Re: Configuring Tomcat to support TLSv1.2

2016-07-11 Thread Joleen Barker
Hello All,

I wanted to get back to you on this issue since working with the vendor.
Updating the SSL_VERSION parameter was the correct thing to do in this case for
this product, but it did not have an effect on the outgoing communications
when the application was acting as the client. There was no built-in way to
set the product to use TLSv1.2 when reaching out to the remote server. It
always used TLSv1.0 unless I had only TLSv1.2 defined in the SSL_VERSION,
which we would not want to do as then we would lose the ability to support
those connecting to us using TLSv1.0 or 1.1. So it is really the way the
application is coded that caused the issue. I am waiting now for a defect
fix from the vendor. The fix will allow us to specifically program a
specific TLS version if a customer has a requirement to only allow a
specific one, so it will not automatically use TLSv1.0.

Let me know if you have any questions and I will try my best to answer.

Thanks for the help again.

Joleen

On Fri, Jun 24, 2016 at 5:04 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Daniel,
>
> On 6/24/16 3:42 PM, Daniel Savard wrote:
> > 2016-06-24 11:50 GMT-04:00 Joleen Barker
> > :
> >
> >> Hi Chris,
> >>
> >> The SSL_VERSION parameter was already defined by the vendor.
> >>
> >>
> > I still would delete the SSL_VERSION from the catalina.sh or
> > comment it at least and adopt the suggested approach to configure
> > everything in the server.xml file instead.
>
> I believe the SSL_VERSION isn't affecting the configuration of the
> server at all, but the application's client configuration (in its role
> as a proxy).
>
> > Without a specific definition of the SSL_VERSION, there will be no
> > constraints on the versions at this point. This SSL_VERSION
> > environment variable will bite you when you will need to upgrade
> > Tomcat to another version.
> >
> >
> >> The web application we use allows users to connect to it via FTP,
> >> FTPS, SSH, AS2, HTTPS, HTTP, etc. to transfer files through it to
> >> different back end servers. The web application is a proxy.
> >>
> >> Without me making the change to the predefined SSL_VERSION
> >> parameter that was originally configured as
> >> "-Dhttps.protocols=TLSv1" to now be configured to
> >> "-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2" (thank you for
> >> correcting my typo) our remote party that uses an AS2 client
> >> that is locked down to only using TLSv1.2 connections could now
> >> connect to us successfully and upload a file. So with this change
> >> I was able to get the client to connect to the Tomcat
> >> server. But I am unable to accomplish a successful connection
> >> when Tomcat is acting as the client to reach the remote AS2
> >> server for us to send a file to them. It appears we are not
> >> connecting to them using TLSv1.2 and therefore we are dropped. I
> >> have a ticket open with the vendor on this but they don't seem to
> >> be any help. I was trying to open the Java console on the UNIX
> >> server but I am unable to as I do not have any X11 setup. I am
> >> unable to find a command line option to set what is allowed in
> >> the Java application itself. On one of our test servers a
> >> colleague could open the console and we saw that none of the TLS
> >> options were enabled and only SSLv3 was. I am not sure if
> >> this is the case with this server that I am working on that we
> >> have an outside connection open to be able to work with the
> >> outside customer.  I am unsure if this change would allow us to
> >> reach them. I didn't know what the catalina.sh TLSv1.2 change
> >> versus changing the Java application TLSv1.2 change is really
> >> responsible for. (I know enough to break stuff...lol) The vendor
> >> is not much help. It's very frustrating so I reach out to this
> >> community and get the help I need.
> >>
> >>
> > The connection that isn't working is initiated by the web
> > application on your Tomcat server as far as I understand. If so,
> > then there is no configuration at the Tomcat level that will
> > resolve this issue. You must look at the SSL debugging info to see
> > what is going on in the negotiation with the remote party. To do
> > that, use the -Djavax.net.debug=ssl option to the JVM and look at
> > the log files (probably catalina.out) You should see the
> > handshaking protocol negotiation.
>
> +1
>
> Or, if possible, have a look at the application's code to see how it's
> configuring itself. Many components that give access to TLS don't
> provide a way to configure it (grr) so it's possible that system
> properties are the only way to go.
>
> > Perhaps your application is not sending a valid certificate or no
> > certificate at all or something like that, which then has nothing
> > to do with the inability to perform a full TLSv1.2 handshaking
> > procedure. Did this connection work previously using a less secure
> > protocol?
> >
> >
> >> 

Re: Configuring Tomcat to support TLSv1.2

2016-06-24 Thread Christopher Schultz

Daniel,

On 6/24/16 3:42 PM, Daniel Savard wrote:
> 2016-06-24 11:50 GMT-04:00 Joleen Barker
> :
> 
>> Hi Chris,
>> 
>> The SSL_VERSION parameter was already defined by the vendor.
>> 
>> 
> I still would delete the SSL_VERSION from the catalina.sh or
> comment it at least and adopt the suggested approach to configure
> everything in the server.xml file instead.

I believe the SSL_VERSION isn't affecting the configuration of the
server at all, but the application's client configuration (in its role
as a proxy).

> Without a specific definition of the SSL_VERSION, there will be no 
> constraints on the versions at this point. This SSL_VERSION 
> environment variable will bite you when you will need to upgrade 
> Tomcat to another version.
> 
> 
>> The web application we use allows users to connect to it via FTP,
>> FTPS, SSH, AS2, HTTPS, HTTP, etc. to transfer files through it to
>> different back end servers. The web application is a proxy.
>> 
>> Without me making the change to the predefined SSL_VERSION
>> parameter that was originally configured as
>> "-Dhttps.protocols=TLSv1" to now be configured to 
>> "-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2" (thank you for
>> correcting my typo) our remote party that uses an AS2 client
>> that is locked down to only using TLSv1.2 connections could now
>> connect to us successfully and upload a file. So with this change
>> I was able to get the client to connect to the Tomcat
>> server. But I am unable to accomplish a successful connection 
>> when Tomcat is acting as the client to reach the remote AS2
>> server for us to send a file to them. It appears we are not
>> connecting to them using TLSv1.2 and therefore we are dropped. I
>> have a ticket open with the vendor on this but they don't seem to
>> be any help. I was trying to open the Java console on the UNIX
>> server but I am unable to as I do not have any X11 setup. I am
>> unable to find a command line option to set what is allowed in 
>> the Java application itself. On one of our test servers a
>> colleague could open the console and we saw that none of the TLS
>> options were enabled and only SSLv3 was. I am not sure if
>> this is the case with this server that I am working on that we
>> have an outside connection open to be able to work with the
>> outside customer.  I am unsure if this change would allow us to 
>> reach them. I didn't know what the catalina.sh TLSv1.2 change
>> versus changing the Java application TLSv1.2 change is really
>> responsible for. (I know enough to break stuff...lol) The vendor
>> is not much help. It's very frustrating so I reach out to this
>> community and get the help I need.
>> 
>> 
> The connection that isn't working is initiated by the web
> application on your Tomcat server as far as I understand. If so,
> then there is no configuration at the Tomcat level that will
> resolve this issue. You must look at the SSL debugging info to see
> what is going on in the negotiation with the remote party. To do
> that, use the -Djavax.net.debug=ssl option to the JVM and look at
> the log files (probably catalina.out) You should see the
> handshaking protocol negotiation.

+1

Or, if possible, have a look at the application's code to see how it's
configuring itself. Many components that give access to TLS don't
provide a way to configure it (grr) so it's possible that system
properties are the only way to go.

> Perhaps your application is not sending a valid certificate or no 
> certificate at all or something like that, which then has nothing
> to do with the inability to perform a full TLSv1.2 handshaking
> procedure. Did this connection work previously using a less secure
> protocol?
> 
> 
>> Another interesting thing I found in my testing after the change
>> to the SSL_VERSION was in place was when I connected to the web
>> application using FTPS client using FileZilla in Debug mode to be
>> able to see the connection logging, not only was the key
>> presented to the client from the server using TLSv1.2 but the
>> entire communication used TLSv1.2. Before the change only the key
>> was presented to the client using TLSv1.2 and the rest of the 
>> communications showed TLSv1.0. So somehow the change to the
>> SSL_VERSION parameter allowed this. I am of course the kid that
>> turns around and asks "but why" :-)
> 
> Because previously you didn't complete the TLSv1.2 protocol
> handshaking process given the fact your server didn't support it. It
> then negotiated a lesser protocol understood by both parties which
> happened to be TLSv1.0 (the one set by the previous value of
> SSL_VERSION in your catalina.sh startup file).

Yep. This is going to come down to the capabilities of the JVM +
application + support libraries. The good news is you've confirmed
that Tomcat itself can handle an incoming TLSv1.2 connection. That
means that the JVM can support it, so that's one piece of the puzzle
you don't 

RE: Configuring Tomcat to support TLSv1.2

2016-06-24 Thread Caldarale, Charles R
> From: Daniel Savard [mailto:daniel.sav...@gmail.com] 
> Subject: Re: Configuring Tomcat to support TLSv1.2

> > The SSL_VERSION parameter was already defined by the vendor.

> I still would delete the SSL_VERSION from the catalina.sh or comment it at
> least and adopt the suggested approach to configure everything in the
> server.xml file instead.

The proper place to define environment variables is in bin/setenv.sh, not 
catalina.sh nor startup.sh.  The setenv.sh file (when present) is automatically 
invoked by catalina.sh during Tomcat startup. 

 - Chuck





Re: Configuring Tomcat to support TLSv1.2

2016-06-24 Thread Daniel Savard
2016-06-24 11:50 GMT-04:00 Joleen Barker :

> Hi Chris,
>
> The SSL_VERSION parameter was already defined by the vendor.
>
>
I still would delete the SSL_VERSION from the catalina.sh or comment it at
least and adopt the suggested approach to configure everything in the
server.xml file instead. Without a specific definition of the SSL_VERSION,
there will be no constraints on the versions at this point. This
SSL_VERSION environment variable will bite you when you will need to
upgrade Tomcat to another version.


> The web application we use allows users to connect to it via FTP, FTPS,
> SSH, AS2, HTTPS, HTTP, etc. to transfer files through it to different back
> end servers. The web application is a proxy.
>
> Without me making the change to the predefined SSL_VERSION parameter that
> was originally configured as "-Dhttps.protocols=TLSv1" to now be configured
> to
> "-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2" (thank you for correcting my
> typo) our remote party that uses an AS2 client that is locked down to only
> using TLSv1.2 connections could now connect to us successfully and upload a
> file. So with this change I was able to get the client to connect to
> the Tomcat server. But I am unable to accomplish a successful connection
> when Tomcat is acting as the client to reach the remote AS2 server for us
> to send a file to them. It appears we are not connecting to them using
> TLSv1.2 and therefore we are dropped. I have a ticket open with the vendor
> on this but they don't seem to be any help. I was trying to open the Java
> console on the UNIX server but I am unable to as I do not have any X11
> setup. I am unable to find a command line option to set what is allowed in
> the Java application itself. On one of our test servers a colleague could
> open the console and we saw that none of the TLS options were enabled
> and only SSLv3 was. I am not sure if this is the case with this server that
> I am working on that we have an outside connection open to be able to work
> with the outside customer.  I am unsure if this change would allow us to
> reach them. I didn't know what the catalina.sh TLSv1.2 change versus
> changing the Java application TLSv1.2 change is really responsible for. (I
> know enough to break stuff...lol) The vendor is not much help. It's very
> frustrating so I reach out to this community and get the help I need.
>
>
The connection that isn't working is initiated by the web application on
your Tomcat server as far as I understand. If so, then there is no
configuration at the Tomcat level that will resolve this issue. You must
look at the SSL debugging info to see what is going on in the negotiation
with the remote party. To do that, use the -Djavax.net.debug=ssl option to
the JVM and look at the log files (probably catalina.out) You should see
the handshaking protocol negotiation.

Perhaps your application is not sending a valid certificate or no
certificate at all or something like that, which then has nothing to do
with the inability to perform a full TLSv1.2 handshaking procedure. Did this
connection work previously using a less secure protocol?


> Another interesting thing I found in my testing after the change to the
> SSL_VERSION was in place was when I connected to the web application using
> FTPS client using FileZilla in Debug mode to be able to see the connection
> logging, not only was the key presented to the client from the server using
> TLSv1.2 but the entire communication used TLSv1.2. Before the change only
> the key was presented to the client using TLSv1.2 and the rest of the
> communications showed TLSv1.0. So somehow the change to the SSL_VERSION
> parameter allowed this. I am of course the kid that turns around and asks
> "but why" :-)
>
>
Because previously you didn't complete the TLSv1.2 protocol handshaking
process given the fact your server didn't support it. It then negotiated a
lesser protocol understood by both parties which happened to be TLSv1.0 (the
one set by the previous value of SSL_VERSION in your catalina.sh startup
file).

-
Daniel Savard


Re: Configuring Tomcat to support TLSv1.2

2016-06-24 Thread Daniel Savard
2016-06-24 11:15 GMT-04:00 Christopher Schultz :

> No SSL_VERSION environment variable is recognized by a stock Tomcat.

I see; however, what I meant was that the SSL_VERSION variable isn't defined
in the vanilla catalina.sh script. Joleen cleared this up in her next post,
saying it was set up by the vendor. I was assuming she was working from a
vanilla installation someone else had customized somewhat, hence my
suggestion to stick to the vanilla catalina.sh and so on.

-
Daniel Savard


Re: Configuring Tomcat to support TLSv1.2

2016-06-24 Thread Joleen Barker
Hi Chris,

The SSL_VERSION parameter was already defined by the vendor.

The web application we use allows users to connect to it via FTP, FTPS,
SSH, AS2, HTTPS, HTTP, etc. to transfer files through it to different back
end servers. The web application is a proxy.

Without me making the change to the predefined SSL_VERSION parameter that
was originally configured as "-Dhttps.protocols=TLSv1" to now be configured
to
"-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2" (thank you for correcting my
typo) our remote party that uses an AS2 client that is locked down to only
using TLSv1.2 connections could now connect to us successfully and upload a
file. So with this change I was able to get the client to connect to
the Tomcat server. But I am unable to accomplish a successful connection
when Tomcat is acting as the client to reach the remote AS2 server for us
to send a file to them. It appears we are not connecting to them using
TLSv1.2 and therefore we are dropped. I have a ticket open with the vendor
on this but they don't seem to be any help. I was trying to open the Java
console on the UNIX server but I am unable to as I do not have any X11
setup. I am unable to find a command line option to set what is allowed in
the Java application itself. On one of our test servers a colleague could
open the console and we saw that none of the TLS options were enabled
and only SSLv3 was. I am not sure if this is the case with this server that
I am working on that we have an outside connection open to be able to work
with the outside customer.  I am unsure if this change would allow us to
reach them. I didn't know what the catalina.sh TLSv1.2 change versus
changing the Java application TLSv1.2 change is really responsible for. (I
know enough to break stuff...lol) The vendor is not much help. It's very
frustrating so I reach out to this community and get the help I need.

Another interesting thing I found in my testing after the change to the
SSL_VERSION was in place was when I connected to the web application using
FTPS client using FileZilla in Debug mode to be able to see the connection
logging, not only was the key presented to the client from the server using
TLSv1.2 but the entire communication used TLSv1.2. Before the change only
the key was presented to the client using TLSv1.2 and the rest of the
communications showed TLSv1.0. So somehow the change to the SSL_VERSION
parameter allowed this. I am of course the kid that turns around and asks
"but why" :-)

-Joleen

On Fri, Jun 24, 2016 at 11:15 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Daniel,
>
> On 6/22/16 12:59 AM, Daniel Savard wrote:
> > 2016-06-21 19:08 GMT-04:00 Joleen Barker
> > :
> >
> >> Hello Daniel,
> >>
> >> Thank you for your replies.
> >>
> >> Yes, I have the Java build 1.7.0_71 installed and I have the
> >> Unlimited security package installed as the application from the
> >> vendor requires it.
> >>
> >> Ok, you say never to edit catalina.sh. I can change it back.
> >> The setting originally was SSL_VERSION="-Dhttps.protocol=TLSv1"
> >>
> >>
> > I believe this is not from the original version of the file. I no
> > longer have any Tomcat 7 installed to check this; however, checking
> > my Tomcat 8 catalina.sh, there is no SSL_VERSION
> > environment variable anywhere. If you have an already
> > modified catalina.sh, it will be difficult to provide any
> > meaningful guidance.
>
> +1
>
> No SSL_VERSION environment variable is recognized by a stock Tomcat.
>
> Furthermore, the system property "https.protocols" (note that it's
> plural, and Jolene had used the singular noun) only affects the
> default configuration for HttpsURLConnection and URL.openStream calls.
>
> https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https
>
> >> Why is it set to only one version in the catalina.sh? What is
> >> having this set to one version limiting us to?
> >>
> >>
> > It seems your catalina.sh has already been modified by someone
> > else. This doesn't look like the vanilla version of the catalina.sh
> > file.
> >
> >
> >> Our connector has this set in it:
> >>
> >> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
> >>
> >> Is this all we need to allow TLSv1.2 clients to come in and for
> >> Tomcat acting as a client to go out as TLSv1.2?
> >
> > You didn't provide enough details about your connector, so, read
> > this page:
> > https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
>
> The above should be all you need. In fact, current Tomcat versions
> should out-of-the-box support TLSv1.0, TLSv1.1, and TLSv1.2 assuming
> that the JVM supports those protocols as well.
>
> > I assume you are configuring a NIO or BIO connector, then
> > sslProtocol="TLS" is the only needed attribute to support TLSv1,
> > TLSv1.1 and TLSv1.2. The sslEnabledProtocols attribute is not
> > necessary since it overlaps with 

Re: Configuring Tomcat to support TLSv1.2

2016-06-24 Thread Christopher Schultz

Daniel,

On 6/22/16 12:59 AM, Daniel Savard wrote:
> 2016-06-21 19:08 GMT-04:00 Joleen Barker
> :
> 
>> Hello Daniel,
>> 
>> Thank you for your replies.
>> 
>> Yes, I have the Java build 1.7.0_71 installed and I have the
>> Unlimited security package installed as the application from the
>> vendor requires it.
>> 
>> Ok, you say never to edit catalina.sh. I can change it back.
>> The setting originally was SSL_VERSION="-Dhttps.protocol=TLSv1"
>> 
>> 
> I believe this is not from the original version of the file. I no
> longer have any Tomcat 7 installed to check this; however, checking
> my Tomcat 8 catalina.sh, there is no SSL_VERSION
> environment variable anywhere. If you have an already
> modified catalina.sh, it will be difficult to provide any
> meaningful guidance.

+1

No SSL_VERSION environment variable is recognized by a stock Tomcat.

Furthermore, the system property "https.protocols" (note that it's
plural, and Jolene had used the singular noun) only affects the
default configuration for HttpsURLConnection and URL.openStream calls.

https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

>> Why is it set to only one version in the catalina.sh? What is
>> having this set to one version limiting us to?
>> 
>> 
> It seems your catalina.sh has already been modified by someone
> else. This doesn't look like the vanilla version of the catalina.sh
> file.
> 
> 
>> Our connector has this set in it:
>> 
>> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
>> 
>> Is this all we need to allow TLSv1.2 clients to come in and for
>> Tomcat acting as a client to go out as TLSv1.2?
> 
> You didn't provide enough details about your connector, so, read
> this page: 
> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

The above should be all you need. In fact, current Tomcat versions
should out-of-the-box support TLSv1.0, TLSv1.1, and TLSv1.2 assuming
that the JVM supports those protocols as well.

> I assume you are configuring a NIO or BIO connector, then
> sslProtocol="TLS" is the only needed attribute to support TLSv1,
> TLSv1.1 and TLSv1.2. The sslEnabledProtocols attribute is not
> necessary since it overlaps with the sslProtocol attribute. Note if you
> do not specify this attribute it defaults to TLS anyway.
> 
> If you read the documentation page above, you will see the
> sslProtocol attribute is actually passing the value to Java 7.
> That's why there is no need to tamper with the catalina.sh to try
> to set this for Java beforehand. The proper way to configure
> Tomcat is to modify files in the conf directory only. Playing with
> files in bin and lib is not a recommended approach.

+1

Jolene, how are you determining that Tomcat is *not* handling TLSv1.2?

- -chris
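Chris asks how Joleen is determining that Tomcat is not handling TLSv1.2. One direct way to check a listener, independent of what FileZilla or the Java console report, is to offer it exactly one protocol version per connection and record which handshakes complete. The probe below is an added example, not code from this thread or from Tomcat; the host and port are command-line arguments, it needs network reachability to the server under test, and it uses the JVM's default trust store, so a certificate-path failure shows up in the message of the same exception as a protocol refusal and has to be read apart from it.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Probes a TLS listener (Tomcat HTTPS, FTPS control port, AS2 endpoint) one
 * protocol version at a time. Each attempt enables ONLY that version on the
 * client socket, so a completed handshake proves the server accepts it and a
 * handshake failure proves it does not, with no fallback to muddy the result.
 *
 * Example code written for this page; class and method names are assumed.
 */
public class TlsProtocolProbe {

    static final String[] CANDIDATES = { "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };

    /** Maps each candidate version to "accepted (...)" or a failure description. */
    public static Map<String, String> probe(String host, int port, int timeoutMillis) {
        Map<String, String> results = new LinkedHashMap<String, String>();
        for (String version : CANDIDATES) {
            results.put(version, probeOne(host, port, version, timeoutMillis));
        }
        return results;
    }

    static String probeOne(String host, int port, String version, int timeoutMillis) {
        SSLSocket socket = null;
        try {
            // A "TLSv1.2" context so that TLSv1.1/1.2 are available to enable at all;
            // on Java 7 a plain "TLS" context would not offer them from the client side.
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(null, null, null);                     // default key and trust managers
            SSLSocketFactory factory = ctx.getSocketFactory();
            socket = (SSLSocket) factory.createSocket();    // unconnected socket
            socket.setEnabledProtocols(new String[] { version }); // offer exactly one version
            socket.setSoTimeout(timeoutMillis);
            socket.connect(new InetSocketAddress(host, port), timeoutMillis);
            socket.startHandshake();                        // forces the negotiation now
            return "accepted (" + socket.getSession().getProtocol()
                    + ", " + socket.getSession().getCipherSuite() + ")";
        } catch (SSLHandshakeException e) {
            // Covers both a refused version (handshake_failure / protocol_version
            // alerts, or "No appropriate protocol" when the JVM itself disables it)
            // and certificate problems ("PKIX path ..."); the message tells them apart.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        } finally {
            if (socket != null) {
                try { socket.close(); } catch (IOException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java TlsProtocolProbe <host> <port>");
            System.exit(2);
        }
        Map<String, String> results = probe(args[0], Integer.parseInt(args[1]), 5000);
        for (Map.Entry<String, String> e : results.entrySet()) {
            System.out.println(e.getKey() + ": " + e.getValue());
        }
    }
}
```

Run it once against the Tomcat connector and once against the remote AS2 server. For the inbound side, a connector with sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" should show TLSv1.2 accepted and SSLv3 rejected. For the outbound side the probe tells you what the remote party accepts, which is separate from what the application actually offers; the latter is what -Djavax.net.debug=ssl on the application's own JVM shows, and that is where Daniel's suggestion comes in.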



Re: Configuring Tomcat to support TLSv1.2

2016-06-21 Thread Daniel Savard
2016-06-21 19:08 GMT-04:00 Joleen Barker :

> Hello Daniel,
>
> Thank you for your replies.
>
> Yes, I have the Java build 1.7.0_71 installed and I have the Unlimited
> security package installed as the application from the vendor requires it.
>
> Ok, you say never to edit catalina.sh. I can change it back. The
> setting originally was SSL_VERSION="-Dhttps.protocol=TLSv1"
>
>
I believe this is not from the original version of the file. I no
longer have any Tomcat 7 installed to check this; however, checking my
Tomcat 8 catalina.sh, there is no SSL_VERSION environment variable
anywhere. If you have an already modified catalina.sh, it will be
difficult to provide any meaningful guidance.


> Why is it set to only one version in the catalina.sh? What is having this
> set to one version limiting us to?
>
>
It seems your catalina.sh has already been modified by someone else. This
doesn't look like the vanilla version of the catalina.sh file.


> Our connector has this set in it:
>
> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
>
> Is this all we need to allow TLSv1.2 clients to come in and for Tomcat
> acting as a client to go out as TLSv1.2?


You didn't provide enough details about your connector, so, read this page:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

I assume you are configuring a NIO or BIO connector, then sslProtocol="TLS"
is the only needed attribute to support TLSv1, TLSv1.1 and TLSv1.2. The
sslEnabledProtocols attribute is not necessary since it overlaps with the
sslProtocol attribute. Note if you do not specify this attribute it
defaults to TLS anyway.

If you read the documentation page above, you will see the sslProtocol
attribute is actually passing the value to Java 7. That's why there is no
need to tamper with the catalina.sh to try to set this for Java beforehand.
The proper way to configure Tomcat is to modify files in the conf
directory only. Playing with files in bin and lib is not a recommended
approach.


Daniel Savard


Re: Configuring Tomcat to support TLSv1.2

2016-06-21 Thread Joleen Barker
Hello Daniel,

Thank you for your replies.

Yes, I have the Java build 1.7.0_71 installed and I have the Unlimited
security package installed as the application from the vendor requires it.

Ok, you say never to edit catalina.sh. I can change it back. The
setting originally was SSL_VERSION="-Dhttps.protocol=TLSv1"

Why is it set to only one version in the catalina.sh? What is having this
set to one version limiting us to?

Our connector has this set in it:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"

Is this all we need to allow TLSv1.2 clients to come in and for Tomcat
acting as a client to go out as TLSv1.2?

-Joleen



On Tue, Jun 21, 2016 at 5:53 PM, Daniel Savard 
wrote:

> 2016-06-21 14:12 GMT-04:00 Joleen Barker :
>
> > Hello Tomcat friends,
> >
> > I am looking for some understanding on what is happening in my
> environment
> > to make sure I am not missing anything in my settings.
> >
> > Basics:
> > 1) OS is GNU/Linux
> > 2) Java is JDK v1.7
> > 3) Tomcat 7
> >
> > First, this question has come up because we needed to allow TLSv1.2
> > connections to our application. I was looking for how someone would do
> this
> > and found 2 items. The first was to set the java https protocol to allow
> > TLSv1.2 because by default java 7 did not have this enabled. The other
> was
> > to set in Tomcat the SSL_VERSION parameter in catalina.sh. The site I
> read
> > to set the SSL_VERSION in the catalina.sh indicated the user had to do
> this
> > because his Tomcat would not talk to another Tomcat without this set.
> When
> > I went in and looked the SSL_VERSION was set to TLSv1, so I added 1.1 and
> > 1.2 with the following command:
> >
> > SSL_VERSION="-Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2"
> >
> > This change was easy to make but I learned a restart was needed for the
> > change to take place.
> >
>
> Never ever edit catalina.sh; this is bad practice and strongly discouraged.
> This file lies in the official binary distribution tree and should never
> be tampered with. There are other ways to configure Tomcat properly. If
> you change the connector properties, which is what you need to do to enable
> TLSv1.2, there is no way around a restart.
>
>
> >
> > Prior to me finding the change to make above I was reading to make the
> > change for Java (not through Tomcat) I would run the command on the
> command
> > line:
> >
> > java -Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2
> >
> > no matter how I ran this the command would not be taken.
> >
> >
> Of course it would not affect any process other than itself. It is totally
> useless to execute this command alone.
>
>
> > I did not think only making the change to the SSL_VERSION was enough but
> my
> > colleague decided to try connecting to the Tomcat server with an SSH
> client
> > and we received the notification that the TLSv1.2 connection was good.
> >
> > We finally were able to get a console working on the server and to our
> > surprise Java's console did not have any of the TLS versions enabled and
> > only the SSL versions.
> >
> > So I am confused here. It doesn't seem like Tomcat is relying on Java's
> > settings matching what is in the catalina.sh file and works without
> setting
> > these in the java console.
> >
> > Why is that?
> >
> > Thanks for improving my knowledge.
> >
> > -Joleen
> >
>
> You need to set up Tomcat properly, otherwise a setting somewhere may be
> overridden elsewhere. For your connector to support TLSv1.2, you need to edit
> the server.xml file and nothing else.
>
> The other thing you will need to do is take the necessary steps for
> your version of Java to support TLSv1.2 if it doesn't support it yet.
> You didn't mention which version of Java 7 exactly you are using. Did you
> install the Unlimited JDK security package?
>
> Did you read the documentation on TLS/SSL?
>  http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> -
> Daniel Savard
>


Re: Configuring Tomcat to support TLSv1.2

2016-06-21 Thread Daniel Savard
2016-06-21 14:12 GMT-04:00 Joleen Barker :

> Hello Tomcat friends,
>
> I am looking for some understanding on what is happening in my environment
> to make sure I am not missing anything in my settings.
>
> Basics:
> 1) OS is GNU/Linux
> 2) Java is JDK v1.7
> 3) Tomcat 7
>
> First, this question has come up because we needed to allow TLSv1.2
> connections to our application. I was looking for how someone would do this
> and found 2 items. The first was to set the java https protocol to allow
> TLSv1.2 because by default java 7 did not have this enabled. The other was
> to set in Tomcat the SSL_VERSION parameter in catalina.sh. The site I read
> to set the SSL_VERSION in the catalina.sh indicated the user had to do this
> because his Tomcat would not talk to another Tomcat without this set. When
> I went in and looked the SSL_VERSION was set to TLSv1, so I added 1.1 and
> 1.2 with the following command:
>
> SSL_VERSION="-Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2"
>
> This change was easy to make but I learned a restart was needed for the
> change to take place.
>

Never ever edit catalina.sh; this is bad practice and strongly discouraged.
This file lies in the official binary distribution tree and should never
be tampered with. There are other ways to configure Tomcat properly. If
you change the connector properties, which is what you need to do to enable
TLSv1.2, there is no way around a restart.


>
> Prior to me finding the change to make above I was reading to make the
> change for Java (not through Tomcat) I would run the command on the command
> line:
>
> java -Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2
>
> no matter how I ran this the command would not be taken.
>
>
Of course it would not affect any process other than itself. It is totally
useless to execute this command alone.


> I did not think only making the change to the SSL_VERSION was enough but my
> colleague decided to try connecting to the Tomcat server with an SSH client
> and we received the notification that the TLSv1.2 connection was good.
>
> We finally were able to get a console working on the server and to our
> surprise Java's console did not have any of the TLS versions enabled and
> only the SSL versions.
>
> So I am confused here. It doesn't seem like Tomcat is relying on Java's
> settings matching what is in the catalina.sh file and works without setting
> these in the java console.
>
> Why is that?
>
> Thanks for improving my knowledge.
>
> -Joleen
>

You need to set up Tomcat properly, otherwise a setting somewhere may be
overridden elsewhere. For your connector to support TLSv1.2, you need to edit
the server.xml file and nothing else.

The other thing you will need to do is take the necessary steps for
your version of Java to support TLSv1.2 if it doesn't support it yet.
You didn't mention which version of Java 7 exactly you are using. Did you
install the Unlimited JDK security package?

Did you read the documentation on TLS/SSL?
 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

-
Daniel Savard