Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
Shawn,

On 4/29/22 18:18, Shawn Heisey wrote:
> Based on what I have been able to figure out, I think it's probably your cipher list. If you are using the standard Java TLS and not the tomcat native library that uses openssl, then your cipher list is unlikely to work -- those look like openssl cipher names, and Java uses different names.

Tomcat can accept cipher suite names using either OpenSSL or JSSE naming conventions.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
AW: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
> -Original Message-
> From: Shawn Heisey
> Sent: Saturday, 30 April 2022 00:18
> To: users@tomcat.apache.org
> Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
>
> On 4/29/22 12:14, Kaushal Shriyan wrote:
> > [...]
>
> I can think of two possible reasons for a problem like this.
>
> 1. Your cipher list isn't compatible with TLS 1.3.
> 2. You're not running a new enough Java version. (8u261 b12 minimum)
>
> Based on what I have been able to figure out, I think it's probably your cipher list. If you are using the standard Java TLS and not the tomcat native library that uses openssl, then your cipher list is unlikely to work -- those look like openssl cipher names, and Java uses different names.
>
> I think this cipher list might get you TLS 1.2 and 1.3 support with Java:
>
> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>
> To get that list, I converted the cipher list I use in haproxy, which uses openssl for tls, using the info found here:
>
> https://stackoverflow.com/a/32654075/2665648
>
> Thanks,
> Shawn

That's how I configured the connector and it is using TLS 1.3.

A good source for a hardened configuration is also:
https://success.qualys.com/discussions/s/question/0D52L6230HeSAI/a-grade-for-tomcat10

Greetings,
Thomas
Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
On 4/29/22 12:14, Kaushal Shriyan wrote:
> Thanks Peter for the link and it worked like a charm. I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have enabled the TLSv1.3 protocol as per the below block but when I ran the scan https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 -> No* as per the below scan results.
>
>     SSLEnabled="true" scheme="https"
>     ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
>     keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat"
>     clientAuth="false" disableSessionTickets="true"
>     honorCipherOrder="true" *SSLProtocol="TLSv1.2+TLSv1.3"*
>     redirectPort="8443" />

I can think of two possible reasons for a problem like this.

1. Your cipher list isn't compatible with TLS 1.3.
2. You're not running a new enough Java version. (8u261 b12 minimum)

Based on what I have been able to figure out, I think it's probably your cipher list. If you are using the standard Java TLS and not the tomcat native library that uses openssl, then your cipher list is unlikely to work -- those look like openssl cipher names, and Java uses different names.

I think this cipher list might get you TLS 1.2 and 1.3 support with Java:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

To get that list, I converted the cipher list I use in haproxy, which uses openssl for tls, using the info found here:

https://stackoverflow.com/a/32654075/2665648

Thanks,
Shawn
Re: AW: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
Thomas,

On 4/29/22 02:44, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> -Original Message-
> From: Christopher Schultz
> Sent: Friday, 29 April 2022 01:10
> To: users@tomcat.apache.org
> Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
>
> > [...]
>
> Hello,
> according to https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java the headers are set, if request.isSecure is set to true.

Sure, but the browser will ignore it if not served over HTTPS.

It's possible to trick Tomcat into thinking that the connection is secure even when the client isn't using HTTPS.

(BTW, that's a really old source file. Here's the latest: https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java#L105)

> So it depends on within the server.xml
> If behind a proxy with SSL Offloading, this flag can also be set on a plain http connection.

Yup.

-chris
Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
Thanks Peter for the link and it worked like a charm. I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core). I have enabled the TLSv1.3 protocol as per the below block but when I ran the scan https://www.ssllabs.com/ssltest/analyze.html, it says *TLS 1.3 -> No* as per the below scan results.

    SSLEnabled="true" scheme="https"
    ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    keystoreFile="ssl/hsbcconsent.jks" keystorePass="tomcat"
    clientAuth="false" disableSessionTickets="true"
    honorCipherOrder="true" *SSLProtocol="TLSv1.2+TLSv1.3"*
    redirectPort="8443" />

https://github.com/drwetter/testssl.sh

./testssl.sh --htmlfile testapp-consent-testpreprod.testapicraft.com.29042022.html testapp-consent-testpreprod.testapicraft.com

###
testssl.sh 3.1dev from https://testssl.sh/dev/
This program is free software. Distribution and modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###

Using "LibreSSL 2.8.3" [~69 ciphers]
on DACADMINs-MacBook-Pro:/usr/bin/openssl
(built: "date not available", platform: "information not available")

Start 2022-04-29 19:02:41 -->> 35.210.220.115:443 (testapp-consent-testpreprod.testapicraft.com) <<--

Service detected: HTTP

Testing protocols via sockets except NPN+ALPN

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      not offered
TLS 1.1    not offered
TLS 1.2    offered (OK)
*TLS 1.3    not offered and downgraded to a weaker protocol*
NPN/SPDY   Local problem: /usr/bin/openssl doesn't support NPN/SPDY
ALPN/HTTP2 not offered

Am I missing anything in the /opt/tomcat9/conf/server.xml file? Please comment and guide me. Thanks in advance

Best Regards,

Kaushal

On Fri, Apr 29, 2022 at 12:15 PM Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > [...]
>
> Hello,
> according to https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java the headers are set, if request.isSecure is set to true.
>
> So it depends on within the server.xml
> If behind a proxy with SSL Offloading, this flag can also be set on a plain http connection.
>
> Greetings,
> Thomas
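The two cipher lists in this thread differ in a way that fits the scan result above: the original list names only TLS 1.2 suites (in OpenSSL spelling), whereas Shawn's converted list also names the three TLS 1.3 suites, which have their own names under RFC 8446 and must be listed before a JSSE connector can negotiate TLS 1.3. The script below is an added example, not code from the thread or from Tomcat; its OpenSSL-to-JSSE converter is an assumption that covers only the ECDHE/DHE, RSA/ECDSA, AES-GCM and CHACHA20-POLY1305 families posted here, and it reports whether a ciphers value names any TLS 1.3 suite.

```python
import re

# OpenSSL name -> JSSE/IANA name. Constructed converter (assumption): it handles
# only ECDHE/DHE + RSA/ECDSA with AES-GCM or CHACHA20-POLY1305, as in this thread.
KEY_EXCHANGE = {"ECDHE", "DHE"}
AUTH = {"RSA", "ECDSA"}

# TLS 1.3 suites (RFC 8446) carry no key-exchange/auth prefix and are spelled
# the same way by OpenSSL and JSSE.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}


def openssl_to_jsse(name: str) -> str:
    """Translate one OpenSSL-style suite name to its JSSE/IANA spelling."""
    if name.startswith("TLS_"):
        return name  # already JSSE/IANA form; this also covers TLS 1.3 names
    parts = name.split("-")
    if len(parts) < 3 or parts[0] not in KEY_EXCHANGE or parts[1] not in AUTH:
        raise ValueError(f"unsupported OpenSSL suite name: {name}")
    bulk = "_".join(parts[2:])                        # AES128_GCM_SHA256
    bulk = re.sub(r"^AES(128|256)", r"AES_\1", bulk)  # AES_128_GCM_SHA256
    if bulk == "CHACHA20_POLY1305":                   # OpenSSL omits the PRF hash
        bulk += "_SHA256"
    return f"TLS_{parts[0]}_{parts[1]}_WITH_{bulk}"


def analyse_ciphers(ciphers_attr: str) -> dict:
    """Normalise a Tomcat ciphers="..." value and report its TLS 1.3 coverage."""
    jsse = [openssl_to_jsse(c.strip()) for c in ciphers_attr.split(":") if c.strip()]
    tls13 = [c for c in jsse if c in TLS13_SUITES]
    return {"jsse": jsse, "tls13": tls13, "offers_tls13": bool(tls13)}


# The two lists posted in this thread.
ORIGINAL_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
CONVERTED_LIST = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
)

if __name__ == "__main__":
    for label, lst in (("original", ORIGINAL_LIST), ("converted", CONVERTED_LIST)):
        print(f"{label}: TLS 1.3 suites = {analyse_ciphers(lst)['tls13'] or 'none'}")
```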
AW: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
> -Original Message-
> From: Christopher Schultz
> Sent: Friday, 29 April 2022 01:10
> To: users@tomcat.apache.org
> Subject: Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
>
> Kaushal,
>
> On 4/28/22 15:37, Kaushal Shriyan wrote:
> > [...]
>
> You must use HTTPS to connect to a server in order for the HSTS header to be respected.
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
>
> [...]
>
> Is your server available via https:// ? If you are running on port 80, that doesn't tell us if it's encrypted.
>
> If you are enabling HSTS, how do you expect users to connect to your service if you are running non-secure HTTP on port 8080?
>
> -chris

Hello,
according to https://github.com/Oreste-Luci/apache-tomcat-8.0.26-src/blob/master/java/org/apache/catalina/filters/HttpHeaderSecurityFilter.java the headers are set, if request.isSecure is set to true.

So it depends on within the server.xml
If behind a proxy with SSL Offloading, this flag can also be set on a plain http connection.

Greetings,
Thomas
Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
Kaushal,

On 4/28/22 15:37, Kaushal Shriyan wrote:
> On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu wrote:
> > This is what I am using. Hope this helps.
> >
> > https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html
>
> Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable HTTP Strict Transport Security (HSTS). I will be unable to run tomcat service on port 443 as it is a privileged port for root user only. Currently I am running tomcat service as tomcat user on port 8080.

You must use HTTPS to connect to a server in order for the HSTS header to be respected.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

"
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
"

Is your server available via https:// ? If you are running on port 80, that doesn't tell us if it's encrypted.

If you are enabling HSTS, how do you expect users to connect to your service if you are running non-secure HTTP on port 8080?

-chris
Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
On Fri, Apr 29, 2022 at 12:44 AM Peter Chiu wrote:
> This is what I am using. Hope this helps.
>
> https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html

Thanks Peter. Do I need to run tomcat on port 443 or 8443 to enable HTTP Strict Transport Security (HSTS). I will be unable to run tomcat service on port 443 as it is a privileged port for root user only. Currently I am running tomcat service as tomcat user on port 8080. Please suggest further. Thanks in advance

Best Regards,

Kaushal
Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
This is what I am using. Hope this helps.

https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html

On Thu, Apr 28, 2022 at 3:11 PM Kaushal Shriyan wrote:
> Hi,
>
> I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core) and trying to configure HTTP Strict Transport Security (HSTS) using /opt/tomcat9/conf/web.xml
>
> [...]
>
> When I scan the https://tomcatURL FQDN using https://www.ssllabs.com/ssltest/ I do not see the Strict Transport Security response header. Please guide me. Thanks in advance
>
> Best Regards,
>
> Kaushal
Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x
Hi,

I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009 (Core) and trying to configure HTTP Strict Transport Security (HSTS) using /opt/tomcat9/conf/web.xml

# ./version.sh
Using CATALINA_BASE: /opt/tomcat9
Using CATALINA_HOME: /opt/tomcat9
Using CATALINA_TMPDIR: /opt/tomcat9/temp
Using JRE_HOME: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64
Using CLASSPATH: /opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar
Using CATALINA_OPTS:
Server version: Apache Tomcat/9.0.56
Server built: Dec 2 2021 14:30:07 UTC
Server number: 9.0.56.0
OS Name: Linux
OS Version: 3.10.0-1160.62.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_322-b06
JVM Vendor: Red Hat, Inc.
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
#

*/opt/tomcat9/conf/web.xml*

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

When I scan the https://tomcatURL FQDN using https://www.ssllabs.com/ssltest/ I do not see the Strict Transport Security response header. Please guide me. Thanks in advance

Best Regards,

Kaushal
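The replies in this thread make two points about this configuration: HttpHeaderSecurityFilter only emits the header when request.isSecure() is true, and a browser only honours it when the response arrives over HTTPS. The script below is an added example, not code from the thread or from Tomcat: it parses a Strict-Transport-Security value as RFC 6797 describes and checks a response against the policy configured above (max-age 31536000 with includeSubDomains). The sample responses are constructed, and the scheme and header dictionary are assumed to come from whatever client fetched the page.

```python
EXPECTED_MAX_AGE = 31536000  # hstsMaxAgeSeconds configured in the web.xml above


def parse_hsts(value: str) -> dict:
    """Split an STS header value into directives (RFC 6797 6.1; names are case-insensitive)."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form is allowed
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")  # whole header is invalid
        directives[name] = val
    return directives


def evaluate_hsts(scheme: str, headers: dict, min_max_age: int = EXPECTED_MAX_AGE) -> dict:
    """Decide, as a browser would, whether the STS policy in a response counts."""
    # ok is True only if the response came over HTTPS, carries a well-formed
    # header with max-age, and max-age is at least min_max_age.
    hdr = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    result = {"header_present": hdr is not None, "ok": False, "reasons": []}
    if scheme.lower() != "https":
        result["reasons"].append("received over plain HTTP; browsers ignore STS here")
    if hdr is None:
        result["reasons"].append("no Strict-Transport-Security header in response")
        return result
    try:
        d = parse_hsts(hdr)
        max_age = int(d["max-age"])
    except (ValueError, KeyError):
        result["reasons"].append("malformed header or missing max-age")
        return result
    result["max_age"] = max_age
    result["include_subdomains"] = "includesubdomains" in d
    if max_age < min_max_age:
        result["reasons"].append(f"max-age {max_age} is below the expected {min_max_age}")
    result["ok"] = not result["reasons"]
    return result


# Constructed sample responses (not captured from a real server).
OK_RESPONSE = {"Strict-Transport-Security": "max-age=31536000;includeSubDomains"}
NO_HEADER = {"Content-Type": "text/html"}  # what you get when request.isSecure() is false

if __name__ == "__main__":
    for scheme, hdrs in (("https", OK_RESPONSE), ("http", OK_RESPONSE), ("https", NO_HEADER)):
        print(scheme, evaluate_hsts(scheme, hdrs))
```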