On 4/29/22 12:14, Kaushal Shriyan wrote:
Thanks, Peter, for the link; it worked like a charm. I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have enabled the TLSv1.3 protocol as per the below block, but when I ran the scan https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 -> No* as per the below scan results.

<Connector port="443" protocol="HTTP/1.1"
               connectionTimeout="20000"
               SSLEnabled="true"  scheme="https" ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat" clientAuth="false" disableSessionTickets="true" honorCipherOrder="true" *SSLProtocol="TLSv1.2+TLSv1.3"*
               redirectPort="8443" />

I can think of two possible reasons for a problem like this.

1. Your cipher list isn't compatible with TLS 1.3.
2. You're not running a new enough Java version. (8u261 b12 minimum)

Based on what I have been able to figure out, I think it's probably your cipher list.  If you are using the standard Java TLS and not the tomcat native library that uses openssl, then your cipher list is unlikely to work -- those look like openssl cipher names, and Java uses different names.

I think this cipher list might get you TLS 1.2 and 1.3 support with Java:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

To get that list, I converted the cipher list I use in haproxy, which uses openssl for tls, using the info found here:

https://stackoverflow.com/a/32654075/2665648

Thanks,
Shawn
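The two conditions Shawn's reply raises (a TLS 1.3 suite has to be in the cipher list, and the names have to follow the convention of the TLS stack in use) can be checked statically before restarting Tomcat. The script below is an added example, not code from the thread or from Tomcat; it classifies each entry of a `ciphers` value by naming convention (the RFC 8446 TLS 1.3 suites, JSSE/IANA-style `TLS_..._WITH_...` names, or hyphenated OpenSSL-style names), expands the protocol list, and reports whether TLS 1.3 could be negotiated at all. The protocol-list grammar (tokens separated by `,` or `+`, leading `-` removes, `all` expands) and the contents of `all` are assumptions drawn from Tomcat's SSLHostConfig documentation, not verified against this server.

```python
"""Static TLS 1.3 readiness check for a Tomcat connector's ciphers/protocols values.

Added example (not Tomcat code). It inspects configuration strings only; it does not
contact the server or the JVM, so it cannot tell you what the JVM actually supports.
"""
import re
from dataclasses import dataclass, field

# The five TLS 1.3 cipher suites defined in RFC 8446. OpenSSL and JSSE use the same names.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Assumption: what the 'all' keyword expands to (simplified; check your Tomcat version's docs).
ALL_PROTOCOLS = ("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def naming_convention(name: str) -> str:
    """Classify one cipher entry as 'tls13', 'jsse' (IANA-style) or 'openssl' (hyphenated)."""
    if name in TLS13_SUITES:
        return "tls13"
    # JSSE names look like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    if re.fullmatch(r"(TLS|SSL)_[A-Z0-9_]+_WITH_[A-Z0-9_]+", name):
        return "jsse"
    # OpenSSL names look like ECDHE-RSA-AES128-GCM-SHA256 (or keywords such as HIGH, !aNULL)
    return "openssl"


def parse_protocols(value: str) -> set:
    """Expand a protocols value such as 'TLSv1.2+TLSv1.3' or 'all,-TLSv1'.

    Assumption: tokens are separated by ',' or '+', a leading '-' removes a protocol,
    and 'all' adds every name in ALL_PROTOCOLS. Tokens apply in order.
    """
    enabled = set()
    for token in re.split(r"[,+]", value):
        token = token.strip()
        if not token:
            continue
        remove = token.startswith("-")
        token = token.lstrip("+-")
        names = set(ALL_PROTOCOLS) if token.lower() == "all" else {token}
        if remove:
            enabled -= names
        else:
            enabled |= names
    return enabled


@dataclass
class Report:
    enabled_protocols: set
    by_convention: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    @property
    def tls13_possible(self) -> bool:
        # Both conditions must hold: the protocol is enabled and a TLS 1.3 suite is listed.
        return "TLSv1.3" in self.enabled_protocols and bool(self.by_convention.get("tls13"))


def analyze(ciphers: str, protocols: str) -> Report:
    """Group cipher entries by naming convention and list the reasons TLS 1.3 could fail."""
    groups = {"tls13": [], "jsse": [], "openssl": []}
    for entry in ciphers.split(":"):
        entry = entry.strip()
        if entry:
            groups[naming_convention(entry)].append(entry)
    report = Report(parse_protocols(protocols), groups)
    if "TLSv1.3" not in report.enabled_protocols:
        report.findings.append("TLSv1.3 is not in the enabled protocol list")
    if not groups["tls13"]:
        report.findings.append("no TLS 1.3 suite (TLS_AES_* / TLS_CHACHA20_*) in the cipher list")
    if groups["openssl"] and groups["jsse"]:
        report.findings.append("cipher list mixes OpenSSL-style and JSSE-style names")
    elif groups["openssl"]:
        report.findings.append("all entries use OpenSSL-style names; the JSSE names for the same "
                               "suites have the form TLS_..._WITH_...")
    return report


# Sample inputs taken from the thread above: the original connector's list and Shawn's list.
THREAD_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                  "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
SHAWN_CIPHERS = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
                 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:"
                 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:"
                 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
                 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")

if __name__ == "__main__":
    for label, ciphers in (("thread connector", THREAD_CIPHERS), ("Shawn's list", SHAWN_CIPHERS)):
        r = analyze(ciphers, "TLSv1.2+TLSv1.3")
        print(f"{label}: TLS 1.3 possible = {r.tls13_possible}; findings = {r.findings}")
```

Run against the thread's own connector the report says TLS 1.3 cannot be negotiated because no TLS 1.3 suite is listed and every entry is OpenSSL-style; run against Shawn's list it passes both checks. A passing report only means the configuration is not the blocker; the JVM version condition in Shawn's reply still has to be checked on the host.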

