Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-20 Thread Mark Thomas
On 19/07/2020 13:55, Christopher Schultz wrote:
> Mark,
> 
> On 7/18/20 10:01, Mark Thomas wrote:
>> On 17/07/2020 21:47, James H. H. Lampert wrote:
>>> Running two connectors seems to work just fine, but I'm having
>>> trouble getting one of them to only take TLS 1.2
>>>
>>> In reply to my query:
>>>
> Given all this, is it possible to (1) have Tomcat listen on
> two separate HTTPS ports, and (2) have one of the ports
> require TLS 1.2, but the other accept something our AS/400
> can use?
>>>
>>> On 7/17/20 10:03 AM, Mark Thomas wrote:
>>>
 Yes. You need two Connector elements specifying different ports
 and different protocols. They should be able to use the same
 certificate configuration.
>>>
>>> I just ran a test on our development Amazon EC2 instance, and
>>> verified that I could listen on two different ports (existing
>>> 8443 and now 7443), and I limited (or so I thought) 8443 (to
>>> which I have 443 rerouted through iptables) to TLS 1.2.
>>>
>>> Except that SSLLabs tells me it's still accepting TLS 1.0 and
>>> 1.1!
>>>
>>> I commented out the connector for 8443 and restarted Tomcat, but
>>> it's still giving the same report from SSLLabs.
>>>
>>> The connector for 8443 in server.xml looks like this (lines
>>> truncated):
 >>> protocol="org.apache.coyote.http1$ compression="on"
 compressionMinSize="2048" noCompressionUserAgents="goz$
 maxThreads="1000" socket.appReadBufSize="1024" socket.app$
 keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
 clientAuth="false" sslProtocol="TLSv1.2" />
>>>
>>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the
>>> Tomcat 7 installation on our most security-conscious customer's
>>> AS/400; this Tomcat is 8.5. Am I specifying it wrong?
> 
>> I should probably remind myself why this is the way this is.
> 
>> You want:
> 
>> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
> 
>> And to answer my question above, because that is the way the JSSE
>> API has been written.
> 
> We should probably just merge these into a single attribute and "do
> the right thing":
> 
> 1. If not specified, do nothing unusual
> 2. If the value includes a ",", use it for sslEnabledProtocols, use
> "TLS" as sslProtocol
> 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Seems reasonable.

> Practically speaking, the only useful value for sslProtocol today is
> "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
> sslEnabledProtocols to TLSv1.2 but using the same value for both has
> the same effect, of course.
> 
> In the future, if anything other than "TLS" makes sense for
> sslProtocol, we can change Tomcat to support that.
> 
> We should also probably have SSLEnabled="true" be the default if any
> TLS-related configuration option is used on a connector.

That might catch a few folks by surprise but it does seem reasonable.

I think there is scope in Tomcat 10 to clean up the TLS configuration a
little more. We have a couple of months until Jakarta EE 9 is released
so there is time to improve this.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-20 Thread James H. H. Lampert

Mark Thomas and Christopher Schultz wrote:


You want:

sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"

And to answer my question above, because that is the way the JSSE
API has been written.


We should probably just merge these into a single attribute and "do
the right thing":

1. If not specified, do nothing unusual
2. If the value includes a ",", use it for sslEnabledProtocols, use
"TLS" as sslProtocol
3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Practically speaking, the only useful value for sslProtocol today is
"TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
sslEnabledProtocols to TLSv1.2 but using the same value for both has
the same effect, of course.

In the future, if anything other than "TLS" makes sense for
sslProtocol, we can change Tomcat to support that.

We should also probably have SSLEnabled="true" be the default if any
TLS-related configuration option is used on a connector.

WDYT?


Well, I think (from direct experience) that for Tomcat 7 running on an 
AS/400, "merge these into a single attribute and 'do the right thing'" 
*is* how it works, so the entirety of Christopher's suggestion makes 
perfect sense to me.


At any rate, thanks to both of you; it works.

