#1" in the original post) is on 8.5.79, running 
under IBM OS/400 Java 8.0.6.35.


--
JHHL




Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Jason Hall
If you have another network device in front of your server - that could be what 
is trumping the app server's settings.

For example - We have an F5 device sitting in front of our app server - so 
SSLLabs will pick up those settings before it even hits my actual app server.

   thanks,
   Jason


- Original Message -
From: "Brian Wolfe" 
To: "Tomcat Users List" 
Sent: Wednesday, August 10, 2022 9:50:01 AM
Subject: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have 
sslProtocol="TLSv1.2"

You can disable the protocols at the java level in the java.security file

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1,
TLSv1.1

On Wed, Aug 10, 2022 at 5:09 AM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello Peter,
>
> > -Ursprüngliche Nachricht-
> > Von: logo 
> > Gesendet: Mittwoch, 10. August 2022 10:22
> > An: Tomcat Users List 
> > Betreff: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> have
> > sslProtocol="TLSv1.2"
> >
> > Thomas,
> >
> > Am 2022-08-10 08:59, schrieb Thomas Hoffmann (Speed4Trade GmbH):
> > > Hello,
> > >
> > >> -Ursprüngliche Nachricht-----
> > >> Von: Peter Kreuser 
> > >> Gesendet: Mittwoch, 10. August 2022 08:44
> > >> An: Tomcat Users List 
> > >> Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> > >> have sslProtocol="TLSv1.2"
> > >>
> > >>
> > >>
> > >> James,
> > >>
> > >> the most recent connector attribute is "protocols". The documentation
> > >> is a bit vague on this saying there is an overlap between the two,
> > >> yet I don't know if the overlap is there if protocols is unset and
> > >> defaults to "all"
> > >> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> > >>
> > >> Peter
> > >>
> > >> > Am 10.08.2022 um 00:15 schrieb James H. H. Lampert
> > >> :
> > >> >
> > >> > I think this may have come up before, but I don't recall how it was
> > resolved.
> > >> >
> > >> > On customer box #1, I have:
> > >> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > >> address=""
> > >> >   maxThreads="400" SSLEnabled="true" scheme="https"
> > secure="true"
> > >> >   keystoreFile="/tomcat/wttomcat.ks"
> > >> keyAlias=""
> > >> >
> > >>
> > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> > >>
> > TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> > >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> > >> >
> > >> > But on customer box #2, I have:
> > >> >
> > >> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > >> >   maxThreads="150" SSLEnabled="true" scheme="https"
> > secure="true"
> > >> >   keystoreFile="/tomcat/wttomcat.ks"
> > >> keyAlias=""
> > >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and
> TLSv1.2.
> > >> >
> > >> > What could be wrong here? I vaguely recall seeing something like
> this
> > before.
> > >> >
> > >> > --
> > >> > JHHL
> > >> >
> > >> >
> > >
> > > I have configured my connector as follows:
> > >  > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >
> > >
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImpleme
> > ntation"
> > >maxThreads="150" minSpareThreads="25"
> > >URIEncoding="UTF-8" useBodyEncodingFor

Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Brian Wolfe
You can disable the protocols at the java level in the java.security file

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1,
TLSv1.1

On Wed, Aug 10, 2022 at 5:09 AM Thomas Hoffmann (Speed4Trade GmbH)
 wrote:

> Hello Peter,
>
> > -Ursprüngliche Nachricht-
> > Von: logo 
> > Gesendet: Mittwoch, 10. August 2022 10:22
> > An: Tomcat Users List 
> > Betreff: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> have
> > sslProtocol="TLSv1.2"
> >
> > Thomas,
> >
> > Am 2022-08-10 08:59, schrieb Thomas Hoffmann (Speed4Trade GmbH):
> > > Hello,
> > >
> > >> -Ursprüngliche Nachricht-
> > >> Von: Peter Kreuser 
> > >> Gesendet: Mittwoch, 10. August 2022 08:44
> > >> An: Tomcat Users List 
> > >> Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> > >> have sslProtocol="TLSv1.2"
> > >>
> > >>
> > >>
> > >> James,
> > >>
> > >> the most recent connector attribute is "protocols". The documentation
> > >> is a bit vague on this saying there is an overlap between the two,
> > >> yet I don't know if the overlap is there if protocols is unset and
> > >> defaults to "all"
> > >> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> > >>
> > >> Peter
> > >>
> > >> > Am 10.08.2022 um 00:15 schrieb James H. H. Lampert
> > >> :
> > >> >
> > >> > I think this may have come up before, but I don't recall how it was
> > resolved.
> > >> >
> > >> > On customer box #1, I have:
> > >> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > >> address=""
> > >> >   maxThreads="400" SSLEnabled="true" scheme="https"
> > secure="true"
> > >> >   keystoreFile="/tomcat/wttomcat.ks"
> > >> keyAlias=""
> > >> >
> > >>
> > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> > >>
> > TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> > >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> > >> >
> > >> > But on customer box #2, I have:
> > >> >
> > >> >  > protocol="org.apache.coyote.http11.Http11Protocol"
> > >> >   maxThreads="150" SSLEnabled="true" scheme="https"
> > secure="true"
> > >> >   keystoreFile="/tomcat/wttomcat.ks"
> > >> keyAlias=""
> > >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and
> TLSv1.2.
> > >> >
> > >> > What could be wrong here? I vaguely recall seeing something like
> this
> > before.
> > >> >
> > >> > --
> > >> > JHHL
> > >> >
> > >> >
> > >
> > > I have configured my connector as follows:
> > >  > > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >
> > >
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImpleme
> > ntation"
> > >maxThreads="150" minSpareThreads="25"
> > >URIEncoding="UTF-8" useBodyEncodingForURI="false"
> > >enableLookups="false" disableUploadTimeout="true"
> > >acceptCount="100" scheme="https" secure="true"
> > >SSLEnabled="true"
> > >compression="off" >
> > >  > />
> > >  > > ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
> > SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-
> > SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
> > POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> > > disableSessionTickets="true"
> > honorCipherOrder="false"
> > > protocols="+TLSv1.2,+TLSv1.3">
> > >  > > certificateFile="../xx.pem" type="RSA"  />
> > > 
> > > 
> > >
> > > This gives a good grade when checking with ssllabs.
> > > Only TLS 1.2 and 1.3 are enabled.
> > >
> >
> > of course SSLHostConfig is the modern and preferred way. But unless you
> have
> > plenty of time, it's a hassle to migrate many boxes to the new way...
> >
> > Peter
> >
> > > Greetings, Thomas
> > >
>
> The attributes are quite similar or the same, just located at other
> xml-elements, so you can still use the attributes like "protocols" or
> "ciphers".
> Just located at different tags.
>
> Sooner or later the old syntax will get deprecated. So it's usually a
> matter of time when you have the hassle ;)
>
> Greetings, Thomas
>
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
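
Putting Christopher's explanation of sslProtocol versus protocols and Brian's java.security suggestion side by side in code, as an added example that is not from the thread and not Tomcat's own code: it asks the JVM what an SSLContext created from the string given to sslProtocol actually enables on the server side, applies a protocols-style list the way the manual text quoted earlier in the thread describes it (a re-implementation of the documented token semantics, not Tomcat's SSLHostConfig code), and optionally disables TLSv1 and TLSv1.1 through jdk.tls.disabledAlgorithms before JSSE initialises. The class name TlsProtocolCheck and the run argument disable-legacy are invented for the example; the exact sets printed depend on the JVM and on its java.security file.

```java
// TlsProtocolCheck.java -- added example, not Tomcat code and not from the thread.
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsProtocolCheck {

    // The alias the Tomcat manual documents for the token "all".
    private static final Set<String> ALL = Collections.unmodifiableSet(new LinkedHashSet<>(
            Arrays.asList("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")));

    // Re-implementation of the documented semantics of the "protocols" attribute:
    // start from an empty list, "+x" or a bare "x" adds, "-x" removes, "all" expands
    // to ALL. This is the example's own code, not Tomcat's SSLHostConfig parser.
    static Set<String> parseProtocols(String spec) {
        Set<String> result = new LinkedHashSet<>();
        for (String raw : spec.split(",")) {
            String token = raw.trim();
            if (token.isEmpty()) {
                continue;
            }
            boolean remove = token.startsWith("-");
            if (remove || token.startsWith("+")) {
                token = token.substring(1).trim();
            }
            Set<String> expanded = token.equalsIgnoreCase("all") ? ALL : Collections.singleton(token);
            if (remove) {
                result.removeAll(expanded);
            } else {
                result.addAll(expanded);
            }
        }
        return result;
    }

    private static void show(String label, String[] protocols) {
        System.out.println(label + " " + new TreeSet<>(Arrays.asList(protocols)));
    }

    public static void main(String[] args) throws Exception {
        // Optional: emulate the java.security edit on box #1 in-process. JSSE reads this
        // property once when it initialises, so it must be set before the first SSLContext.
        if (args.length > 0 && args[0].equals("disable-legacy")) {
            String current = Security.getProperty("jdk.tls.disabledAlgorithms");
            String extra = "TLSv1, TLSv1.1";
            Security.setProperty("jdk.tls.disabledAlgorithms",
                    (current == null || current.trim().isEmpty()) ? extra : current + ", " + extra);
        }
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // All that sslProtocol="TLSv1.2" does under JSSE: choose this algorithm string.
        // The engine it yields still enables whatever older versions the JVM permits.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // Tomcat is the server side of the handshake
        show("supported by this JVM:         ", engine.getSupportedProtocols());
        show("enabled with protocols unset:  ", engine.getEnabledProtocols());

        // What protocols="..." does: enable the configured set, limited to what the
        // engine supports (an unsupported name such as TLSv1.3 on an old JVM is dropped).
        String[] specs = { "TLSv1.2", "+TLSv1.2,+TLSv1.3", "all,-TLSv1,-TLSv1.1" };
        for (String spec : specs) {
            Set<String> wanted = parseProtocols(spec);
            wanted.retainAll(Arrays.asList(engine.getSupportedProtocols()));
            engine.setEnabledProtocols(wanted.toArray(new String[0]));
            show("protocols=\"" + spec + "\" ->", engine.getEnabledProtocols());
        }
    }
}
```

Compile and run it once as `java TlsProtocolCheck` and once as `java TlsProtocolCheck disable-legacy`. On a JVM whose java.security still permits TLSv1 and TLSv1.1 (box #2's situation), the first run shows them enabled by default even though the context was created from "TLSv1.2"; the second run, like the edited java.security on box #1, removes them without touching the connector. A JVM-level change affects every TLS client and server in that JVM, whereas protocols= only affects the connector it is set on. Neither replaces an external scan: if an F5 or similar device terminates TLS in front of Tomcat, as Jason notes, the scanner reports that device's settings, not these.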


AW: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello Peter,

> -Ursprüngliche Nachricht-
> Von: logo 
> Gesendet: Mittwoch, 10. August 2022 10:22
> An: Tomcat Users List 
> Betreff: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have
> sslProtocol="TLSv1.2"
> 
> Thomas,
> 
> Am 2022-08-10 08:59, schrieb Thomas Hoffmann (Speed4Trade GmbH):
> > Hello,
> >
> >> -Ursprüngliche Nachricht-
> >> Von: Peter Kreuser 
> >> Gesendet: Mittwoch, 10. August 2022 08:44
> >> An: Tomcat Users List 
> >> Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> >> have sslProtocol="TLSv1.2"
> >>
> >>
> >>
> >> James,
> >>
> >> the most recent connector attribute is "protocols". The documentation
> >> is a bit vague on this saying there is an overlap between the two,
> >> yet I don't know if the overlap is there if protocols is unset and
> >> defaults to "all"
> >> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> >>
> >> Peter
> >>
> >> > Am 10.08.2022 um 00:15 schrieb James H. H. Lampert
> >> :
> >> >
> >> > I think this may have come up before, but I don't recall how it was
> resolved.
> >> >
> >> > On customer box #1, I have:
> >> >  protocol="org.apache.coyote.http11.Http11Protocol"
> >> address=""
> >> >   maxThreads="400" SSLEnabled="true" scheme="https"
> secure="true"
> >> >   keystoreFile="/tomcat/wttomcat.ks"
> >> keyAlias=""
> >> >
> >>
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> >>
> TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> >> >
> >> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> >> >
> >> > But on customer box #2, I have:
> >> >
> >> >  protocol="org.apache.coyote.http11.Http11Protocol"
> >> >   maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
> >> >   keystoreFile="/tomcat/wttomcat.ks"
> >> keyAlias=""
> >> >   clientAuth="false" sslProtocol="TLSv1.2" />
> >> >
> >> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> >> >
> >> > What could be wrong here? I vaguely recall seeing something like this
> before.
> >> >
> >> > --
> >> > JHHL
> >> >
> >> >
> >
> > I have configured my connector as follows:
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> >
> >
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImpleme
> ntation"
> >maxThreads="150" minSpareThreads="25"
> >URIEncoding="UTF-8" useBodyEncodingForURI="false"
> >enableLookups="false" disableUploadTimeout="true"
> >acceptCount="100" scheme="https" secure="true"
> >SSLEnabled="true"
> >compression="off" >
> >  />
> >  > ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
> SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-
> SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-
> POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> > disableSessionTickets="true"
> honorCipherOrder="false"
> > protocols="+TLSv1.2,+TLSv1.3">
> >  > certificateFile="../xx.pem" type="RSA"  />
> > 
> > 
> >
> > This gives a good grade when checking with ssllabs.
> > Only TLS 1.2 and 1.3 are enabled.
> >
> 
> of course SSLHostConfig is the modern and preferred way. But unless you have
> plenty of time, it's a hassle to migrate many boxes to the new way...
> 
> Peter
> 
> > Greetings, Thomas
> >

The attributes are quite similar or the same, just located at other 
xml-elements, so you can still use the attributes like "protocols" or "ciphers".
Just located at different tags.

Sooner or later the old syntax will get deprecated. So it's usually a matter of 
time when you have the hassle ;)

Greetings, Thomas




Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread logo

Thomas,

Am 2022-08-10 08:59, schrieb Thomas Hoffmann (Speed4Trade GmbH):

Hello,


-Ursprüngliche Nachricht-
Von: Peter Kreuser 
Gesendet: Mittwoch, 10. August 2022 08:44
An: Tomcat Users List 
Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have
sslProtocol="TLSv1.2"



James,

the most recent connector attribute is "protocols". The documentation is a bit 
vague on this saying there is an overlap between the two, yet I don't know if the 
overlap is there if protocols is unset and defaults to "all"
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

Peter

> Am 10.08.2022 um 00:15 schrieb James H. H. Lampert
:
>
> I think this may have come up before, but I don't recall how it was resolved.
>
> On customer box #1, I have:
>maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="/tomcat/wttomcat.ks"
keyAlias=""
>
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
>   clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
>
> But on customer box #2, I have:
>
>maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="/tomcat/wttomcat.ks"
keyAlias=""
>   clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
>
> What could be wrong here? I vaguely recall seeing something like this before.
>
> --
> JHHL
>
>


I have configured my connector as follows:
protocol="org.apache.coyote.http11.Http11NioProtocol"


sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
   maxThreads="150" minSpareThreads="25"
   URIEncoding="UTF-8" useBodyEncodingForURI="false"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   SSLEnabled="true"
   compression="off" >






This gives a good grade when checking with ssllabs.
Only TLS 1.2 and 1.3 are enabled.



of course SSLHostConfig is the modern and preferred way. But unless you 
have plenty of time, it's a hassle to migrate many boxes to the new 
way...


Peter


Greetings, Thomas




AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

> -Ursprüngliche Nachricht-
> Von: Peter Kreuser 
> Gesendet: Mittwoch, 10. August 2022 08:44
> An: Tomcat Users List 
> Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have
> sslProtocol="TLSv1.2"
> 
> 
> 
> James,
> 
> the most recent connector attribute is "protocols". The documentation is a bit
> vague on this saying there is an overlap between the two, yet I don't know if
> the overlap is there if protocols is unset and defaults to "all"
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> 
> Peter
> 
> > Am 10.08.2022 um 00:15 schrieb James H. H. Lampert
> :
> >
> > I think this may have come up before, but I don't recall how it was 
> > resolved.
> >
> > On customer box #1, I have:
> >  address=""
> >   maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
> >   keystoreFile="/tomcat/wttomcat.ks"
> keyAlias=""
> >
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> >   clientAuth="false" sslProtocol="TLSv1.2" />
> >
> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> >
> > But on customer box #2, I have:
> >
> >  >   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >   keystoreFile="/tomcat/wttomcat.ks"
> keyAlias=""
> >   clientAuth="false" sslProtocol="TLSv1.2" />
> >
> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> >
> > What could be wrong here? I vaguely recall seeing something like this 
> > before.
> >
> > --
> > JHHL
> >
> >

I have configured my connector as follows:







This gives a good grade when checking with ssllabs.
Only TLS 1.2 and 1.3 are enabled.

Greetings, Thomas




Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-10 Thread Peter Kreuser


James,

the most recent connector attribute is "protocols". The documentation is a bit 
vague on this saying there is an overlap between the two, yet I don't know if 
the overlap is there if protocols is unset and defaults to "all"
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

Peter

> Am 10.08.2022 um 00:15 schrieb James H. H. Lampert 
> :
> 
> I think this may have come up before, but I don't recall how it was resolved.
> 
> On customer box #1, I have:
>  address=""
>   maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="/tomcat/wttomcat.ks" keyAlias=""
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
>   clientAuth="false" sslProtocol="TLSv1.2" /> 
> 
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> 
> But on customer box #2, I have:
> 
>maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="/tomcat/wttomcat.ks" keyAlias=""
>   clientAuth="false" sslProtocol="TLSv1.2" />
> 
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> 
> What could be wrong here? I vaguely recall seeing something like this before.
> 
> --
> JHHL
> 
> 


Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-09 Thread Shawn Heisey

On 8/9/22 16:13, James H. H. Lampert wrote:


> On customer box #1, I have:
> protocol="org.apache.coyote.http11.Http11Protocol" address=""
>    maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
>    keystoreFile="/tomcat/wttomcat.ks" keyAlias=""
>    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
>    clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
>
> But on customer box #2, I have:
>
>    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>    keystoreFile="/tomcat/wttomcat.ks" keyAlias=""
>    clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
>
> What could be wrong here? I vaguely recall seeing something like this before.


I am actually quite clueless about how to configure TLS in Tomcat ... 
but I can see that you clearly have a difference between the two 
configs.  The first one has a ciphers="stuff" section and the second one 
doesn't.  If I had to guess, and I confess I do not know TLS well enough 
to say anything definitively, I believe the ciphers you have listed in 
that config will not work with older TLS versions.


An SSL Labs report for my website (which is using haproxy for TLS, none 
of the backends are Tomcat) shows that it allows three ciphers for TLS 
1.3 and three ciphers for TLS 1.2.


1.3: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, 
TLS_AES_128_GCM_SHA256
1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


I have more ciphers configured than this, but I am pretty sure that 
these are the only ones in my configured list that work with the newer 
TLS versions.


Thanks,
Shawn





SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-09 Thread James H. H. Lampert
I think this may have come up before, but I don't recall how it was 
resolved.


On customer box #1, I have:
address=""
   maxThreads="400" SSLEnabled="true" scheme="https" 
secure="true"
   keystoreFile="/tomcat/wttomcat.ks" 
keyAlias=""


ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
   clientAuth="false" sslProtocol="TLSv1.2" /> 



and an SSLLabs scan shows it accepting only TLSv1.2, as it should.

But on customer box #2, I have:

   keystoreFile="/tomcat/wttomcat.ks" 
keyAlias=""

   clientAuth="false" sslProtocol="TLSv1.2" />

and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.

What could be wrong here? I vaguely recall seeing something like this 
before.


--
JHHL
