On Tue, May 21, 2019 at 5:43 PM Mark Thomas <ma...@apache.org> wrote:
> On 21/05/2019 21:46, Christopher Schultz wrote:
> > All,
> >
> > Looking at the legacy-versus-modern TLS configuration (Connector vs
> > SSLHostConfig), it seems easy for an admin to create a configuration
> > that looks like this (paraphrasing):
> >
> > <Connector SSLEngine="on" SSLEnabledProtocols="TLSv1.2" [...]>
> > <SSLHostConfig
> > hostname="mysite.com"
> > SSLCertificateFile="keystore.p12" />
> > </Connector>
> >
> > Where the expectation is that only TLSv1.2 will be enabled for virsual
> > host mysite.com when in fact only the virtual host named ("_default_")
> > will actually be limited to TLSv1.2 and other hosts will accept
> > connections using a TLS handshake with all default enabled protocols
> > (currently TLSv*).
> >
> > This may be surprising and there is no indication that there is
> > something "wrong" with the configuration. Only a TLS handshake probe
> > such as SSL Labs's testing tool will expose the oversight.
> >
> > I propose the following change to the <Connector> and <SSLHostConfig>
> > initialization process:
> >
> > If the <Connector> contains any TLS/SSL-related configuration AND at
> > least one <SSLHostConfig> element is configured, refuse to start the
> > connector (with an appropriate error message).
> >
> > This may cause a small number of configurations to fail to start. The
> > "workaround" is to re-evaluate one's configuration to (a) determine if
> > there was a misconfiguration where expectation and reality don't match
> > and (b) move all TLS/SSL-related configuration options from the
> > <Connector> to each of the <SSLHostConfig> elements.
> >
> > Any objections?
>
Seems like a good idea to me.
>
> None.
>
> Given that the old style configuration is due to be removed in Tomcat
> 10, now is probably a good time to start doing this. I'd add logging a
> warning if the deprecated config style is used.
>
+1
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>