Although it does raise the question of whether the observed behavior in 
Tomcat 7 on an AS/400 is a Tomcat 7 thing or an AS/400 thing.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-19 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 7/18/20 10:01, Mark Thomas wrote:
> On 17/07/2020 21:47, James H. H. Lampert wrote:
>> Running two connectors seems to work just fine, but I'm having
>> trouble getting one of them to only take TLS 1.2
>>
>> In reply to my query:
>>
 Given all this, is it possible to (1) have Tomcat listen on
 two separate HTTPS ports, and (2) have one of the ports
 require TLS 1.2, but the other accept something our AS/400
 can use?
>>
>> On 7/17/20 10:03 AM, Mark Thomas wrote:
>>
>>> Yes. You need two Connector elements specifying different ports
>>> and different protocols. They should be able to use the same
>>> certificate configuration.
>>
>> I just ran a test on our development Amazon EC2 instance, and
>> verified that I could listen on two different ports (existing
>> 8443 and now 7443), and I limited (or so I thought) 8443 (to
>> which I have 443 rerouted through iptables) to TLS 1.2.
>>
>> Except that SSLLabs tells me it's still accepting TLS 1.0 and
>> 1.1!
>>
>> I commented out the connector for 8443 and restarted Tomcat, but
>> it's still giving the same report from SSLLabs.
>>
>> The connector for 8443 in server.xml looks like this (lines
>> truncated):
>>> >> protocol="org.apache.coyote.http1$ compression="on"
>>> compressionMinSize="2048" noCompressionUserAgents="goz$
>>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>> clientAuth="false" sslProtocol="TLSv1.2" />
>>
>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the
>> Tomcat 7 installation on our most security-conscious customer's
>> AS/400; this Tomcat is 8.5. Am I specifying it wrong?
>
> I should probably remind myself why this is the way this is.
>
> You want:
>
> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
>
> And to answer my question above, because that is the way the JSSE
> API has been written.

We should probably just merge these into a single attribute and "do
the right thing":

1. If not specified, do nothing unusual
2. If the value includes a ",", use it for sslEnabledProtocols, use
"TLS" as sslProtocol
3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Practically speaking, the only useful value for sslProtocol today is
"TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
sslEnabledProtocols to TLSv1.2 but using the same value for both has
the same effect, of course.

In the future, if anything other than "TLS" makes sense for
sslProtocol, we can change Tomcat to support that.

We should also probably have SSLEnabled="true" be the default if any
TLS-related configuration option is used on a connector.

WDYT?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl8UQsgACgkQHPApP6U8
pFhGag/+IjZWCK1XSHsUr51tmTAz9JmK2eIabQsf7fIM3pmjXBCKJqYcsEd6tR//
cDAgV/mjA6BRXVpl3D4kCsmp8w8yCghirWXYRj4Qs6aKp3a6KgRsQyB7eDnClfQ0
0ic5pjsd699t1vcBxvwC59drs8HCnzDoEfJu91RyYcMl1s/2UiVG8Fg0k4ztw+GQ
abhgdmJILtIe0H8q8t5tOverjAnUXJhfoc0Nxd1FaLFRNHQKS80O9vlXODzz0ngE
wDDppmbEI5fcnK1YTp/qJYEQ2Bdn3zvOywWvLeZQYmBEuh0x4wLOQsjFJgwt45uT
3ocIuHAtbqWQOXZ//WzPof91CAIMOPV8nZdBtH5op5RJJpu5dPvnKS73MD/8WZWJ
v+YBl9AIrrW/2r+U+h8XfrFpsUNGFwG4pNTE4CtkUdoR+hkcgcX2vSI8zG0OyTuu
cwoMcVQsMQPhnMNLIpR/Y+lBce8hf2U8m6Bs5To8EWTclzlY7UuU75vC6SUdP3fv
2ULHtivG9xOiSEX635eiVpQ2U/1vQjH5KugpsdJ1AoiaDUFF+qDFa5fSiqYeBw8z
PCuDCyJW89BzCjnbzQH6PKuXE4iRPudsJJ+5fplWwKai3vboR3JX5vUlzczuUfqg
FpaOHtHEQ08N7y2NB9KzFe0AdbH8iJ9CY1gwahXgDQ9bQgO9nsY=
=qmvC
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-18 Thread Mark Thomas
On 17/07/2020 21:47, James H. H. Lampert wrote:
> Running two connectors seems to work just fine, but I'm having trouble
> getting one of them to only take TLS 1.2
> 
> In reply to my query:
> 
>>> Given all this, is it possible to (1) have Tomcat listen on two separate
>>> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
>>> other accept something our AS/400 can use?
> 
> On 7/17/20 10:03 AM, Mark Thomas wrote:
> 
>> Yes. You need two Connector elements specifying different ports and
>> different protocols. They should be able to use the same certificate
>> configuration.
> 
> I just ran a test on our development Amazon EC2 instance, and verified
> that I could listen on two different ports (existing 8443 and now 7443),
> and I limited (or so I thought) 8443 (to which I have 443 rerouted
> through iptables) to TLS 1.2.
> 
> Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!
> 
> I commented out the connector for 8443 and restarted Tomcat, but it's
> still giving the same report from SSLLabs.
> 
> The connector for 8443 in server.xml looks like this (lines truncated):
>> >    keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>    clientAuth="false" sslProtocol="TLSv1.2" />
> 
> The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7
> installation on our most security-conscious customer's AS/400; this
> Tomcat is 8.5. Am I specifying it wrong?

