Hello Peter, > -----Ursprüngliche Nachricht----- > Von: logo <l...@kreuser.name> > Gesendet: Mittwoch, 10. August 2022 10:22 > An: Tomcat Users List <users@tomcat.apache.org> > Betreff: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have > sslProtocol="TLSv1.2" > > Thomas, > > Am 2022-08-10 08:59, schrieb Thomas Hoffmann (Speed4Trade GmbH): > > Hello, > > > >> -----Ursprüngliche Nachricht----- > >> Von: Peter Kreuser <l...@kreuser.name> > >> Gesendet: Mittwoch, 10. August 2022 08:44 > >> An: Tomcat Users List <users@tomcat.apache.org> > >> Betreff: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I > >> have sslProtocol="TLSv1.2" > >> > >> > >> > >> James, > >> > >> the most recent connector attribute is "protocols". The documentation > >> is a bit vague on this saying there is an overlap between the two, > >> yet I don't know if the overlap is there if protocols is unset and > >> defaults to "all".... > >> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support > >> > >> Peter > >> > >> > Am 10.08.2022 um 00:15 schrieb James H. H. Lampert > >> <jam...@touchtonecorp.com.invalid>: > >> > > >> > I think this may have come up before, but I don't recall how it was > resolved. > >> > > >> > On customer box #1, I have: > >> > <Connector port="443" > protocol="org.apache.coyote.http11.Http11Protocol" > >> address="<REDACTED>" > >> > maxThreads="400" SSLEnabled="true" scheme="https" > secure="true" > >> > keystoreFile="<REDACTED>/tomcat/wttomcat.ks" > >> keyAlias="<REDACTED>" > >> > > >> > ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI > >> > TH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" > >> > clientAuth="false" sslProtocol="TLSv1.2" /> > >> > > >> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should. > >> > > >> > But on customer box #2, I have: > >> > > >> > <Connector port="443" > protocol="org.apache.coyote.http11.Http11Protocol" > >> > maxThreads="150" SSLEnabled="true" scheme="https" > secure="true" > >> > keystoreFile="<REDACTED>/tomcat/wttomcat.ks" > >> keyAlias="<REDACTED>" > >> > clientAuth="false" sslProtocol="TLSv1.2" /> > >> > > >> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2. > >> > > >> > What could be wrong here? I vaguely recall seeing something like this > before. > >> > > >> > -- > >> > JHHL > >> > > >> > ------------------------------------------------------------------- > >> > -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> > For additional commands, e-mail: users-h...@tomcat.apache.org > >> > > > > > I have configured my connector as follows: > > <Connector port="443" > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > > > > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImpleme > ntation" > > maxThreads="150" minSpareThreads="25" > > URIEncoding="UTF-8" useBodyEncodingForURI="false" > > enableLookups="false" disableUploadTimeout="true" > > acceptCount="100" scheme="https" secure="true" > > SSLEnabled="true" > > compression="off" > > > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" > /> > > <SSLHostConfig > > ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM- > SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM- > SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20- > POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" > > disableSessionTickets="true" > honorCipherOrder="false" > > protocols="+TLSv1.2,+TLSv1.3"> > > <Certificate certificateKeyFile="../xx.key" > > certificateFile="../xx.pem" type="RSA" /> > > </SSLHostConfig> > > </Connector> > > > > This gives a good grade when checking with ssllabs. > > Only TLS 1.2 and 1.3 are enabled. > > > > of course SSLHostConfig is the modern and preferred way. But unless you have > plenty of time, it's a hassle to migrate many boxes to the new way... > > Peter > > > Greetins, Thomas > >
The attributes are quite similar or the same, just located at other xml-elements, so you can still use the attributes like "protocols" or "ciphers". Just located at different tags. Sooner or later the old syntax will get deprecated. So it's usually a matter of time when you have the hassle ;) Greetings, Thomas --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
