> -----Original Message-----
> From: Shawn Heisey <apa...@elyograg.org>
> Sent: Saturday, 30 April 2022 00:18
> To: users@tomcat.apache.org
> Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
> 
> On 4/29/22 12:14, Kaushal Shriyan wrote:
> > Thanks Peter for the link and it worked like a charm. I am running the
> > tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have
> > enabled the TLSv1.3 protocol as per the below block, but when I ran the
> > scan https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 ->
> > No* as per the below scan results.
> >
> > <Connector port="443" protocol="HTTP/1.1"
> >            connectionTimeout="20000"
> >            SSLEnabled="true" scheme="https"
> >            ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> >            keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat"
> >            clientAuth="false" disableSessionTickets="true"
> >            honorCipherOrder="true" SSLProtocol="TLSv1.2+TLSv1.3"
> >            redirectPort="8443" />
> 
> I can think of two possible reasons for a problem like this.
> 
> 1. Your cipher list isn't compatible with TLS 1.3.
> 2. You're not running a new enough Java version. (8u261 b12 minimum)
> 
> Based on what I have been able to figure out, I think it's probably your
> cipher list.  If you are using the standard Java TLS and not the tomcat
> native library that uses openssl, then your cipher list is unlikely to
> work -- those look like openssl cipher names, and Java uses different names.
> 
> I think this cipher list might get you TLS 1.2 and 1.3 support with Java:
> 
> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> 
> To get that list, I converted the cipher list I use in haproxy, which uses
> openssl for tls, using the info found here:
> 
> https://stackoverflow.com/a/32654075/2665648
> 
> Thanks,
> Shawn
> 
> 

That's how I configured the connector, and it is using TLS 1.3:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           maxThreads="150" minSpareThreads="25"
           URIEncoding="UTF-8" useBodyEncodingForURI="false"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           compression="off">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
                   disableSessionTickets="true"
                   honorCipherOrder="false"
                   protocols="+TLSv1.2,+TLSv1.3">
        <Certificate certificateKeyFile="<path>ssl.key"
                     certificateFile="<path>ssl.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

A good source for a hardened configuration is also:
https://success.qualys.com/discussions/s/question/0D52L00006230HeSAI/a-grade-for-tomcat10
  

Greetings, Thomas
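Added here as an editor's example, not code from Tomcat or from anyone in this thread: a small Python linter for the ciphers value that both connectors above carry. It splits the list, tells OpenSSL spellings from JSSE/IANA ones, translates the OpenSSL names by their structure (the conversion Shawn did by hand via the Stack Overflow table) and reports the condition that decides whether a TLS 1.3 handshake is possible. With the JSSE implementation Tomcat enables exactly the suites named, so a list containing none of the TLS 1.3 suites (TLS_AES_128_GCM_SHA256 and friends) leaves only TLS 1.2 to negotiate; with the OpenSSL implementation the TLS 1.3 suites live in OpenSSL's separate ciphersuites setting (SSL_CTX_set_ciphersuites), which is populated by default, so the same list still yields TLS 1.3. That matches the two results reported in this thread. Tomcat's documentation states the ciphers attribute accepts either spelling on both implementations, so the translation is for reading the list against Java's own suite names, not a required rewrite. The function names, the 'jsse'/'openssl' labels and the 'warn'/'info' levels are the example's own; the two cipher strings are the ones posted above.

```python
"""Lint a Tomcat ``ciphers`` value for TLS 1.3 readiness (editor's example)."""
import re

# The five TLS 1.3 cipher suites (RFC 8446, appendix B.4). OpenSSL and Java
# both use these IANA names for them.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# OpenSSL spellings of (EC)DHE suites: <kx>-<auth>-<cipher><bits>-[GCM-]<hash>.
_AEAD = re.compile(r"(ECDHE|DHE)-(RSA|ECDSA)-(AES)(128|256)-(GCM)-(SHA256|SHA384)")
_CHACHA = re.compile(r"(ECDHE|DHE)-(RSA|ECDSA)-CHACHA20-POLY1305")
_CBC = re.compile(r"(ECDHE|DHE)-(RSA|ECDSA)-(AES)(128|256)-(SHA256|SHA384|SHA)")


def parse_cipher_list(value):
    """Split a ciphers attribute; Tomcat accepts ':' (OpenSSL style) and ','."""
    return [c.strip() for c in re.split(r"[:,\s]+", value) if c.strip()]


def naming_style(name):
    """Classify one entry: 'tls13', 'jsse' (TLS_/SSL_ prefix), 'openssl' or 'other'."""
    if name in TLS13_SUITES:
        return "tls13"
    if name.startswith(("TLS_", "SSL_")):
        return "jsse"
    if "-" in name:
        return "openssl"
    return "other"  # OpenSSL keywords such as HIGH, !aNULL, @STRENGTH


def openssl_to_iana(name):
    """Translate an OpenSSL suite name to its IANA/JSSE name by structure."""
    if name in TLS13_SUITES:
        return name
    m = _AEAD.fullmatch(name)
    if m:
        kx, auth, ciph, bits, mode, h = m.groups()
        return f"TLS_{kx}_{auth}_WITH_{ciph}_{bits}_{mode}_{h}"
    m = _CHACHA.fullmatch(name)
    if m:
        kx, auth = m.groups()
        # OpenSSL omits the PRF hash for ChaCha20; IANA spells it out.
        return f"TLS_{kx}_{auth}_WITH_CHACHA20_POLY1305_SHA256"
    m = _CBC.fullmatch(name)
    if m:
        kx, auth, ciph, bits, h = m.groups()
        return f"TLS_{kx}_{auth}_WITH_{ciph}_{bits}_CBC_{h}"
    raise ValueError(f"no translation rule for {name!r}")


def lint_ciphers(value, implementation):
    """Return findings for a cipher list under 'jsse' or 'openssl' Tomcat TLS.

    Findings are (level, message) tuples; level is 'warn' or 'info'.
    """
    names = parse_cipher_list(value)
    styles = [naming_style(n) for n in names]
    tls13 = [n for n, s in zip(names, styles) if s == "tls13"]
    findings = []
    if "openssl" in styles and "jsse" in styles:
        findings.append(("warn", "mixed OpenSSL and JSSE spellings in one list"))
    if not tls13:
        if implementation == "jsse":
            # JSSE enables exactly the suites named here; with none of the
            # TLS 1.3 suites present the server can only settle on TLS 1.2.
            findings.append(("warn", "no TLS 1.3 suite listed: JSSE cannot negotiate TLS 1.3"))
        else:
            # OpenSSL keeps TLS 1.3 suites in a separate setting
            # (SSL_CTX_set_ciphersuites) that is populated by default, so an
            # all-TLS-1.2 cipher list does not block TLS 1.3 there.
            findings.append(("info", "no TLS 1.3 suite listed: OpenSSL enables its defaults anyway"))
    iana = [openssl_to_iana(n) if s == "openssl" else n for n, s in zip(names, styles)]
    return {"tls13": tls13, "iana": iana, "findings": findings}


# The two lists posted in this thread (Thomas's list is identical to Kaushal's).
KAUSHAL_LIST = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
SHAWN_LIST = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:"
              "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:"
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
              "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")

if __name__ == "__main__":
    for label, value, impl in (("Kaushal, JSSE", KAUSHAL_LIST, "jsse"),
                               ("Thomas, OpenSSL", KAUSHAL_LIST, "openssl"),
                               ("Shawn, JSSE", SHAWN_LIST, "jsse")):
        result = lint_ciphers(value, impl)
        print(label, result["findings"])
        for name in result["iana"]:
            print("   ", name)
```

Run it as a script to see the three verdicts side by side; the JSSE run of the first list produces the warning that corresponds to the "TLS 1.3 -> No" scan result, the OpenSSL run of the same list only an informational note.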

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
