Ezsra,
On 5/24/21 11:18, Ezsra McDonald wrote:
> I was unable to identify the issue with debug enabled. I started looking
> closer at the error I was getting in the various browsers. Apparently the
> SSL is working. The browsers are blocking it because the server is using
> something other than TLSv1.2 or better. I was able to prove this using
> Safari. When I enabled the older TLS options I was able to connect.
This is excellent information to have.
Tomcat (or BC) should not be throwing NPE under any circumstances, though.
> The odd thing is that I have the connector configured for TLSv1.2. So,
> that is where I need to concentrate my efforts now. Why is tomcat not
> using the TLSv1.2 protocol?
>
> As a refresher, I have the following configured for the connector.
>
> <Connector executor="tomcatThreadPool"
>            port="${http.port}"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="50" enableLookups="false" acceptCount="100"
>            server="Apache"
>            SSLEnabled="true" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLSv1.2"
>            keystoreFile="/opt/tomcat/ssl/tomcat_ssl.jks"
>            keyAlias="tomcat"
>            keystorePass="**************"
>            connectionTimeout="20000"/>
Aha. You are using "sslProtocol" which is, unfortunately, a nearly
worthless configuration attribute and *always* causes confusion for
anyone who has never had to deal with the JSSE TLS API.
The configuration attribute you really want to use is:
protocols="TLSv1.2"
The default is "all" which means
"SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3", so all protocols should be
enabled by default.
> An sslscan of the server port shows the following requests were accepted.
> Some are TLSv1.2.
>
> sslscan target.host.com:8080|grep Accepted
> Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
> Accepted TLSv1 128 bits ECDHE-RSA-AES128-SHA
> Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
> Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS11 256 bits DHE-RSA-AES256-SHA
> Accepted TLS11 128 bits ECDHE-RSA-AES128-SHA
> Accepted TLS11 128 bits DHE-RSA-AES128-SHA
> Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
> Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA384
> Accepted TLS12 256 bits ECDHE-RSA-AES256-SHA
> Accepted TLS12 256 bits DHE-RSA-AES256-GCM-SHA384
> Accepted TLS12 256 bits DHE-RSA-AES256-SHA256
> Accepted TLS12 256 bits DHE-RSA-AES256-SHA
> Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
> Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA256
> Accepted TLS12 128 bits ECDHE-RSA-AES128-SHA
> Accepted TLS12 128 bits DHE-RSA-AES128-GCM-SHA256
> Accepted TLS12 128 bits DHE-RSA-AES128-SHA256
> Accepted TLS12 128 bits DHE-RSA-AES128-SHA
Most browsers will ignore some subset of the above.
The only "safe" cipher suite listed above is ECDHE-RSA-AES128-GCM-SHA256
and everyone should support *at least* that for the time being. Hmm.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
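An added example, not code from this thread or from Tomcat: a small audit script that reads sslscan "Accepted" lines (the constructed sample below is the output quoted in the mail) and reports which protocols below TLSv1.2 the connector is still negotiating, so the effect of switching from `sslProtocol` to `protocols="TLSv1.2"` can be verified after a restart. The "preferred suite" criterion (ECDHE plus an AEAD GCM cipher) is the example's own assumption, not a statement from the thread.

```python
import re
from collections import defaultdict

# sslscan "Accepted" lines as quoted in the thread (constructed sample so the
# script runs offline; a real run pipes `sslscan host:port` into parse_accepted).
SAMPLE = """\
Accepted TLSv1 256 bits ECDHE-RSA-AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLS11 256 bits ECDHE-RSA-AES256-SHA
Accepted TLS12 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLS12 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLS12 128 bits DHE-RSA-AES128-SHA
"""

# Older and newer sslscan releases spell protocol names differently; normalise.
PROTO = {"TLSv1": "TLSv1.0", "TLS10": "TLSv1.0", "TLS11": "TLSv1.1",
         "TLS12": "TLSv1.2", "TLS13": "TLSv1.3"}
LINE = re.compile(r"^Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)")
MODERN = ("TLSv1.2", "TLSv1.3")

def parse_accepted(text):
    """Return {protocol: [cipher suite, ...]} from sslscan 'Accepted' lines."""
    accepted = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            accepted[PROTO.get(m.group(1), m.group(1))].append(m.group(3))
    return dict(accepted)

def legacy_protocols(accepted):
    """Protocols the server still negotiates that a TLSv1.2-only connector must refuse."""
    return sorted(p for p in accepted if p not in MODERN)

def is_preferred_suite(name):
    """Forward secrecy (ECDHE key exchange) plus an AEAD bulk cipher (GCM)."""
    return name.startswith("ECDHE-") and "-GCM-" in name

def audit(text):
    """Summarise a scan: legacy protocols still accepted, preferred suites offered."""
    accepted = parse_accepted(text)
    return {"legacy": legacy_protocols(accepted),
            "preferred": sorted(c for p in MODERN for c in accepted.get(p, [])
                                if is_preferred_suite(c))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Once the connector is changed to `protocols="TLSv1.2"` and Tomcat restarted, a fresh scan fed through `audit` should report an empty `legacy` list; anything else means the attribute is not being applied.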