8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

htsguru Thu, 27 Apr 2017 07:48:48 -0700

Server version:        Apache Tomcat/8.5.11
Server built:          Jan 10 2017 21:02:52 UTC
Server number:         8.5.11.0
OS Name:               Linux
OS Version:            3.10.0-514.16.1.el7.x86_64
Architecture:          amd64
Java Home:             /usr/java/jdk1.8.0_121/jre
JVM Version:           1.8.0_121-b13
JVM Vendor:            Oracle Corporation
CATALINA_BASE:         /opt/apache-tomcat-8.5.11
CATALINA_HOME:         /opt/apache-tomcat-8.5.11

Command line argument:-Djava.util.logging.config.file=/opt/apache-tomcat-8.5.11/conf/logging.propertiesCommand line argument:-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

Command line argument: -Duser.timezone=US/Eastern
Command line argument: -Xms128m
Command line argument: -Xmx1024m
Command line argument: -Doracle.jdbc.autoCommitSpecCompliant=false
Command line argument: -Djdk.tls.ephemeralDHKeySize=2048

Command line argument:-Djava.protocol.handler.pkgs=org.apache.catalina.webresources

Command line argument: -Djavax.net.debug=ssl:handshake
Command line argument: -Dcatalina.base=/opt/apache-tomcat-8.5.11
Command line argument: -Dcatalina.home=/opt/apache-tomcat-8.5.11
Command line argument: -Djava.io.tmpdir=/opt/apache-tomcat-8.5.11/temp


Have tested this with both 8.5.11 and 8.5.14.
There are NO logged Exceptions or errors.
Using 8.0 Connector - ssllabs.com reported TLSv1.1 and TLSv1.2

Using 9.0 SSLHostConfig - ssllabs.com reported TLSv1.0 and TLSv1.1 andTLSv1.2

Not being able to turn off TLSv1.0 results in PCI compliance problems.

Each SSLHostConfig needs to be able to support different ciphers, sincesome sites are PCI and some sites support legacy data interfaces.

I couldn't exactly figure out the expected syntax for the protocols, soI tried... (9.0 style)

protocols="+TLSv1.1+TLSv1.2"
protocols="+TLSv1.1,+TLSv1.2"
protocols="+TLSv1.1 +TLSv1.2"
protocols="-TLSv1+TLSv1.1+TLSv1.2"
protocols="-TLSv1.0,+TLSv1.1,+TLSv1.2"

ssllabs.com ALWAYS reports the following 2 ciphers (SSLHostConfigstyle). These ciphers are NOT in the ciphers list.

TLSv1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS

TLSv1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH sect571r1(eq. 15360 bits RSA) FS


server.xml Connector snippet (old style - don't get TLSv1.0)
    <Connector executor="tomcatThreadPool"
               address="192.168.52.13" port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

   <Connector executor="tomcatThreadPool"
               address="192.168.52.13" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="./conf/keystore.jks" keystorePass="mypass"
               keyAlias="myalias1"
               clientAuth="false"
               useServerCipherSuitesOrder="true"
               sslEnabledProtocols="TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
               (etc)
               TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />

   <Connector executor="tomcatThreadPool"
               address="192.168.52.15" port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <Connector executor="tomcatThreadPool"
               address="192.168.52.15" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="./conf/keystore.jks" keystorePass="mypass"
               keyAlias="myalias2"
               clientAuth="false"
               useServerCipherSuitesOrder="true"
               sslEnabledProtocols="TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
               (etc)
               TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />



server.xml SSLHostConfig snippet (9.0 style - still get TLSv1.0)
    <Connector address="192.168.52.11" port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="www.mydomain1.com"
               maxThreads="150" compression="false" enableLookups="false" >

        <SSLHostConfig hostName="www.mydomain1.com">
            <Certificate certificateKeystoreFile="conf/keystore.jks"
                         certificateKeystorePassword="mypass"
                         certificateKeyAlias="mydomain1.com"
                         type="RSA" />
               honorCipherOrder="true"
               protocols="+TLSv1.1+TLSv1.2"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
               (etc)
               TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
        </SSLHostConfig>

        <SSLHostConfig hostName="www.mydomain2.com">
            <Certificate certificateKeystoreFile="conf/keystore.jks"
                         certificateKeystorePassword="mypass"
                         certificateKeyAlias="mydomain2.com"
                         type="RSA" />
               honorCipherOrder="true"
               protocols="+TLSv1.1+TLSv1.2"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
               (etc)
               TLS_EMPTY_RENEGOTIATION_INFO_SCSVF" />
        </SSLHostConfig>

Thanks in advanced for your help !!!


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

8.5.11/8.5.14 using SSLHostConfig protocols and ciphers list ignored

Reply via email to