Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

2018-10-06 Thread Усманов Азат Анварович
I've been searching the web for any idea why Chrome can throw an empty response 
error with TLS 1.3 and found this bug 
https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at Fedora. It looks like 
the same sort of problem; interestingly enough, it does have a fix. My 
knowledge of C is quite limited, so could anyone please look at the patch 
provided by these guys and see if it is of any use in the case of tomcat-native?



From: Усманов Азат Анварович 
Sent: 25 September 2018 11:39
To: Tomcat Users List
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

Do I need to file a separate feature request for Tomcat itself?
The one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) 
is for the tomcat-native component. I looked through the Tomcat changelog and found 
that previously TLS 1.2 support was added via an enhancement request to 
tomcat-native (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).

From: Усманов Азат Анварович 
Sent: 20 September 2018 12:05:07
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

I did file a feature enhancement request in Bugzilla:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748


From: Christopher Schultz 
Sent: 19 September 2018 23:31:28
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native


Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

> <!-- The element's opening tag was lost in the archive copy of this post; it is
>      restored here as <Connector without its port attribute, which is not recoverable. -->
> <Connector maxPostSize="10485760" maxHttpHeaderSize="1048576"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            connectionTimeout="2" redirectPort="8443"
>            SSLHonorCipherOrder="true"
>            SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>            SSLCertificateKeyFile="/home/idis/server.key"
>            SSLCertificateChainFile="/home/idis/authorities.crt"
>            maxThreads="350" minSpareThreads="25" SSLEnabled="true"
>            enableLookups="false" disableUploadTimeout="true" acceptCount="100"
>            scheme="https" secure="true" compression="force"
>            SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
> <!-- Two names in the posted list are corrected above: the TLS 1.3 ChaCha20 suite is
>      TLS_CHACHA20_POLY1305_SHA256 (the posted _SHA384 does not exist), and
>      ECDHE-ECDSA-AES256-GCM-SHA256 is not an OpenSSL cipher name (AES-256-GCM pairs
>      with SHA384), so it was dropped. OpenSSL silently skips names it does not know. -->
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as the TLS 1.3 ciphers, so my guess is that more work
> is required for TLS 1.3 to work in my case.

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
-chris

>  From: Christopher Schultz
>  Sent: 18 September 2018 23:27
>  To: users@tomcat.apache.org
>  Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>> using APR/tomcat-native with OpenSSL for TLS connections
>> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have
>> upgraded to it successfully. My question is if and when
>> Tomcat 7 will be upgraded to support TLS 1.3 through
>> APR/tomcat-native/OpenSSL. Do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC 8446 support
>> (which are both scheduled for mid-October: Chrome 70 and Firefox
>> 63), but I would like to know more about it.
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being 
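
Chris's remark that the TLSv1.3 suites must be listed, and the SSLCipherSuite value quoted above, touch an OpenSSL 1.1.1 detail worth checking before filing more bug reports: OpenSSL keeps two separate cipher configurations. The classic cipher-list API (SSL_CTX_set_cipher_list) governs TLS 1.2 and older only; the TLS 1.3 suites have their own API (SSL_CTX_set_ciphersuites) and are enabled by default. TLS_* names placed in a classic cipher-list string are skipped, and a string made only of them is rejected outright. The following is an added example, not code from the thread, from Tomcat or from tomcat-native, that shows this through Python's ssl module, which is a thin wrapper over the same OpenSSL calls. The cipher strings are constructed for the example; the assumption that an SSLCipherSuite value reaches OpenSSL through the classic API is mine, not something the thread states.

```python
"""Added example (not code from the thread or from Tomcat/tomcat-native):
how OpenSSL 1.1.1+ treats TLS 1.3 suite names that appear in a classic
cipher-list string.  Python's ssl module is used because it is a thin
wrapper over the same OpenSSL calls (SSL_CTX_set_cipher_list, SSL_get_ciphers)."""
import ssl

# Constructed cipher strings.  OpenSSL accepts ':' or ',' as separators.
TLS13_ONLY = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
LEGACY_ONLY = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
MIXED = TLS13_ONLY + ":" + LEGACY_ONLY      # shape of the SSLCipherSuite posted above

# True when the libssl Python is linked against is 1.1.1+ with TLS 1.3 compiled in.
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def openssl_build() -> tuple:
    """(OpenSSL version string, TLS 1.3 available) for the linked libssl."""
    return ssl.OPENSSL_VERSION, ssl.HAS_TLSv1_3


def legacy_api_accepts(cipher_string: str) -> bool:
    """True if SSL_CTX_set_cipher_list() accepts the string.

    The classic API skips names it does not know (the TLS_* suites included)
    and fails only when no TLS 1.2-or-older cipher is left in the list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:            # surfaces as "No cipher can be selected."
        return False
    return True


def suites_by_protocol(cipher_string: str) -> dict:
    """Protocol version -> names of the suites enabled after set_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    enabled = {}
    for suite in ctx.get_ciphers():
        enabled.setdefault(suite["protocol"], []).append(suite["name"])
    return enabled


def tls13_suites_unchanged(list_a: str, list_b: str) -> bool:
    """The TLS 1.3 suites come from OpenSSL's separate 'ciphersuites' setting
    (SSL_CTX_set_ciphersuites), so two different classic lists leave them equal."""
    a = set(suites_by_protocol(list_a).get("TLSv1.3", []))
    b = set(suites_by_protocol(list_b).get("TLSv1.3", []))
    return a == b


def tls13_offered(pin_to_tls12: bool) -> bool:
    """The supportedProtocols side of the thread: with no upper bound set,
    OpenSSL may negotiate TLS 1.3; an explicit ceiling of TLSv1.2 rules it out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if pin_to_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ceiling = ctx.maximum_version
    return ssl.HAS_TLSv1_3 and ceiling in (ssl.TLSVersion.MAXIMUM_SUPPORTED,
                                           ssl.TLSVersion.TLSv1_3)


if __name__ == "__main__":
    print("OpenSSL %s, TLS 1.3 available: %s" % openssl_build())
    for label, s in (("TLS13_ONLY", TLS13_ONLY), ("LEGACY_ONLY", LEGACY_ONLY), ("MIXED", MIXED)):
        ok = legacy_api_accepts(s)
        print("%-12s accepted by the cipher-list API: %s" % (label, ok))
        if ok:
            for proto, names in sorted(suites_by_protocol(s).items()):
                print("    %s: %s" % (proto, ", ".join(names)))
    print("TLS 1.3 offered with no ceiling:", tls13_offered(False))
    print("TLS 1.3 offered with ceiling TLSv1.2:", tls13_offered(True))
```

The practical reading: with OpenSSL 1.1.1 the three TLS 1.3 suites are on by default, so listing them in a classic cipher string neither enables nor orders them, and a server that still does not negotiate TLS 1.3 is being held back by something else (a protocol ceiling, or a native layer that has not been taught about the new version), which is what the enhancement request filed above is about. To check a live server rather than a context, `openssl s_client -connect host:443 -tls1_3` from an OpenSSL 1.1.1 client shows the negotiated protocol.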

Re: Redirecting to https URL when https port is accessed with http scheme

2018-10-06 Thread Martynas Jusevičius
Ettra,

see also this thread:
https://mail-archives.apache.org/mod_mbox/tomcat-users/201808.mbox/%3ccae35vmwcm9dkxmvabofgjb5d_oa07a6mrjxwcgknksbzgjh...@mail.gmail.com%3E

I did this with front nginx eventually.
On Sat, Oct 6, 2018 at 7:29 AM ettra lancelot  wrote:
>
> Thank you for the detailed answer, Chris.
>
> On Sat, Oct 6, 2018 at 2:41 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> >
> > Etcy,
> >
> > On 10/5/18 14:57, ettra lancelot wrote:
> > > I would like to know whether it's possible to configure Tomcat to
> > > automatically redirect to the https URL when the https port is accessed
> > > using the http scheme instead of https.
> >
> > There is no way to get Tomcat to do this for you right now.
> >
> > There is, however, the possibility of adding such a feature to Tomcat.
> >
> > If you make an HTTP request to Apache httpd on a TLS-enabled port,
> > you'll get a response that says "Looks like you made a mistake".
> >
> > In the past, that would have been a huge pain in the neck for Tomcat,
> > since the TLS handshake was handled *entirely* by the underlying
> > crypto system (e.g. JSSE or APR/OpenSSL). AIUI, that code has been
> > re-written and Tomcat is buffering everything internally and probing
> > the handshake, etc.
> >
> > It should therefore be possible to respond in the way you describe,
> > but I'm not sure how much appetite there is for issuing a redirect
> > rather than just an informational page such as the one httpd returns.
> >
> > Unfortunately, Bill is incorrect when he says that you can write a
> > Filter for this. No application code will ever see a connection over a
> > connection which failed a TLS handshake.
> >
> > -chris
> >
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org