I should probably remind myself why this is the way this is.

You want:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"

And to answer my question above, because that is the way the JSSE API
has been written.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert

On 7/17/20 2:36 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

This looks like a cipher, not an alias

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


As I said, of course it's a cipher. I said up front that the lines were 
truncated, in order to fit in an email.


I can't imagine why seeing the whole connector would make a difference, 
but if anybody wants to see it un-truncated, (albeit with the same 
redactions), it's now also on ServerFault, at

  https://serverfault.com/q/1025706/498231?sem=2

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert

On 7/17/20 2:36 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

This looks like a cipher, not an alias

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


It is. The lines are truncated at 72 characters for the email.

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread jonmcalexander
This looks like a cipher, not an alias

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-Original Message-
From: James H. H. Lampert  
Sent: Friday, July 17, 2020 3:47 PM
To: Tomcat Users List 
Subject: Problem with protocols, Re: SSL/TLS issue: can we listen on more than 
one secured port, with different protocols enabled?

Running two connectors seems to work just fine, but I'm having trouble getting 
one of them to only take TLS 1.2

In reply to my query:

>> Given all this, is it possible to (1) have Tomcat listen on two 
>> separate HTTPS ports, and (2) have one of the ports require TLS 1.2, 
>> but the other accept something our AS/400 can use?

On 7/17/20 10:03 AM, Mark Thomas wrote:

> Yes. You need two Connector elements specifying different ports and 
> different protocols. They should be able to use the same certificate 
> configuration.

I just ran a test on our development Amazon EC2 instance, and verified that I 
could listen on two different ports (existing 8443 and now 7443), and I limited 
(or so I thought) 8443 (to which I have 443 rerouted through iptables) to TLS 
1.2.

Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!

I commented out the connector for 8443 and restarted Tomcat, but it's still 
giving the same report from SSLLabs.

The connector for 8443 in server.xml looks like this (lines truncated):
>  protocol="org.apache.coyote.http1$
>  compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
>maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>clientAuth="false" sslProtocol="TLSv1.2" />

The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 
installation on our most security-conscious customer's AS/400; this Tomcat is 
8.5. Am I specifying it wrong?

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert
Running two connectors seems to work just fine, but I'm having trouble 
getting one of them to only take TLS 1.2


In reply to my query:


Given all this, is it possible to (1) have Tomcat listen on two separate
HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
other accept something our AS/400 can use?


On 7/17/20 10:03 AM, Mark Thomas wrote:


Yes. You need two Connector elements specifying different ports and
different protocols. They should be able to use the same certificate
configuration.


