On 02.03.21 23:50, Peter Kreuser wrote:
Alex,
On 02.03.2021 at 23:19, Alex <al-tomcatu...@none.at> wrote:
Hi.
On 02.03.21 23:14, John Larsen wrote:
I usually let the apache webserver or nginx handle the SSL while proxying
to the tomcat.
Unless you need some really fancy rewriting or caching, Tomcat is absolutely
capable of handling this. Even static files are OK nowadays.
To use tomcat's built in server you'll need to import the
SSL certificate into the keystore via your jdk.
That’s not the case anymore. Tomcat 8.5.x perfectly speaks PEM-files and
openssl config. (See below)
Even dynamic reloading of SSL configs can be achieved with the jmxproxy.
Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
the backend, in this case Tomcat.
John Larsen
On Tue, Mar 2, 2021 at 3:06 PM Alex <al-tomcatu...@none.at> wrote:
Hi.
I'm trying to make a "good" Tomcat config and have read the docs.
In the Connector doc there is the following statement:
http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
Each secure connector must define at least one SSLHostConfig.
But when I look into the SSL/TLS Configuration How-To, the snippet there
is without SSLHostConfig. What's now the "best" way to set up TLS/SSL
with Tomcat? I would prefer to use SSLHostConfig, but I'm not sure if
that's the way the developers intend TLS to be set up in Tomcat?
I use JSSE as the implementation.
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
```
<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
```
You should move this to SSLHostConfig.
Thank you for the clarification, I will do it.
```xml
<SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
               hostName="<hostname>"
               protocols="TLSv1.2+TLSv1.3"
               certificateVerification="none"
               disableCompression="true"
               disableSessionTickets="true"
               ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeyFile="${catalina.base}/conf/ssl/server.key"
                 certificateFile="${catalina.base}/conf/ssl/server.crt"
                 certificateChainFile="${catalina.base}/conf/ssl/intermediate.pem"
                 type="RSA" />
</SSLHostConfig>
```
HTH
Peter
What's your suggestion and opinion on configuring Tomcat in a
proper way to use TLS, also for future versions?
Regards
Alex
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
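The thread contrasts the old Connector-level TLS attributes (keystoreFile, keystorePass, clientAuth, sslProtocol) with the SSLHostConfig form. The following script is an added example, not code from the thread or from the Tomcat project: it parses a server.xml and reports which SSLEnabled connectors still carry the deprecated Connector-level attributes, use the JDK default keystore password, or enable TLSv1/TLSv1.1 in an SSLHostConfig. The two embedded server.xml fragments are constructed for the example (the second one uses a placeholder hostName and relative certificate paths), and the list of legacy attribute names is limited to the ones the script checks, not an exhaustive catalogue.

```python
"""Audit the TLS settings of <Connector> elements in a Tomcat server.xml."""
import xml.etree.ElementTree as ET

# Pre-8.5-style Connector attributes that Tomcat still accepts (mapped onto an
# implicit SSLHostConfig) but documents as deprecated.  Constructed subset.
LEGACY_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
                "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers",
                "truststoreFile", "truststorePass"}

# Protocol versions that should not be enabled on a modern connector.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the snippet style from the SSL How-To (legacy attributes).
LEGACY_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8443" maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="${user.home}/.keystore" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

# Constructed sample: the SSLHostConfig style, PEM files, TLS 1.2/1.3 only.
MODERN_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8443" scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig hostName="example-host" honorCipherOrder="true"
                   protocols="TLSv1.2+TLSv1.3" certificateVerification="none">
      <Certificate certificateKeyFile="conf/ssl/server.key"
                   certificateFile="conf/ssl/server.crt"
                   certificateChainFile="conf/ssl/intermediate.pem"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""


def split_tokens(value):
    """Tomcat accepts '+' or ',' separated protocol lists; return the set of tokens."""
    return {t.strip() for t in value.replace("+", ",").split(",") if t.strip()}


def audit_connector(conn):
    """Return a list of finding strings for one <Connector> element."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP / AJP connector, nothing TLS-related to check
    port = conn.get("port", "?")
    hostconfigs = conn.findall("SSLHostConfig")  # direct children only

    legacy = sorted(LEGACY_ATTRS & set(conn.attrib))
    if legacy:
        findings.append(f"port {port}: deprecated Connector-level TLS attributes "
                        f"{legacy}; move them into <SSLHostConfig>")
    if not hostconfigs and not legacy:
        findings.append(f"port {port}: SSLEnabled connector defines no "
                        f"<SSLHostConfig> and no legacy TLS attributes")
    if conn.get("keystorePass") == "changeit":
        findings.append(f"port {port}: keystorePass is the JDK default 'changeit'")

    for hc in hostconfigs:
        name = hc.get("hostName", "_default_")
        protos = split_tokens(hc.get("protocols", "all"))
        weak = sorted(protos & WEAK_PROTOCOLS)  # exact tokens, so TLSv1.2 never matches
        if weak:
            findings.append(f"port {port}/{name}: weak protocol versions enabled {weak}")
        if not hc.findall("Certificate"):
            findings.append(f"port {port}/{name}: SSLHostConfig has no <Certificate>")
        if hc.get("honorCipherOrder", "false").lower() != "true":
            findings.append(f"port {port}/{name}: honorCipherOrder is not enabled")
    return findings


def audit_server_xml(xml_text):
    """Audit every <Connector> in a server.xml document given as a string."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
    return findings


if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_SERVER_XML), ("modern", MODERN_SERVER_XML)):
        print(f"== {label} ==")
        for f in audit_server_xml(doc) or ["no findings"]:
            print(" -", f)
```

Run against a real deployment with `audit_server_xml(open("conf/server.xml").read())`. The protocol check is deliberately token-based rather than substring-based so that a list such as `TLSv1.2+TLSv1.3` is not mistaken for TLSv1; the meaning of the shorthand `all` depends on the Tomcat version, so the script does not try to interpret it.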