Thomas,

On 2022-08-10 08:59, Thomas Hoffmann (Speed4Trade GmbH) wrote:
Hello,

-----Original Message-----
From: Peter Kreuser <l...@kreuser.name>
Sent: Wednesday, 10 August 2022 08:44
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"



James,

The most recent connector attribute is "protocols". The documentation is a bit vague on this, saying there is an overlap between the two, yet I don't know if the overlap is there if protocols is unset and defaults to "all"....
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

Peter

> On 10.08.2022 at 00:15, James H. H. Lampert <jam...@touchtonecorp.com.invalid> wrote:
>
> I think this may have come up before, but I don't recall how it was resolved.
>
> On customer box #1, I have:
> <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" address="<REDACTED>"
>           maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
>           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
>           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
>           clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
>
> But on customer box #2, I have:
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
>           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>           keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
>           clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
>
> What could be wrong here? I vaguely recall seeing something like this before.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

I have configured my connector as follows:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           maxThreads="150" minSpareThreads="25"
           URIEncoding="UTF-8" useBodyEncodingForURI="false"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           compression="off" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
                   disableSessionTickets="true"  honorCipherOrder="false"
                   protocols="+TLSv1.2,+TLSv1.3">
        <Certificate certificateKeyFile="../xx.key"
                     certificateFile="../xx.pem"   type="RSA"    />
    </SSLHostConfig>
</Connector>

This gives a good grade when checking with ssllabs.
Only TLS 1.2 and 1.3 are enabled.


Of course SSLHostConfig is the modern and preferred way. But unless you have plenty of time, it's a hassle to migrate many boxes to the new way...

Peter

Greetings, Thomas
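The distinction the thread turns on, `sslProtocol` versus `protocols`, lends itself to a static check over server.xml. The script below is an added example, not code from the thread, from the posters, or from Tomcat: it parses a server.xml, expands each `protocols` value (including the `+`/`-` syntax used in Thomas's SSLHostConfig) the way the Tomcat documentation describes, and flags connectors where only `sslProtocol` is set, so `protocols` keeps its documented default of `all`. The sample server.xml is constructed for the example and modelled on the snippets above; the expansion of `all` (SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3) is my reading of the Tomcat 8.5 documentation.

```python
"""Lint Tomcat server.xml TLS connectors for protocol-version restrictions.

Added example for this thread (not Tomcat's code and not anything posted
by the participants). For every SSL-enabled <Connector> it works out which
TLS versions the `protocols` attribute leaves enabled, whether that
attribute sits on the Connector or on an <SSLHostConfig>, and flags the
case from the thread: only `sslProtocol` is set, so `protocols` silently
keeps its documented default of "all".
"""
import re
import xml.etree.ElementTree as ET

# Expansion of the alias "all" as I read the Tomcat 8.5 documentation
# (SSLv3 is accepted as an explicit token but is not part of "all").
ALL_ALIAS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Anything a scanner like SSLLabs will mark down.
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def expand_protocols(value):
    """Turn a Tomcat `protocols` value into the set of enabled versions.

    Mirrors the documented syntax: tokens separated by commas (or directly
    by a +/- prefix), "all" as an alias, "+name" adds, "-name" removes, and
    the list is evaluated left to right starting from an empty set.
    """
    enabled = set()
    for part in re.split(r"(?=[-+,])", value):  # split *before* + - ,
        token = part.strip()
        if len(token) <= 1:  # empty string or a lone separator
            continue
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:].strip()
        elif token[0] == ",":
            token = token[1:].strip()
        names = ALL_ALIAS if token.lower() == "all" else {token}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_connectors(server_xml):
    """Return one finding per SSL-enabled Connector / SSLHostConfig pair."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # Connector-level TLS attributes act as the implicit default host config.
        owners = conn.findall("SSLHostConfig") or [conn]
        for owner in owners:
            raw = owner.get("protocols")
            enabled = expand_protocols(raw if raw is not None else "all")
            findings.append({
                "port": conn.get("port"),
                "hostName": owner.get("hostName", "_default_"),
                "protocols": raw if raw is not None else "all (default)",
                "enabled": enabled,
                "legacy": sorted(enabled & LEGACY),
                # The thread's trap: sslProtocol selects the SSLContext
                # algorithm; it does not restrict what `protocols` enables.
                "sslProtocol_only": raw is None and owner.get("sslProtocol") is not None,
            })
    return findings


def report(server_xml):
    """One human-readable line per finding (returned, not only printed)."""
    lines = []
    for f in audit_connectors(server_xml):
        status = "OK" if not f["legacy"] else "WEAK: allows " + ", ".join(f["legacy"])
        note = " (only sslProtocol set; protocols defaults to all)" if f["sslProtocol_only"] else ""
        lines.append(f"port {f['port']} [{f['hostName']}] protocols={f['protocols']}: {status}{note}")
    return lines


# Constructed server.xml modelled on the snippets in the thread (not the
# posters' real files): the box #2 pattern, the SSLHostConfig pattern, and a
# connector-level `protocols` fix for installations not yet migrated.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/wttomcat.ks" clientAuth="false" sslProtocol="TLSv1.2"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="+TLSv1.2,+TLSv1.3">
      <Certificate certificateKeyFile="conf/xx.key" certificateFile="conf/xx.pem" type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/wttomcat.ks"
             sslProtocol="TLS" protocols="all,-SSLv2Hello,-TLSv1,-TLSv1.1"/>
</Service></Server>"""


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SERVER_XML)))
```

Run as a file it prints one line per connector; the first sample connector is reported as weak because nothing but `sslProtocol` constrains it. A static lint cannot see what the JVM itself removes through `jdk.tls.disabledAlgorithms` in `java.security` (newer JDK releases disable TLSv1 and TLSv1.1 there), which is one reason two boxes with near-identical server.xml files can scan differently, so treat a clean lint as necessary rather than sufficient and confirm with a live scan (SSLLabs, or `openssl s_client -tls1_1` against the host).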
