On Tue, May 21, 2019 at 5:43 PM Mark Thomas <ma...@apache.org> wrote:
> On 21/05/2019 21:46, Christopher Schultz wrote:
> > All,
> >
> > Looking at the legacy-versus-modern TLS configuration (Connector vs
> > SSLHostConfig), it seems easy for an admin to create a configuration
> > that looks like this (paraphrasing):
> >
> > <Connector SSLEngine="on" SSLEnabledProtocols="TLSv1.2" [...]>
> >   <SSLHostConfig
> >     hostname="mysite.com"
> >     SSLCertificateFile="keystore.p12" />
> > </Connector>
> >
> > Where the expectation is that only TLSv1.2 will be enabled for virtual
> > host mysite.com when in fact only the virtual host named ("_default_")
> > will actually be limited to TLSv1.2 and other hosts will accept
> > connections using a TLS handshake with all default enabled protocols
> > (currently TLSv*).
> >
> > This may be surprising and there is no indication that there is
> > something "wrong" with the configuration. Only a TLS handshake probe
> > such as SSL Labs's testing tool will expose the oversight.
> >
> > I propose the following change to the <Connector> and <SSLHostConfig>
> > initialization process:
> >
> > If the <Connector> contains any TLS/SSL-related configuration AND at
> > least one <SSLHostConfig> element is configured, refuse to start the
> > connector (with an appropriate error message).
> >
> > This may cause a small number of configurations to fail to start. The
> > "workaround" is to re-evaluate one's configuration to (a) determine if
> > there was a misconfiguration where expectation and reality don't match
> > and (b) move all TLS/SSL-related configuration options from the
> > <Connector> to each of the <SSLHostConfig> elements.
> >
> > Any objections?
> Seems like a good idea to me.
>
> None.
>
> Given that the old style configuration is due to be removed in Tomcat
> 10, now is probably a good time to start doing this. I'd add logging a
> warning if the deprecated config style is used.
> +1
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
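The check Christopher proposes (refuse to start a Connector that carries its own TLS attributes and also nests an SSLHostConfig) and the deprecation warning Mark suggests, written as a stand-alone server.xml linter. This is an added example for this page, not Tomcat's own startup code: the sample server.xml is constructed and reuses the thread's paraphrased attribute names (SSLEngine, SSLEnabledProtocols, SSLCertificateFile), and the rule for deciding which Connector attributes count as "TLS-related" is a name-matching heuristic assumed here, with SSLEnabled treated as the on/off switch rather than a setting because both configuration styles need it.

```python
"""Lint a Tomcat server.xml for the mixed TLS configuration discussed in the
thread: legacy Connector-level TLS attributes combined with nested
<SSLHostConfig> elements. Added example, not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment). Port 8443 mixes
# both styles (the thread's case), 8444 is modern-only, 8445 is legacy-only,
# 8080 is plain HTTP. Attribute names follow the thread's paraphrased example.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" SSLEngine="on"
               SSLEnabledProtocols="TLSv1.2" scheme="https" secure="true">
      <SSLHostConfig hostname="mysite.com"
                     SSLCertificateFile="keystore.p12" />
    </Connector>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig SSLCertificateFile="keystore.p12" />
    </Connector>
    <Connector port="8445" SSLEnabled="true" SSLEnabledProtocols="TLSv1.2"
               keystoreFile="keystore.jks" scheme="https" secure="true" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Assumption made for this example: a Connector attribute is a legacy TLS
# *setting* if its name contains one of these markers. SSLEnabled is only the
# on/off switch (both styles require it), so it is deliberately excluded.
TLS_SETTING_MARKERS = ("ssl", "keystore", "truststore", "certificate", "cipher")
SWITCH_ATTRS = {"sslenabled"}


def legacy_tls_attrs(connector):
    """Return the Connector-level attribute names that carry TLS settings."""
    names = []
    for name in connector.attrib:
        low = name.lower()
        if low in SWITCH_ATTRS:
            continue
        if any(marker in low for marker in TLS_SETTING_MARKERS):
            names.append(name)
    return sorted(names)


def find_tls_config_issues(server_xml):
    """Classify every Connector in document order.

    'mixed'  : legacy attributes AND nested SSLHostConfig -> the proposal says
               refuse to start; 'hosts' lists the virtual hosts whose settings
               would otherwise silently diverge from the Connector's.
    'legacy' : legacy attributes only -> the deprecation warning Mark suggests.
    """
    root = ET.fromstring(server_xml)
    issues = []
    for conn in root.iter("Connector"):
        legacy = legacy_tls_attrs(conn)
        if not legacy:
            continue
        # An SSLHostConfig without a hostname is the "_default_" host.
        hosts = [h.get("hostname", "_default_")
                 for h in conn.findall("SSLHostConfig")]
        issues.append({"port": conn.get("port"),
                       "kind": "mixed" if hosts else "legacy",
                       "legacy_attrs": legacy, "hosts": hosts})
    return issues


def render_report(issues):
    """Format issues as the kind of startup messages the proposal asks for."""
    lines = []
    for issue in issues:
        if issue["kind"] == "mixed":
            lines.append("ERROR Connector[%s]: TLS attributes %s on <Connector> are "
                         "combined with <SSLHostConfig> for %s; move them into "
                         "each <SSLHostConfig>"
                         % (issue["port"], issue["legacy_attrs"], issue["hosts"]))
        else:
            lines.append("WARN  Connector[%s]: Connector-level TLS attributes %s "
                         "are deprecated; migrate them to <SSLHostConfig>"
                         % (issue["port"], issue["legacy_attrs"]))
    return lines


if __name__ == "__main__":
    for line in render_report(find_tls_config_issues(SAMPLE_SERVER_XML)):
        print(line)
```

Run against a real server.xml by replacing SAMPLE_SERVER_XML with the file's contents; the 8443 Connector produces the ERROR line, 8445 the WARN line, and 8444 is silent because all of its TLS settings already live on the SSLHostConfig.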