On 8/9/22 16:13, James H. H. Lampert wrote:
> On customer box #1, I have:
>
> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11Protocol" address="<REDACTED>"
> maxThreads="400" SSLEnabled="true" scheme="https"
> secure="true"
> keystoreFile="<REDACTED>/tomcat/wttomcat.ks"
> keyAlias="<REDACTED>"
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
>
> But on customer box #2, I have:
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
> keystoreFile="<REDACTED>/tomcat/wttomcat.ks"
> keyAlias="<REDACTED>"
> clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
>
> What could be wrong here? I vaguely recall seeing something like this
> before.
I am actually quite clueless about how to configure TLS in Tomcat ...
but I can see that you clearly have a difference between the two
configs. The first one has a ciphers="stuff" section and the second one
doesn't. If I had to guess, and I confess I do not know TLS well enough
to say anything definitively, I believe the ciphers you have listed in
that config will not work with older TLS versions.
An SSL Labs report for my website (which is using haproxy for TLS, none
of the backends are Tomcat) shows that it allows three ciphers for TLS
1.3 and three ciphers for TLS 1.2.
1.3: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256
1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
I have more ciphers configured than this, but I am pretty sure that
these are the only ones in my configured list that work with the newer
TLS versions.
Thanks,
Shawn
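As an added illustration (this is not code from the thread, from Tomcat, or from Shawn), the small Python model below works through the difference between the two connectors. It encodes two facts: cipher suites named with SHA256/SHA384, GCM, CCM or ChaCha20 are defined only for TLS 1.2 (and the TLS_AES_*/TLS_CHACHA20_* suites only for TLS 1.3), while the older *_CBC_SHA style suites can be negotiated under TLS 1.0 through 1.2; and in Tomcat's JSSE connector the `sslProtocol` attribute only selects the SSLContext, whereas the versions actually offered come from `sslEnabledProtocols` or, when that attribute is absent, from the JVM's own defaults. The JVM default set (TLSv1, TLSv1.1, TLSv1.2, as on a JDK 8 that has not disabled the old versions in `jdk.tls.disabledAlgorithms`) is an assumption, as are the trimmed-down sample connectors, which keep only the TLS-relevant attributes.

```python
"""Model which TLS versions a Tomcat JSSE <Connector> will actually complete a handshake for."""
import re
import xml.etree.ElementTree as ET

# Assumption: what the JVM enables when sslEnabledProtocols is not set. A JDK 8 before
# 8u291 (which disables TLS 1.0/1.1 via jdk.tls.disabledAlgorithms) enables these three.
ASSUMED_JVM_DEFAULT_PROTOCOLS = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"})
ALL_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

TLS13_SUITE = re.compile(r"TLS_(AES_\d+_(GCM|CCM|CCM_8)|CHACHA20_POLY1305)_SHA\d+")
TLS12_ONLY_SUFFIX = re.compile(r"_SHA(256|384)$|_CCM(_8)?$")


def suite_versions(name):
    """Protocol versions in which a cipher suite (IANA or JSSE name) can be negotiated."""
    n = name.strip().upper()
    if n.startswith("SSL_"):          # JSSE accepts SSL_ as a legacy alias for TLS_
        n = "TLS_" + n[4:]
    if TLS13_SUITE.fullmatch(n):      # RFC 8446 suites exist only in TLS 1.3
        return {"TLSv1.3"}
    if TLS12_ONLY_SUFFIX.search(n):   # SHA-256/384 MAC or PRF, GCM, CCM: TLS 1.2 only
        return {"TLSv1.2"}
    return {"TLSv1", "TLSv1.1", "TLSv1.2"}   # legacy *_CBC_SHA, RC4, 3DES suites


def connector_settings(xml_text):
    """Extract the cipher list and the enabled protocol set from a <Connector/> element."""
    el = ET.fromstring(xml_text)
    ciphers = [c.strip() for c in el.get("ciphers", "").split(",") if c.strip()]
    enabled_attr = el.get("sslEnabledProtocols")
    if enabled_attr:
        enabled = {p.strip() for p in enabled_attr.split(",") if p.strip()}
    else:
        # sslProtocol only picks the SSLContext; it does not restrict the versions offered.
        enabled = set(ASSUMED_JVM_DEFAULT_PROTOCOLS)
    return ciphers, enabled


def accepted_versions(xml_text):
    """Versions a client can finish a handshake with: enabled AND backed by a usable suite."""
    ciphers, enabled = connector_settings(xml_text)
    if ciphers:
        usable = set().union(*(suite_versions(c) for c in ciphers))
    else:
        # No ciphers attribute: the JVM default suite list has suites for every version.
        usable = set(ALL_VERSIONS)
    return [v for v in ALL_VERSIONS if v in enabled and v in usable]


# Constructed samples: the two connectors from the thread reduced to their TLS-relevant
# attributes, plus the second one with sslEnabledProtocols added as the explicit fix.
BOX1 = """<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
  SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
  sslProtocol="TLSv1.2" />"""

BOX2 = """<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
  SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLSv1.2" />"""

BOX2_FIXED = BOX2.replace('sslProtocol="TLSv1.2"',
                          'sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"')

if __name__ == "__main__":
    for label, cfg in (("box #1", BOX1), ("box #2", BOX2),
                       ("box #2 + sslEnabledProtocols", BOX2_FIXED)):
        print(f"{label}: {', '.join(accepted_versions(cfg))}")
```

Run as-is, it reports only TLSv1.2 for box #1 (every listed suite is a TLS 1.2-only suite, so a TLS 1.0 or 1.1 ClientHello finds nothing to negotiate and the handshake fails), TLSv1 through TLSv1.2 for box #2, and only TLSv1.2 once `sslEnabledProtocols="TLSv1.2"` is added. The practical takeaway is to restrict versions with `sslEnabledProtocols` rather than relying on the cipher list as a side effect, and to re-run the SSL Labs scan afterwards, since the JVM's own defaults and `jdk.tls.disabledAlgorithms` also feed into what the server finally offers.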
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org