You can disable the protocols at the Java level in the java.security file:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1

On Wed, Aug 10, 2022 at 5:09 AM Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.invalid> wrote:

> Hello Peter,
>
> > -----Original Message-----
> > From: logo <l...@kreuser.name>
> > Sent: Wednesday, 10 August 2022 10:22
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: AW: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have
> > sslProtocol="TLSv1.2"
> >
> > Thomas,
> >
> > On 2022-08-10 08:59, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > > Hello,
> > >
> > >> -----Original Message-----
> > >> From: Peter Kreuser <l...@kreuser.name>
> > >> Sent: Wednesday, 10 August 2022 08:44
> > >> To: Tomcat Users List <users@tomcat.apache.org>
> > >> Subject: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I
> > >> have sslProtocol="TLSv1.2"
> > >>
> > >>
> > >>
> > >> James,
> > >>
> > >> the most recent connector attribute is "protocols". The documentation
> > >> is a bit vague on this saying there is an overlap between the two,
> > >> yet I don't know if the overlap is there if protocols is unset and
> > >> defaults to "all"....
> > >> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
> > >>
> > >> Peter
> > >>
> > >> > On 10.08.2022 at 00:15, James H. H. Lampert
> > >> > <jam...@touchtonecorp.com.invalid> wrote:
> > >> >
> > >> > I think this may have come up before, but I don't recall how it was
> > >> > resolved.
> > >> >
> > >> > On customer box #1, I have:
> > >> > <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> > >> >           address="<REDACTED>"
> > >> >           maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
> > >> >           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
> > >> >           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> > >> >           clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> > >> >
> > >> > But on customer box #2, I have:
> > >> >
> > >> > <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> > >> >           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > >> >           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
> > >> >           clientAuth="false" sslProtocol="TLSv1.2" />
> > >> >
> > >> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> > >> >
> > >> > What could be wrong here? I vaguely recall seeing something like this
> > >> > before.
> > >> >
> > >> > --
> > >> > JHHL
> > >> >
> > >> > -------------------------------------------------------------------
> > >> > -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > >> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >> >
> > >
> > > I have configured my connector as follows:
> > > <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >                sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> > >                maxThreads="150" minSpareThreads="25"
> > >                URIEncoding="UTF-8" useBodyEncodingForURI="false"
> > >                enableLookups="false" disableUploadTimeout="true"
> > >                acceptCount="100" scheme="https" secure="true"
> > >                SSLEnabled="true"
> > >                compression="off" >
> > >     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> > >     <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> > >                    disableSessionTickets="true" honorCipherOrder="false"
> > >                    protocols="+TLSv1.2,+TLSv1.3">
> > >         <Certificate certificateKeyFile="../xx.key" certificateFile="../xx.pem" type="RSA" />
> > >     </SSLHostConfig>
> > > </Connector>
> > >
> > > This gives a good grade when checking with ssllabs.
> > > Only TLS 1.2 and 1.3 are enabled.
> > >
> >
> > Of course SSLHostConfig is the modern and preferred way. But unless you have
> > plenty of time, it's a hassle to migrate many boxes to the new way...
> >
> > Peter
> >
> > > Greetings, Thomas
> > >
>
> The attributes are quite similar or the same, just located at other
> xml-elements, so you can still use the attributes like "protocols" or
> "ciphers".
> Just located at different tags.
>
> Sooner or later the old syntax will get deprecated. So it's usually a
> matter of time when you have the hassle ;)
>
> Greetings, Thomas
>
>


-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
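The thread makes two points worth turning into a repeatable check when you have "many boxes": on the legacy connector syntax `sslProtocol="TLSv1.2"` only names the SSLContext algorithm and the `protocols` attribute (default `all`) is what actually limits the versions offered, and `jdk.tls.disabledAlgorithms` in java.security can shut TLS 1.0/1.1 off JVM-wide regardless of the connector. The audit below is an added example, not code from the thread, from Tomcat, or from any of the posters. It assumes Tomcat's `protocols` grammar (`+X` adds, `-X` removes, a bare name adds, `all` expands to every version, unset means `all`) and treats `all` as TLSv1 through TLSv1.3 as a Java 11+ JSSE stack offers them; the sample server.xml, the java.security excerpt, port 8443 and the function names are constructed for the example.

```python
"""Audit Tomcat connectors for TLS 1.0/1.1 exposure (constructed example)."""
import re
import xml.etree.ElementTree as ET

LEGACY_VERSIONS = {"TLSv1", "TLSv1.1"}
# Assumption: what Tomcat's "all" expands to on a Java 11+ JSSE stack.
ALL_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_disabled_algorithms(java_security_text):
    """Return the entries of jdk.tls.disabledAlgorithms as a set of strings.

    java.security allows backslash-newline continuations, so join those first.
    """
    joined = re.sub(r"\\\s*\n\s*", "", java_security_text)
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if line.startswith("jdk.tls.disabledAlgorithms="):
            value = line.split("=", 1)[1]
            return {entry.strip() for entry in value.split(",") if entry.strip()}
    return set()


def enabled_versions(protocols_attr):
    """Expand a Tomcat `protocols` attribute into the set of enabled versions.

    Tokens are comma separated: "+X" adds X, "-X" removes X, a bare name adds
    it, and "all" expands to every version. An unset attribute means "all".
    """
    if protocols_attr is None or not protocols_attr.strip():
        return set(ALL_VERSIONS)
    enabled = set()
    for token in protocols_attr.split(","):
        token = token.strip()
        if not token:
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_VERSIONS if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit(server_xml, java_security_text=""):
    """Return (port, exposed_versions, advice) for each TLS connector that still
    enables TLS 1.0/1.1 and is not covered by a JVM-wide disable."""
    jvm_blocks_legacy = LEGACY_VERSIONS <= parse_disabled_algorithms(java_security_text)
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        hosts = conn.findall("SSLHostConfig")
        # Legacy syntax keeps the attributes on <Connector>; the new one on <SSLHostConfig>.
        attrs = [h.get("protocols") for h in hosts] or [conn.get("protocols")]
        for attr in attrs:
            exposed = enabled_versions(attr) & LEGACY_VERSIONS
            if exposed and not jvm_blocks_legacy:
                advice = ('sslProtocol does not limit versions; set protocols="+TLSv1.2,+TLSv1.3"'
                          if attr is None else "protocols value still enables legacy versions")
                findings.append((conn.get("port"), sorted(exposed), advice))
    return findings


# Constructed server.xml modelled on the two connector styles in the thread.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="REDACTED/tomcat/wttomcat.ks" keyAlias="REDACTED"
             clientAuth="false" sslProtocol="TLSv1.2" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="+TLSv1.2,+TLSv1.3">
      <Certificate certificateKeyFile="../xx.key" certificateFile="../xx.pem" type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed java.security excerpt using the property line quoted in the thread.
SAMPLE_JAVA_SECURITY = """# constructed excerpt
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    TLSv1, TLSv1.1
"""

if __name__ == "__main__":
    for port, exposed, advice in audit(SAMPLE_SERVER_XML):
        print(f"port {port}: enables {', '.join(exposed)}; {advice}")
    print("with JVM-wide disable:", audit(SAMPLE_SERVER_XML, SAMPLE_JAVA_SECURITY))
```

Run against a real server.xml by reading the file into `audit()`; pass the JVM's java.security text as the second argument to see whether a JVM-wide `jdk.tls.disabledAlgorithms` already covers a connector that the legacy syntax would otherwise leave open.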
