Configuration: Tomcat 6.0 running on Windows Server. The tcnative-1.dll is the latest from the download site http://tomcat.apache.org/download-native.cgi

Item #1

In our Tomcat server.xml config, we have:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxHttpHeaderSize="8192"
               scheme="https" secure="true" SSLEnabled="true"
               SSLDisableCompression="true"
               SSLHonorCipherOrder="true"
               SSLProtocol="TLSv1+SSLv3"
               SSLCertificateFile="certificate.crt"
               SSLCertificateKeyFile="certificate.key"
               SSLCertificateChainFile="chain.crt"
               SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL"
    />

The issue here is Tomcat is only binding to the IPv4 (0.0.0.0) address, and not binding to the IPv6 on the box. If I add an address="0.0.0.0" and then duplicate this connector and replace the address option with address="::", it binds to both IPv4 and IPv6 as expected. However, Tomcat will no longer stop when you try to stop the Windows service. I have to kill the process to get it to stop. If I only have one or the other of the two connectors present, it will stop as expected.

Also of note, if I used protocol="org.apache.coyote.http11.Http11Protocol" instead, it would bind to both IPv4 and IPv6 as expected when no address option is specified (but that method won't take some of the options we want to have set).

Issue #2

We would like to have it use SSLProtocol="TLSv1", but when you have just that as the option, it will only talk TLS v1.0, not TLSv1.1 or TLSv1.2. Looking briefly at the source code, it looks like you only have the option to specify a combination of TLSv1, SSLv2 and SSLv3. If we use the option as specified above (TLSv1+SSLv3), it will do all three TLS versions and SSLv3.

Is there a way to get it to do TLS and all three versions of it? Also, with SSLv2 not specified, it will still accept that protocol, but in the end will fail because no encryption methods for it are enabled. Is there a way to have it refuse to talk SSLv2 from the start?
Thanks James
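A quick audit of the APR connector attributes discussed in this post, as an added example (not code from the thread or from Tomcat): it parses a constructed server.xml modelled on the one above, reports each SSL-enabled connector's port and bind address, and flags SSLProtocol values that still admit SSLv2/SSLv3. It assumes the APR connector's SSLProtocol defaults to "all" when unset and that a connector with no address binds 0.0.0.0.

```python
"""Audit SSL-enabled Tomcat APR connectors in server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the post: the same HTTPS connector
# duplicated once per address family, plus a plain HTTP connector to skip.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" address="0.0.0.0"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="TLSv1+SSLv3"
               SSLHonorCipherOrder="true" SSLDisableCompression="true"/>
    <Connector port="443" address="::"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="TLSv1"
               SSLHonorCipherOrder="false"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return [(port, address, [findings])] for every SSLEnabled connector."""
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        # APR SSLProtocol is a '+'-joined list of TLSv1 / SSLv3 / SSLv2 / all.
        # Assumption: an unset attribute behaves like "all".
        protos = {p.strip() for p in conn.get("SSLProtocol", "all").split("+")}
        if "all" in protos or "SSLv3" in protos:
            findings.append("SSLv3 enabled")
        if "all" in protos or "SSLv2" in protos:
            findings.append("SSLv2 enabled")
        if conn.get("SSLHonorCipherOrder", "false").lower() != "true":
            findings.append("server cipher order not enforced")
        if conn.get("SSLDisableCompression", "false").lower() != "true":
            findings.append("TLS compression not disabled")
        # Assumption: no address attribute means the IPv4 wildcard, as the post observed.
        address = conn.get("address", "0.0.0.0 (unset)")
        results.append((conn.get("port"), address, findings))
    return results


if __name__ == "__main__":
    for port, address, findings in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port} on {address}: {', '.join(findings) or 'no findings'}")
```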