AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

Tue, 09 Aug 2022 23:59:52 -0700 

Hello,

> -----Ursprüngliche Nachricht-----
> Von: Peter Kreuser <l...@kreuser.name>
> Gesendet: Mittwoch, 10. August 2022 08:44
> An: Tomcat Users List <users@tomcat.apache.org>
> Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have
> sslProtocol="TLSv1.2"
> 
> 
> 
> James,
> 
> the most recent connector attribute is "protocols". The documentation is a bit
> vague on this saying there is an overlap between the two, yet I don't know if 
> the
> overlap is there if protocols is unset and defaults to "all"....
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> 
> Peter
> 
> > Am 10.08.2022 um 00:15 schrieb James H. H. Lampert
> <jam...@touchtonecorp.com.invalid>:
> >
> > I think this may have come up before, but I don't recall how it was 
> > resolved.
> >
> > On customer box #1, I have:
> > <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> address="<REDACTED>"
> >           maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
> >           keystoreFile="<REDACTED>/tomcat/wttomcat.ks"
> keyAlias="<REDACTED>"
> >
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> >           clientAuth="false" sslProtocol="TLSv1.2" />
> >
> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> >
> > But on customer box #2, I have:
> >
> > <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> >           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >           keystoreFile="<REDACTED>/tomcat/wttomcat.ks"
> keyAlias="<REDACTED>"
> >           clientAuth="false" sslProtocol="TLSv1.2" />
> >
> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> >
> > What could be wrong here? I vaguely recall seeing something like this 
> > before.
> >
> > --
> > JHHL
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >

I have configured my connector as follows:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
         
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               maxThreads="150" minSpareThreads="25"
               URIEncoding="UTF-8" useBodyEncodingForURI="false"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true"
               compression="off" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig 
ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
                        disableSessionTickets="true"  honorCipherOrder="false"  
 protocols="+TLSv1.2,+TLSv1.3">
                <Certificate certificateKeyFile="../xx.key" 
certificateFile="../xx.pem" type="RSA"      />
        </SSLHostConfig>
        </Connector>

This gives a good grade when checking with ssllabs.
Only TLS 1.2 and 1.3 are enabled.

Greetins, Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to