Mark,
On 8/13/21 21:13, Mark Eggers wrote:
On 8/13/2021 5:27 PM, James H. H. Lampert wrote:
While we've been systematically updating our customer boxes, a few of
our customer boxes are still on Tomcat 7.
I've got the following Connector tag set up in server.xml:
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           keystoreFile="/wintouch/tomcat/wttomcat.ks" alias="wintouch"
           maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLSv1.2" compression="on"
           compressionMinSize="2048" noCompressionUserAgents="gozilla,traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/css,
text/javascript,text/json,application/x-javascript,
application/javascript,application/json" />
And yet SSLLabs tells me the box in question is still accepting TLS
1.0 and TLS 1.1.
Can anybody shed any light on this? (And yes, I know, "alias" should
be "keyAlias," but it's the only chain in the keystore, so it
shouldn't make any difference.)
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
Search for sslEnabledProtocols
+1
In later versions of Tomcat, there is only one "protocols" configuration
property, and it does "What you expect". The reason for the two separate
configuration settings "sslProtocols" and "sslEnabledProtocols" (oh and
also "SSLProtocol" for APR) is historical.
Down in the JSSE API, you need to request an SSLContext object from a
factory method, and you need to tell that factory what "protocol" you
want. There are a whole host of things you can pass to that factory
method like "TLSv1" and stuff like that, but the documentation says "the
returned object will support that protocol; other protocols may be
supported as well." And guess what? The object you get always supports
all the protocols!
So you need to tell Java what "protocol" you want, but then you may have
to customize the "enabled protocols" if you want to specifically
*disable* a certain protocol version. It's only after 2000 or so that
anybody has been interested in *disabling* anything. Before that, it was
all about being as accepting as possible. These days,
security-mindedness has taken over and it's appropriate to restrict
things, disable old protocols, etc. And yet the configuration still exists.
In 8.5, we replaced everything with "protocols" which will give you the
exact settings you expect. But for 7.0.x, you still need to set
"sslEnabledProtocols". You should probably never bother setting
"sslProtocol".
I note that you are using "sslProtocol" (which is slightly misspelled
SSLProtocol; I'm not sure if that's a problem) but you are also
explicitly specifying protocol="org.apache.coyote.http11.Http11Protocol"
(which is a confusingly-named configuration setting which picks the
class used to actually handle the byte-level conversation with the
client). SSLProtocol is documented to only be used with the APR
connector, and you are specifically requesting the "blocking Java-based"
connector. So I would guess that SSLProtocol is being completely
ignored. Do your log files say anything about not finding a matching
setting for that configuration property? I would guess "yes, it's in the
logs and we never noticed it."
I think you want your Tomcat 7.x configuration to look like this:
<Connector ...
protocol="org.apache.coyote.http11.Http11Protocol"
sslEnabledProtocols="TLSv1.2"
... and have no other protocol-related configuration settings.
-chris
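Added illustration (not part of the thread above, and not Tomcat code): a small stand-alone Java program that shows the JSSE behaviour Chris describes. Requesting an SSLContext for "TLSv1.2" only guarantees that TLS 1.2 is supported; the default set of *enabled* protocols on a server-mode engine is whatever the JDK's defaults (and its jdk.tls.disabledAlgorithms setting) allow, which on older JDKs includes TLSv1 and TLSv1.1. Restricting the enabled set, which is what Tomcat 7's sslEnabledProtocols does for you, is a separate call. The exact strings printed depend on the JDK in use, so none are asserted here.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Demonstrates the difference between the "protocol" passed to the
 * SSLContext factory (Tomcat 7: sslProtocol / APR SSLProtocol) and the
 * protocols actually enabled on a connection (Tomcat 7: sslEnabledProtocols).
 */
public class EnabledProtocolsDemo {

    /** Builds a server-mode engine from a context requested as "TLSv1.2". */
    static SSLEngine serverEngine() throws Exception {
        // This is the factory call the thread talks about. Per the JSSE docs the
        // returned context supports TLSv1.2 "and other protocols may be supported".
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key/trust managers suffice for inspection

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side, like a Tomcat HTTPS connector
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = serverEngine();

        // Everything the provider *can* negotiate for this context.
        System.out.println("supported protocols: "
                + Arrays.toString(engine.getSupportedProtocols()));

        // What a client would be allowed to negotiate if you configure nothing else.
        // On a JDK 8-era runtime this typically still lists TLSv1 and TLSv1.1,
        // which is why the connector in the thread still answered SSL Labs on them.
        System.out.println("enabled by default:  "
                + Arrays.toString(engine.getEnabledProtocols()));

        // The equivalent of sslEnabledProtocols="TLSv1.2": shrink the enabled set.
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        System.out.println("enabled after fix:   "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Run it with `javac EnabledProtocolsDemo.java && java EnabledProtocolsDemo`. If the "enabled by default" line lists more than TLSv1.2, the runtime behaves exactly as Chris says: the protocol name handed to the factory does not limit what the server will accept, and only the explicit enabled-protocols restriction does. After changing server.xml, re-check the live connector rather than trusting the config, for example by re-running the SSL Labs scan or attempting a TLS 1.0 handshake against port 443 and confirming it is refused.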
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org