Thank You!!!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are
not the addressee or authorized to receive this for the addressee, you must not
use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you for
your cooperation.
> -----Original Message-----
> From: Kevin Huntly <kmhun...@gmail.com>
> Sent: Thursday, April 20, 2023 11:25 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OT: Tomcat and TLS
>
> This is what I have:
>
> <Connector executor="tomcatThreadPool" protocol="HTTP/1.1"
> address="0.0.0.0" port="8443" maxHttpHeaderSize="8192"
> maxThreads="150"
> minSpareThreads="25" enableLookups="false" acceptCount="100"
> connectionTimeout="20000" disableUploadTimeout="true"
> compression="on" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata" scheme="https"
> secure="true"
> SSLEnabled="true"
> defaultSSLHostConfigName="appsrv.lan" server="Tomcat"
> proxyName="esolutions.caspersbox.com" proxyPort="443">
> <UpgradeProtocol
> className="org.apache.coyote.http2.Http2Protocol" />
> <SSLHostConfig hostName="appsrv.lan"
> protocols="TLSv1.2,TLSv1.3">
> <Certificate
> certificateKeystoreFile="/home/appsrv/etc/kdb/tomcat.p12" type="RSA"
> certificateKeystorePassword="Sj45gvHBgdoJerbptVZV" />
> </SSLHostConfig>
> </Connector>
> ________________________________________________
>
> Kevin Huntly
> Email: kmhun...@gmail.com
> Cell: 716/424-3311
> ________________________________________________
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 1.0
> GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
> W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
> PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++
> G++ e(+) h--- r+++ y+++*
> ------END GEEK CODE BLOCK------
>
>
> On Thu, Apr 20, 2023 at 12:17 PM <jonmcalexan...@wellsfargo.com.invalid>
> wrote:
>
> > Is this actually Kosher?
> >
> > Open your Tomcat server
> > Open your server.xml file in tomcat
> > Add the connector with TLS protocol as below
> > <Connector port="8453"
> >
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150"
> > maxHttpHeaderSize="16384"
> > compression="on"
> > scheme="https"
> > SSLEnabled="true"
> > secure="true"
> > defaultSSLHostConfigName="test.test">
> > <UpgradeProtocol
> > className="org.apache.coyote.http2.Http2Protocol" />
> > <SSLHostConfig
> > hostName="test.test"
> > protocols="TLSv1.2"
> >
> >
> >
> ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WI
> TH_AES_25
> > 6_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >
> >
> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256
> _CCM,TLS_E
> >
> CDHE_ECDSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,
> >
> >
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_128_
> GCM_SHA256
> > ,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> >
> >
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES
> _128_GCM_S
> > HA256,TLS_DHE_RSA_WITH_AES_128_CCM,
> >
> >
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CC
> M_8,TLS_EC
> > DHE_ECDSA_WITH_AES_128_CCM_8,
> >
> >
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH
> _CHACHA20_
> > POLY1305_SHA256,
> >
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
> > <Certificate
> > certificateKeystoreFile="<path to certificate keystore
> > (JKS)>"
> > certificateKeystorePassword ="${keystore.pass}"
> > certificateKeyPassword="${keystore.pass}"
> > certificateKeyAlias="<ALIAS>"
> > />
> > </SSLHostConfig>
> > </Connector> Now, restart your Tomcat.
> >
> > If so, do we just add the TLS 1.3 ciphers to the list?
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information.
> > If you are not the addressee or authorized to receive this for the
> > addressee, you must not use, copy, disclose, or take any action based
> > on this message or any information herein. If you have received this
> > message in error, please advise the sender immediately by reply e-mail
> > and delete this message. Thank you for your cooperation.
> >
> >
> > > -----Original Message-----
> > > From: Christopher Schultz <ch...@christopherschultz.net>
> > > Sent: Thursday, April 20, 2023 10:27 AM
> > > To: Tomcat Users List <users@tomcat.apache.org>
> > > Subject: Re: OT: Tomcat and TLS
> > >
> > > Jon,
> > >
> > > On 4/20/23 10:12, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > > Since TLS 1.2 and 1.3 don't/can't play well with each other (no
> > > > mixed
> > > > mode)
> > > What do you mean by this?
> > >
> > > > [...] is it best to have a TLS 1.2 connector and a separate TLA
> > > > 1.3 connector on a different port, or just go to a TLS 1.3
> > > > connector and hope for backward compat?
> > > TLSv1.3 uses a TLSv1.2-compatible handshake. The client and server
> > > should negotiate the highest-supported protocol version shared
> between the two.
> > >
> > > -chris
> > >
> > > --------------------------------------------------------------------
> > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
