QID 38863 - Cryptographically Weak Key Exchange Size
Hi All,

A new vulnerability has surfaced regarding TLS and Key Exchange agreement (more specifically the key size.)

"The SSL/TLS server supports key exchanges that are cryptographically weaker than recommended. Key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. An attacker with access to sufficient computational power might be able to recover the session key and decrypt session content."

We would like to know if Apache Tomcat was flagged by having a weak DH (Diffie Hellman) key exchange or ECDH (Elliptic Curve) key exchange or RSA (Rivest - Shamir - Adleman) key exchange. How do we remediate this vulnerability to match the minimum requirements (RSA & DHE=2048; ECDHE= P-256)?

Thanks,
Saicharan
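One way to find out which of the three exchanges a scanner like this is reacting to is to have openssl s_client negotiate each exchange type against your own Tomcat and read back the key size it reports. The script below is an added example, not code from the list thread, Tomcat or Qualys; it assumes the output format of OpenSSL 1.0.2 or newer on stdin and applies the minimums quoted in the question (RSA/DHE 2048 bits, ECDHE P-256). The sample outputs at the bottom are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the list thread, not Tomcat/Qualys code):
# classify the key exchange negotiated by `openssl s_client` against the
# minimums quoted in the question: RSA/DHE >= 2048 bits, ECDHE >= P-256.
# Assumes the output format of OpenSSL 1.0.2 or newer, read from stdin:
#   openssl s_client -connect HOST:443 -cipher DHE </dev/null 2>/dev/null | kx_check
# Use -cipher DHE, -cipher ECDHE and -cipher kRSA to force each type in turn.

# Print "<kind> <bits>" for the negotiated exchange. Ephemeral exchanges
# print a "Server Temp Key:" line; plain RSA key exchange has none, so its
# strength is the certificate's public key size.
kx_summary() {
    awk '
        /^Server Temp Key:/ {
            # "Server Temp Key: DH, 2048 bits"
            # "Server Temp Key: ECDH, prime256v1, 256 bits"
            # "Server Temp Key: X25519, 253 bits"
            n = split($0, f, /[:,] */)
            kind = f[2]; bits = f[n]; sub(/ bits$/, "", bits)
            print kind, bits; found = 1; exit
        }
        /^Server public key is/ { pub = $5 }   # "Server public key is 2048 bit"
        END { if (!found) print "RSA", (pub == "" ? 0 : pub) }
    '
}

# Print the verdict and exit 0 (OK) or 1 (WEAK) against the page's minimums.
kx_check() {
    summary=$(kx_summary)
    kind=${summary%% *}
    bits=${summary#* }
    case "$kind" in
        DH|RSA) min=2048 ;;
        ECDH)   min=256 ;;   # P-256 is the smallest curve accepted above
        X25519) min=253 ;;   # same security level as P-256
        X448)   min=448 ;;
        *) echo "UNKNOWN key exchange: $summary"; return 2 ;;
    esac
    if [ "$bits" -ge "$min" ]; then
        echo "OK $kind $bits bits (minimum $min)"
        return 0
    fi
    echo "WEAK $kind $bits bits (minimum $min)"
    return 1
}

# Constructed samples in the shape openssl s_client prints (not real captures).
SAMPLE_WEAK_DH='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'
SAMPLE_OK_EC='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: ECDH, prime256v1, 256 bits'
SAMPLE_WEAK_RSA='New, TLSv1.2, Cipher is AES128-SHA
Server public key is 1024 bit'

for s in "$SAMPLE_WEAK_DH" "$SAMPLE_OK_EC" "$SAMPLE_WEAK_RSA"; do
    printf '%s\n' "$s" | kx_check || true
done
```

A WEAK verdict with -cipher DHE points at the JSSE ephemeral DH parameters, with -cipher kRSA at the key size in the keystore, and with -cipher ECDHE at the curve; the sample run above reports the first and third as WEAK and the second as OK.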
Re: Publishing Tomcat webapp
No because it assumes Let's Encrypt can work on your platform and it assumes you are using docker. Whereas the method I posted is the canonical method that requires nothing but running tomcat (the JRE has all the tools you want in it)

On Mon, Jul 18, 2022 at 9:18 AM Martynas Jusevičius wrote:
>
> Hi,
>
> Wouldn’t this setup be easier to deploy as a Docker container?
> We have an image with SSL server cert support:
> https://github.com/AtomGraph/letsencrypt-tomcat

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
AW: Publishing Tomcat webapp
Hello,

> -----Original Message-----
> From: Jasmin Ćatić
> Sent: Monday, 18 July 2022 14:12
> To: Tomcat Users List
> Subject: Re: Publishing Tomcat webapp
>
> Now I have another setback.
> I have my tomcat running on the domain name www.mydomain.com and I
> have an SSL certificate on this domain (CA_BUNDLE, Certificate and Key) in
> my CPanel.
> How to configure Tomcat to use this SSL and HTTPS protocol.
>
> Thanks again for your help

The configuration in detail depends on the Tomcat version you are using.
In principle, you have to add a connector element within the server.xml.
For tomcat 9 e.g.: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
The connector element has attributes for the private and public key (and intermediates).

After configuration I recommend to check SSL configuration via SSL-Labs, they offer an online-check.
Re: Publishing Tomcat webapp
Hi,

Wouldn’t this setup be easier to deploy as a Docker container?
We have an image with SSL server cert support:
https://github.com/AtomGraph/letsencrypt-tomcat

On Mon, 18 Jul 2022 at 16.09, Aryeh Friedman wrote:
> Here are the steps to installing a SSL cert (it varies slightly based
> on who your certificate authority [CA] is):
>
> Generate a CSR with keytool (it must be keytool despite what the
> tomcat docs say since for whatever reason it refuses to import from
> any other SSL tool):
>
>     keytool -keystore clientkeystore -genkey -alias mykey
>
> Submit the above to your CA (they will give you directions on how to
> submit it) and have them issue a signed cert for it.
>
> The signed cert usually comes with some intermediate files (this is
> the part that varies by CA) which you have to apply in order to the
> keystore (the following is the set of files I use):
>
>     keytool -noprompt -importcert -alias AAACertificateServices -file AAACertificateServices.crt -keystore sslStore
>
>     keytool -importcert -trustcacerts -keystore sslStore -file USERTrustRSCA.crt -alias USERTrustRSCA
>
>     keytool -importcert -trustcacerts -keystore sslStore -file /SectigoRSAOrganizationValidationSecureServerCA.crt -alias SectigoRSAOrganizationValidationSecureServerCA
>
>     keytool -importcert -trustcacerts -alias mykey (this *MUST* match the alias of the CSR you submitted to the CA) -file 1008013344repl_2.crt -keystore sslStore
>
> Modify the tomcat server.xml to uncomment the right https line in
> the config and tell it where to find the sslStore (some OS's force you
> to put it in $TOMCAT_HOME)... for example I do the following:
>
>     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>                port="443" maxThreads="200"
>                scheme="https" secure="true" SSLEnabled="true"
>                keystoreFile="/usr/local/apache-tomcat-9.0/keystore"
>                keystorePass="mySuperSecretPassword"
>                clientAuth="false" sslProtocol="TLS"
>                sslEnabledProtocols="TLSv1.2"/>
>
> Restart tomcat and you should have SSL now if you go to https. If you
> were on port 8080 you will likely want to put in 8443 not 443.
>
> References:
> https://docs.oracle.com/cd/E19509-01/820-3503/ggezu/index.html
>
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: Publishing Tomcat webapp
Here are the steps to installing a SSL cert (it varies slightly based on who your certificate authority [CA] is):

Generate a CSR with keytool (it must be keytool despite what the tomcat docs say since for whatever reason it refuses to import from any other SSL tool):

    keytool -keystore clientkeystore -genkey -alias mykey

Submit the above to your CA (they will give you directions on how to submit it) and have them issue a signed cert for it.

The signed cert usually comes with some intermediate files (this is the part that varies by CA) which you have to apply in order to the keystore (the following is the set of files I use):

    keytool -noprompt -importcert -alias AAACertificateServices -file AAACertificateServices.crt -keystore sslStore

    keytool -importcert -trustcacerts -keystore sslStore -file USERTrustRSCA.crt -alias USERTrustRSCA

    keytool -importcert -trustcacerts -keystore sslStore -file /SectigoRSAOrganizationValidationSecureServerCA.crt -alias SectigoRSAOrganizationValidationSecureServerCA

    keytool -importcert -trustcacerts -alias mykey (this *MUST* match the alias of the CSR you submitted to the CA) -file 1008013344repl_2.crt -keystore sslStore

Modify the tomcat server.xml to uncomment the right https line in the config and tell it where to find the sslStore (some OS's force you to put it in $TOMCAT_HOME)... for example I do the following:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/usr/local/apache-tomcat-9.0/keystore"
               keystorePass="mySuperSecretPassword"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"/>

Restart tomcat and you should have SSL now if you go to https. If you were on port 8080 you will likely want to put in 8443 not 443.

References:
https://docs.oracle.com/cd/E19509-01/820-3503/ggezu/index.html

On Mon, Jul 18, 2022 at 8:11 AM Jasmin Ćatić wrote:
>
> Now I have another setback.
> I have my tomcat running on the domain name www.mydomain.com and I have an
> SSL certificate on this domain (CA_BUNDLE, Certificate and Key) in my
> CPanel.
> How to configure Tomcat to use this SSL and HTTPS protocol.
>
> Thanks again for your help

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
Re: Publishing Tomcat webapp
Now I have another setback.
I have my tomcat running on the domain name www.mydomain.com and I have an SSL certificate on this domain (CA_BUNDLE, Certificate and Key) in my CPanel.
How to configure Tomcat to use this SSL and HTTPS protocol.

Thanks again for your help

On Mon, 18 Jul 2022 at 08:24, Jasmin Ćatić wrote:
> Thank you very much. I have done it successfully.
> Best regards
> JC
Re: Publishing Tomcat webapp
Thank you very much. I have done it successfully.
Best regards
JC

On Sun, 17 Jul 2022 at 09:08, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Hello,
>
> > -----Original Message-----
> > From: Aryeh Friedman
> > Sent: Sunday, 17 July 2022 08:43
> > To: Tomcat Users List
> > Subject: Re: Publishing Tomcat webapp
> >
> > On Sun, Jul 17, 2022 at 2:39 AM Aryeh Friedman wrote:
> > > Once you have it pointing to that domain just upload the war file to
> > > it and give people the link.
> >
> > Small wording correction... I mean upload the war file as being a part
> > of the webapp and/or a part of an other webapp you have for downloading...
> > take a look at the download section of the site I list in my signature.
> >
> > --
> > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
>
> Usually you need 2 things:
> 1) A webserver or webspace. This includes a public IP address
> 2) A domain. You can buy it online.
>
> When you own a domain, you have access to the DNS settings. Create an
> A-Record with the domain-name and point it to the IP address of your server.
> If an A-record already exists, modify it to point to the IP address of
> the server.
>
> Install tomcat on the webserver and install your web-application.
> Tomcat listens per default on all ports, so no special configuration
> needed (only if you host multiple domains on that server).