Chris,
On 28.10.2013 21:45, Chris Arnold wrote:
>> Let us first determine which connector do you have configured (BIO, NIO
>> or APR), because HTTPS configuration depends on connector type. Could
>> you send your server.xml with comments and sensitive information removed?
> <?xml version='1.0' encoding='utf-8'?>
> <!--
Please, remove comments next time, it will make it easier for us to read.
> <Connector port="xxxxxx" URIEncoding="UTF-8" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="xxxxx" maxHttpHeaderSize="32768" />
> ...
> <Connector port="xxxxx" URIEncoding="UTF-8" protocol="HTTP/1.1"
> SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" maxHttpHeaderSize="32768"
> />
> ...
> <Connector port="xxxxx" URIEncoding="UTF-8" protocol="AJP/1.3"
> redirectPort="xxxxx" />
> <Connector port="xxxxx" URIEncoding="UTF-8"
> protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
> maxThreads="150" scheme="https"
> keystoreFile="/opt/alfresco/alf_data/keystore/ssl.keystore" keystorePass="kT9X6oe68t"
> keystoreType="JCEKS"
> secure="true" connectionTimeout="240000"
> truststoreFile="/opt/alfresco/alf_data/keystore/ssl.truststore" truststorePass="kT9X6oe68t"
> truststoreType="JCEKS"
> clientAuth="want" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true"
> maxHttpHeaderSize="32768" />
Ok, so you have four connectors configured. The first two of them have
attribute protocol="HTTP/1.1", which means that Tomcat will automatically
select between APR and BIO connector. APR will be selected if the appropriate
library is found on the system. If not, BIO connector will be selected.
Note that you disclosed your keystore passwords on a public mailing list,
so you may consider changing them.
> Here it is but you will see both being initialized:
> Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-apr-8080"]
Ok, so the APR library is found, and the APR HTTP connector is initialized on
port 8080.
The second (HTTPS, APR auto-selected) connector probably fails to initialize
since you didn't provide the necessary files containing key and certificates.
> Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
This is the third connector in your configuration. It is used for
communication between Apache httpd and Apache Tomcat. In case you don't
use httpd, you may comment that one out.
> Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
This is the fourth connector from your configuration, and it is a BIO
connector, since the attribute protocol is set to
"org.apache.coyote.http11.Http11Protocol". It seems to be working fine.
Now you have two HTTPS connectors configured, APR (2nd in your
configuration) and BIO (fourth in your configuration). APR fails to
start. It is not clear from the information you provided so far whether you
are trying to configure the APR connector, but I will assume you do, since the BIO
connector looks configured already.
You will have to make sure that the ports for the APR and BIO connectors differ.
Now, for the APR connector, you don't need a keystore, but separate files for
the server key, server certificate, and intermediate certificates. Then add
those attributes to the APR connector:
SSLCertificateFile="/home/tomcat/server.cert"
SSLCertificateKeyFile="/home/tomcat/server.key"
SSLCertificateChainFile="/home/tomcat/intermediates.pem"
When you get the APR HTTPS connector up and running, to remove weak ciphers
from the OpenSSL default configuration, I strongly suggest that you also
restrict the ciphers in use, by adding these two attributes to the connector
configuration (*):
SSLHonorCipherOrder="true"
SSLCipherSuite="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
For more info on setting up APR HTTPS connector, please read:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
-Ognjen
(*) As recommended by Ivan Ristic:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy#/?page=2
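Added example, not part of the thread and not Tomcat's own code: a small audit script that reads a server.xml and reports the connector-level problems discussed above (HTTP/1.1 auto-selecting APR vs BIO, an APR HTTPS connector with no SSLCertificateFile/SSLCertificateKeyFile, no cipher restriction, two connectors sharing a port, allowUnsafeLegacyRenegotiation, and keystore passwords sitting in the file). The embedded server.xml is constructed to mirror the four-connector layout in the thread; its ports and passwords are placeholders.

```python
"""Audit Tomcat 7 <Connector> elements in server.xml for the TLS issues
raised in the thread. Added example; SAMPLE_SERVER_XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's layout: HTTP (auto), HTTPS (auto),
# AJP, HTTPS (explicit BIO). Ports and passwords are placeholders.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/example/ssl.keystore" keystorePass="PLACEHOLDER"
               truststoreFile="/opt/example/ssl.truststore" truststorePass="PLACEHOLDER"
               clientAuth="want" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true"/>
  </Service>
</Server>
"""


def connector_kind(protocol, apr_available=True):
    """Resolve the protocol attribute to the implementation Tomcat 7 will run.
    protocol="HTTP/1.1" (or absent) auto-selects APR when the native library
    loads, otherwise BIO; the explicit class names pin the implementation."""
    if protocol in (None, "HTTP/1.1"):
        return "apr" if apr_available else "bio"
    if protocol == "org.apache.coyote.http11.Http11Protocol":
        return "bio"
    if protocol == "org.apache.coyote.http11.Http11NioProtocol":
        return "nio"
    if protocol == "org.apache.coyote.http11.Http11AprProtocol":
        return "apr"
    if "ajp" in protocol.lower():
        return "ajp"
    return "other"


def _is_true(attrs, name):
    return attrs.get(name, "false").strip().lower() == "true"


def audit_connectors(xml_text, apr_available=True):
    """Return a list of human-readable findings for every <Connector>."""
    root = ET.fromstring(xml_text)
    findings = []
    port_use = {}
    for conn in root.iter("Connector"):
        a = conn.attrib
        port = a.get("port", "?")
        kind = connector_kind(a.get("protocol"), apr_available)
        port_use[port] = port_use.get(port, 0) + 1
        tag = f"port {port} ({kind})"

        # Passwords in server.xml are a disclosure risk whenever the file is shared.
        for secret in ("keystorePass", "truststorePass"):
            if secret in a:
                findings.append(f"{tag}: {secret} is stored in server.xml")

        if not _is_true(a, "SSLEnabled"):
            continue

        if kind == "apr":
            # APR/OpenSSL takes PEM files, not a Java keystore.
            for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if needed not in a:
                    findings.append(f"{tag}: missing {needed}")
            if not _is_true(a, "SSLHonorCipherOrder"):
                findings.append(f"{tag}: SSLHonorCipherOrder is not true")
            if "SSLCipherSuite" not in a:
                findings.append(f"{tag}: SSLCipherSuite not set; OpenSSL defaults "
                                "include weak ciphers")
        else:
            # JSSE connectors (BIO/NIO) read a keystore; default is ~/.keystore.
            if "keystoreFile" not in a:
                findings.append(f"{tag}: keystoreFile not set; JSSE falls back "
                                "to ~/.keystore")

        if _is_true(a, "allowUnsafeLegacyRenegotiation"):
            findings.append(f"{tag}: allowUnsafeLegacyRenegotiation=true")

    for port, n in port_use.items():
        if n > 1:
            findings.append(f"port {port}: used by {n} connectors; "
                            "each connector needs its own port")
    return findings


if __name__ == "__main__":
    for line in audit_connectors(SAMPLE_SERVER_XML):
        print(line)
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; pass apr_available=False to see what the same file means on a host where the native library is absent and the HTTP/1.1 connectors silently become BIO.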
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org