Ezsra,

On 5/24/21 11:18, Ezsra McDonald wrote:
> I was unable to identify the issue with debug enabled. I started looking
> closer at the error I was getting in the various browsers. Apparently the
> SSL is working. The browsers are blocking it because the server is using
> something other than TLSv1.2 or better. I was able to prove this using
> Safari. When I enabled the older TLS options I was able to connect.

This is excellent information to have.

Tomcat (or BC) should not be throwing NPE under any circumstances, though.

> The odd thing is that I have the connector configured for TLSv1.2. So, that is
> where I need to concentrate my efforts now. Why is Tomcat not using the
> TLSv1.2 protocol?

> As a refresher, I have the following configured for the connector.
> <Connector executor="tomcatThreadPool"
>         port="${http.port}"
>         protocol="org.apache.coyote.http11.Http11NioProtocol"
>         maxThreads="50" enableLookups="false" acceptCount="100"
>         server="Apache"
>         SSLEnabled="true" scheme="https" secure="true"
>         clientAuth="false" sslProtocol="TLSv1.2"
>         keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
>         keyAlias="tomcat"
>         keystorePass="**************"
>         connectionTimeout="20000"/>

Aha. You are using "sslProtocol" which is, unfortunately, a nearly worthless configuration attribute and *always* causes confusion for anyone who has never had to deal with the JSSE TLS API.

The configuration attribute you really want to use is:

    protocols="TLSv1.2"

The default is "all" which means "SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3", so all protocols should be enabled by default.

> An sslscan of the server port shows the following requests were accepted.
> Some are TLSv1.2.
>
> sslscan target.host.com:8080|grep Accepted
>      Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
>      Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
>      Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
>      Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
>      Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
>      Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
>      Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
>      Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
>      Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
>      Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
>      Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
>      Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
>      Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
>      Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
>      Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
>      Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
>      Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
>      Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
>      Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
>      Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA

Most browsers will ignore some subset of the above.

The only "safe" cipher suite listed above is ECDHE-RSA-AES128-GCM-SHA256 and everyone should support *at least* that for the time being. Hmm.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
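Added example, not code from the thread or from the Tomcat project: a small audit script for checking the connector after the change Chris suggests (`protocols="TLSv1.2"` instead of `sslProtocol`). It parses raw sslscan output, reports which protocol versions the server still negotiates, and splits the accepted cipher suites into forward-secret AEAD suites and everything else. The policy it applies (TLS 1.2 minimum; only ECDHE/DHE or TLS 1.3 suites with GCM, CHACHA20 or CCM count as strong) is this example's own assumption, not a Tomcat default, and is stricter than the thread's "ECDHE-RSA-AES128-GCM-SHA256 only" remark in one direction and looser in another, since it also accepts the DHE GCM suites. `SAMPLE_SCAN_BEFORE` reproduces the rows from the thread's scan with a constructed header line; `SAMPLE_SCAN_AFTER` is a constructed sslscan 2.x style result for a hardened connector. `probe_protocols()` is a live check that needs network access; its default port of 8443 is an assumption. One practitioner caveat it handles: sslscan 2.x labels the first suite per protocol "Preferred", so the `grep Accepted` filter used in the thread silently drops that row.

```python
"""Audit sslscan output for a Tomcat HTTPS connector (added example, not Tomcat's
or the thread's own code). The policy below (TLS 1.2 minimum, forward-secret AEAD
suites only) is this example's assumption, not a Tomcat default."""
from __future__ import annotations

import re

# sslscan labels (1.x prints "TLS11", 2.x prints "TLSv1.1") -> record-layer version.
PROTOCOL_VERSIONS = {"SSLv2": (2, 0), "SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.0": (3, 1),
                     "TLS11": (3, 2), "TLSv1.1": (3, 2), "TLS12": (3, 3), "TLSv1.2": (3, 3),
                     "TLS13": (3, 4), "TLSv1.3": (3, 4)}
MIN_VERSION = (3, 3)  # TLS 1.2, i.e. what protocols="TLSv1.2" should leave enabled

# sslscan 2.x labels the first suite per protocol "Preferred"; `grep Accepted` as in
# the thread silently drops that row, so match both.
SUITE_RE = re.compile(r"^\s*(?:Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

def parse_suites(scan_output: str) -> list[tuple[str, int, str]]:
    """Return (protocol label, bits, suite name) for every suite row in raw sslscan text."""
    rows = []
    for line in scan_output.splitlines():
        m = SUITE_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def is_forward_secret(suite: str) -> bool:
    # OpenSSL names: ECDHE-/DHE- prefix means ephemeral key exchange; TLS 1.3 suites always are.
    return suite.startswith(("ECDHE-", "DHE-", "TLS_"))

def is_aead(suite: str) -> bool:
    return any(tag in suite for tag in ("GCM", "CHACHA20", "CCM"))

def audit(scan_output: str) -> dict:
    """Summarise a scan against the policy. Unknown protocol labels are treated as legacy."""
    rows = parse_suites(scan_output)
    protocols = sorted({proto for proto, _, _ in rows})
    legacy = [p for p in protocols if PROTOCOL_VERSIONS.get(p, (0, 0)) < MIN_VERSION]
    names = {name for _, _, name in rows}
    strong = sorted(n for n in names if is_forward_secret(n) and is_aead(n))
    weak = sorted(names - set(strong))
    return {"protocols": protocols, "legacy_protocols": legacy, "strong_suites": strong,
            "weak_suites": weak, "ok": not legacy and not weak and bool(strong)}

def probe_protocols(host: str, port: int = 8443, timeout: float = 5.0) -> dict:
    """Live check (needs network): one handshake per TLS version, pinned min == max.
    Verification is off and the client cipher list widened so the answer reflects the
    server, not local OpenSSL policy; never reuse this context for real traffic."""
    import socket, ssl
    versions = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}
    results = {}
    for label, version in versions.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = version
            ctx.set_ciphers("ALL:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.cipher()[0]  # negotiated suite name
        except (ssl.SSLError, OSError, ValueError):
            results[label] = None  # refused by the server (or unsupported by local OpenSSL)
    return results

# Constructed sample: the rows from the thread's scan (sslscan 1.x labels) plus a
# header line that the parser must ignore.
SAMPLE_SCAN_BEFORE = """\
Testing SSL server target.host.com on port 8080
     Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
     Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
     Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
     Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
     Accepted  TLS11  256 bits  ECDHE-RSA-AES256-SHA
     Accepted  TLS11  256 bits  DHE-RSA-AES256-SHA
     Accepted  TLS11  128 bits  ECDHE-RSA-AES128-SHA
     Accepted  TLS11  128 bits  DHE-RSA-AES128-SHA
     Accepted  TLS12  256 bits  ECDHE-RSA-AES256-GCM-SHA384
     Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA384
     Accepted  TLS12  256 bits  ECDHE-RSA-AES256-SHA
     Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
     Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
     Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
     Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
     Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA256
     Accepted  TLS12  128 bits  ECDHE-RSA-AES128-SHA
     Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
     Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
     Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA
"""

# Constructed sample in sslscan 2.x style: what the connector should show once
# protocols="TLSv1.2" and an AEAD-only ciphers list are in effect.
SAMPLE_SCAN_AFTER = """\
  Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
  Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
"""

if __name__ == "__main__":
    for label, scan in (("before", SAMPLE_SCAN_BEFORE), ("after", SAMPLE_SCAN_AFTER)):
        print(label, audit(scan))
```

Run it as-is to see the thread's scan flagged (TLSv1 and TLS11 still negotiated, eight non-AEAD suites) and the constructed post-fix scan pass; for a real host, pipe `sslscan --no-colour host:port` into `audit()` or call `probe_protocols("host")`, remembering that the probe is only as permissive as the local OpenSSL build allows, so a `None` for TLSv1 can mean the client refused, not the server.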
