> -----Original Message-----
> From: Shawn Heisey <apa...@elyograg.org>
> Sent: Saturday, 30 April 2022 00:18
> To: users@tomcat.apache.org
> Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
>
> On 4/29/22 12:14, Kaushal Shriyan wrote:
> > Thanks Peter for the link and it worked like a charm. I am running the
> > tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have
> > enabled the TLSv1.3 protocol as per the below block but when I ran the
> > scan https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 -> No*
> > as per the below scan results.
> >
> > <Connector port="443" protocol="HTTP/1.1"
> >            connectionTimeout="20000"
> >            SSLEnabled="true" scheme="https"
> >            ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> >            keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat"
> >            clientAuth="false" disableSessionTickets="true"
> >            honorCipherOrder="true" *SSLProtocol="TLSv1.2+TLSv1.3"*
> >            redirectPort="8443" />
>
> I can think of two possible reasons for a problem like this.
>
> 1. Your cipher list isn't compatible with TLS 1.3.
> 2. You're not running a new enough Java version. (8u261 b12 minimum)
>
> Based on what I have been able to figure out, I think it's probably your cipher
> list. If you are using the standard Java TLS and not the tomcat native library
> that uses openssl, then your cipher list is unlikely to work -- those look like
> openssl cipher names, and Java uses different names.
>
> I think this cipher list might get you TLS 1.2 and 1.3 support with Java:
>
> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>
> To get that list, I converted the cipher list I use in haproxy, which uses
> openssl for tls, using the info found here:
>
> https://stackoverflow.com/a/32654075/2665648
>
> Thanks,
> Shawn
>
That's how I configured the connector and it is using TLS 1.3:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           maxThreads="150" minSpareThreads="25"
           URIEncoding="UTF-8" useBodyEncodingForURI="false"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true" compression="off">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <!-- OpenSSL engine (see sslImplementationName above), so the cipher names are OpenSSL spellings -->
    <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
                   disableSessionTickets="true" honorCipherOrder="false"
                   protocols="+TLSv1.2,+TLSv1.3">
        <Certificate certificateKeyFile="<path>ssl.key"
                     certificateFile="<path>ssl.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

A good source for a hardened configuration is also:
https://success.qualys.com/discussions/s/question/0D52L00006230HeSAI/a-grade-for-tomcat10

Greetings,
Thomas
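As an added example (not from any of the posters, and not Tomcat's own code), a small Python helper that performs the OpenSSL-to-JSSE cipher-name conversion Shawn describes, applied to the connector list quoted from Kaushal's config, and reports whether the resulting list contains any TLS 1.3 suite at all. The mapping table is my own and covers only the suites that appear in this thread.

```python
# OpenSSL bulk-cipher/MAC spellings -> IANA/JSSE spellings (thread's suites only).
_BULK = {
    "AES128-GCM-SHA256": "AES_128_GCM_SHA256",
    "AES256-GCM-SHA384": "AES_256_GCM_SHA384",
    "AES128-SHA256": "AES_128_CBC_SHA256",
    "AES256-SHA384": "AES_256_CBC_SHA384",
    "CHACHA20-POLY1305": "CHACHA20_POLY1305_SHA256",
}
# Key-exchange/authentication prefixes used in the lists above.
_KX = ("ECDHE-ECDSA", "ECDHE-RSA", "DHE-RSA")

# TLS 1.3 suites carry the same name in OpenSSL and JSSE; a JSSE endpoint
# cannot negotiate TLS 1.3 unless at least one of them is enabled.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

# Constructed copy of the cipher string from the quoted HTTP/1.1 connector.
KAUSHAL_OPENSSL_LIST = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                        "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")


def openssl_to_jsse(name: str) -> str:
    """Translate one OpenSSL cipher name to its IANA (JSSE) name."""
    if name in TLS13_SUITES:
        return name
    for kx in _KX:
        bulk = name[len(kx) + 1:]
        if name.startswith(kx + "-") and bulk in _BULK:
            return "TLS_" + kx.replace("-", "_") + "_WITH_" + _BULK[bulk]
    raise ValueError(f"no JSSE mapping known for {name!r}")


def convert_list(openssl_list: str) -> list:
    """Convert a colon-separated OpenSSL cipher string to a list of JSSE names."""
    return [openssl_to_jsse(n) for n in openssl_list.split(":") if n]


def tls13_capable(jsse_suites) -> bool:
    """True if the enabled-suite list would let JSSE negotiate TLS 1.3."""
    return any(s in TLS13_SUITES for s in jsse_suites)


if __name__ == "__main__":
    jsse = convert_list(KAUSHAL_OPENSSL_LIST)
    print(":".join(jsse))
    print("TLS 1.3 possible with JSSE:", tls13_capable(jsse))  # False: no TLS 1.3 suite
```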