I just ran a test on our development Amazon EC2 instance, and verified 
that I could listen on two different ports (existing 8443 and now 7443), 
and I limited (or so I thought) 8443 (to which I have 443 rerouted 
through iptables) to TLS 1.2.


Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!

I commented out the connector for 8443 and restarted Tomcat, but it's 
still giving the same report from SSLLabs.


The connector for 8443 in server.xml looks like this (lines truncated):




The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 
installation on our most security-conscious customer's AS/400; this 
Tomcat is 8.5. Am I specifying it wrong?


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread jonmcalexander
It works quite well.

Sorry for the top post, I only have outlook and it sucks in this respect.


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-Original Message-
From: Mark Thomas  
Sent: Friday, July 17, 2020 12:03 PM
To: users@tomcat.apache.org
Subject: Re: SSL/TLS issue: can we listen on more than one secured port, with 
different protocols enabled?

On 17/07/2020 17:55, James H. H. Lampert wrote:
> I've got an issue here.
> 
> On the one hand, we have a Tomcat server running on Amazon (in a 
> Beanstalk cluster). And we have an AS/400 running an old enough OS 
> that, so far as I'm aware, cannot be configured to use TLS 1.2 at the 
> current OS release level. And that AS/400 needs to access that Tomcat 
> server (which it does, using Scott Klement's open source HTTPAPI 
> product, which has become pretty much an industry standard for the purpose).
> 
> And on the other hand, we are getting a security report from SSLLabs, 
> telling us that our security rating is capped at "B" because we allow 
> TLS 1.0 and 1.1.
> 
> BUT, our entire office is on a static IP address, and we already know 
> how to open a port on our Amazon firewall to only accept traffic from 
> our office IP.
> 
> Given all this, is it possible to (1) have Tomcat listen on two 
> separate HTTPS ports, and (2) have one of the ports require TLS 1.2, 
> but the other accept something our AS/400 can use?

Yes. You need two Connector elements specifying different ports and different 
protocols. They should be able to use the same certificate configuration.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread Mark Thomas
On 17/07/2020 17:55, James H. H. Lampert wrote:
> I've got an issue here.
> 
> On the one hand, we have a Tomcat server running on Amazon (in a
> Beanstalk cluster). And we have an AS/400 running an old enough OS that,
> so far as I'm aware, cannot be configured to use TLS 1.2 at the current
> OS release level. And that AS/400 needs to access that Tomcat server
> (which it does, using Scott Klement's open source HTTPAPI product, which
> has become pretty much an industry standard for the purpose).
> 
> And on the other hand, we are getting a security report from SSLLabs,
> telling us that our security rating is capped at "B" because we allow
> TLS 1.0 and 1.1.
> 
> BUT, our entire office is on a static IP address, and we already know
> how to open a port on our Amazon firewall to only accept traffic from
> our office IP.
> 
> Given all this, is it possible to (1) have Tomcat listen on two separate
> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
> other accept something our AS/400 can use?

Yes. You need two Connector elements specifying different ports and
different protocols. They should be able to use the same certificate
configuration.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

2020-07-17 Thread James H. H. Lampert

I've got an issue here.

On the one hand, we have a Tomcat server running on Amazon (in a 
Beanstalk cluster). And we have an AS/400 running an old enough OS that, 
so far as I'm aware, cannot be configured to use TLS 1.2 at the current 
OS release level. And that AS/400 needs to access that Tomcat server 
(which it does, using Scott Klement's open source HTTPAPI product, which 
has become pretty much an industry standard for the purpose).


And on the other hand, we are getting a security report from SSLLabs, 
telling us that our security rating is capped at "B" because we allow 
TLS 1.0 and 1.1.


BUT, our entire office is on a static IP address, and we already know 
how to open a port on our Amazon firewall to only accept traffic from 
our office IP.


Given all this, is it possible to (1) have Tomcat listen on two separate 
HTTPS ports, and (2) have one of the ports require TLS 1.2, but the 
other accept something our AS/400 can use?


--
James H. H. Lampert

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org