On 8/9/22 16:13, James H. H. Lampert wrote:

On customer box #1, I have:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           address="<REDACTED>"
           maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
           clientAuth="false" sslProtocol="TLSv1.2" />

and an SSLLabs scan shows it accepting only TLSv1.2, as it should.

But on customer box #2, I have:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
           clientAuth="false" sslProtocol="TLSv1.2" />

and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.

What could be wrong here? I vaguely recall seeing something like this before.

I am actually quite clueless about how to configure TLS in Tomcat ... but I can see that you clearly have a difference between the two configs.  The first one has a ciphers="stuff" section and the second one doesn't.  If I had to guess, and I confess I do not know TLS well enough to say anything definitively, I believe the ciphers you have listed in that config will not work with older TLS versions.

An SSL Labs report for my website (which is using haproxy for TLS, none of the backends are Tomcat) shows that it allows three ciphers for TLS 1.3 and three ciphers for TLS 1.2.

1.3: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256
1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

I have more ciphers configured than this, but I am pretty sure that these are the only ones in my configured list that work with the newer TLS versions.

Thanks,
Shawn
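Editor's added example, not part of the thread above. In the legacy JSSE connector attributes used by the BIO Http11Protocol connector shown here (Tomcat 7 / 8.0), `sslProtocol` only names the SSLContext to create; it does not restrict which protocol versions the server will negotiate. Box #1 refuses TLS 1.0/1.1 only as a side effect of its `ciphers` list, because GCM and SHA-256/SHA-384 suites are defined for TLS 1.2 and later, so an older handshake finds no suite in common. Box #2 falls back to the JVM default cipher list, which still includes CBC/SHA-1 suites that TLS 1.0 and 1.1 can use. The connector below pins the version explicitly with `sslEnabledProtocols`, so the restriction no longer depends on the cipher list; the `<REDACTED>` values are placeholders carried over from the post, and `maxThreads` is assumed.

```xml
<!-- Added example: restrict protocol versions explicitly rather than relying on
     the cipher list to reject TLS 1.0/1.1. Attributes are the legacy JSSE
     connector attributes (Tomcat 7 / 8.0); on Tomcat 8.5+ the equivalent is
     <SSLHostConfig protocols="TLSv1.2" ciphers="..."> nested in the Connector. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           clientAuth="false" />
```

After changing the connector, re-run the SSL Labs scan (or any TLS scanner that reports per-version handshake results) on both boxes and confirm that only TLS 1.2 is listed; if a box still accepts an older version, check that the edited server.xml is the one the running instance actually loaded.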


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org