Chris,

On 28.10.2013 21:45, Chris Arnold wrote:
Let us first determine which connector do you have configured (BIO, NIO
or APR), because HTTPS configuration depends on connector type. Could
you send your server.xml with comments and sensitive information removed?

<?xml version='1.0' encoding='utf-8'?>
<!--

Please, remove comments next time, it will make it easier for us to read.


     <Connector port="xxxxxx" URIEncoding="UTF-8" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="xxxxx" maxHttpHeaderSize="32768" />
...
     <Connector port="xxxxx" URIEncoding="UTF-8" protocol="HTTP/1.1" 
SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="32768" 
/>
...
     <Connector port="xxxxx" URIEncoding="UTF-8" protocol="AJP/1.3" 
redirectPort="xxxxx" />

     <Connector port="xxxxx" URIEncoding="UTF-8" 
protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
                maxThreads="150" scheme="https" 
keystoreFile="/opt/alfresco/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t" 
keystoreType="JCEKS"
  secure="true" connectionTimeout="240000" 
truststoreFile="/opt/alfresco/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t" 
truststoreType="JCEKS"
                clientAuth="want" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" 
maxHttpHeaderSize="32768" />

Ok, so you have four connectors configured. First two of them have attribute protocol="HTTP/1.1", which means that it will automatically select between APR and BIO connector. APR will be selected if the appropriate library is found on the system. If not, BIO connector will be selected.

Note that you disclosed your keystore passwords on a public mailing list, so you may consider changing them.


Here it is but you will see both being initialized:
Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]

Ok, so APR library is found, and APR HTTP connector is initialized on port 8080.

Second (HTTPS APR auto select) connector probably fails to initialize since you didn't provide necessary files containing key and certificates.


Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]

This is the third connector in your configuration. It is used for communication between Apache httpd and Apache Tomcat. In case you don't use httpd, you may comment that one out.


Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]

This is the fourth connector from your configuration, and it is a BIO connector, since attribute protocol is set to "org.apache.coyote.http11.Http11Protocol". It seems to be working fine.


Now you have two HTTPS connectors configured, APR (2nd in your configuration) and BIO (fourth in your configuration). APR fails to start. It is not clear from the information you provided so far whether you are trying to configure the APR connector, but I will assume you do, since the BIO connector looks configured already.

You will have to make sure that the ports for the APR and BIO connectors differ.

Now, for the APR connector, you don't need a keystore, but separate files for server key, server certificates, and intermediate certificates. Then add those attributes to the APR connector:

  SSLCertificateFile="/home/tomcat/server.cert"
  SSLCertificateKeyFile="/home/tomcat/server.key"
  SSLCertificateChainFile="/home/tomcat/intermediates.pem"

When you get the APR HTTPS connector up and running, to remove weak ciphers from the OpenSSL default configuration, I strongly suggest that you also restrict the ciphers in use, using these two attributes in the connector configuration (*):

    SSLHonorCipherOrder="true"

SSLCipherSuite="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

For more info on setting up APR HTTPS connector, please read:


https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

-Ognjen


(*) As recommended by Ivan Ristic:

https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy#/?page=2
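One way to check a server.xml for the problems discussed in this reply (two connectors on the same port, an APR HTTPS connector without PEM key/certificate files, no cipher restriction). This is an added example, not code from the thread or from Tomcat; the sample configuration, its ports and paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configuration quoted in the thread
# (placeholder ports and paths; this is not the original poster's file).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path/to/ssl.keystore" keystorePass="PLACEHOLDER"
             clientAuth="want" sslProtocol="TLS"/>
</Service></Server>"""

# Explicit protocol class names select a fixed implementation; the generic
# "HTTP/1.1" value auto-selects APR when the native library is present, else BIO.
EXPLICIT = {
    "org.apache.coyote.http11.Http11Protocol": "bio",
    "org.apache.coyote.http11.Http11NioProtocol": "nio",
    "org.apache.coyote.http11.Http11AprProtocol": "apr",
}


def connector_kind(protocol, apr_available):
    if protocol.startswith("AJP"):
        return "ajp"
    if protocol == "HTTP/1.1":
        return "apr" if apr_available else "bio"
    return EXPLICIT.get(protocol, "unknown")


def lint_connectors(xml_text, apr_available=True):
    """Return (port, kind, message) tuples for the issues raised in the thread."""
    findings, ports_seen = [], {}
    for c in ET.fromstring(xml_text).iter("Connector"):
        port = c.get("port")
        kind = connector_kind(c.get("protocol", "HTTP/1.1"), apr_available)
        if port in ports_seen:  # two connectors cannot bind the same port
            findings.append((port, kind, f"port already used by {ports_seen[port]} connector"))
        ports_seen.setdefault(port, kind)
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        if kind == "apr":  # APR reads PEM files, not a Java keystore
            missing = [a for a in ("SSLCertificateFile", "SSLCertificateKeyFile") if not c.get(a)]
            if missing:
                findings.append((port, kind, "APR HTTPS connector missing " + ", ".join(missing)))
            if not (c.get("SSLHonorCipherOrder") and c.get("SSLCipherSuite")):
                findings.append((port, kind, "no SSLHonorCipherOrder/SSLCipherSuite restriction"))
        elif kind in ("bio", "nio") and not c.get("keystoreFile"):
            findings.append((port, kind, "JSSE HTTPS connector without keystoreFile (default ~/.keystore)"))
    return findings
```

Run `lint_connectors(SAMPLE_SERVER_XML)` to see the APR connector flagged for missing PEM files and ciphers, and the BIO connector flagged for reusing port 8443; pass `apr_available=False` to see how the same file is interpreted on a host without the native library.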
