James,
On 10/14/14 2:16 PM, James Drews wrote:
> Hi, I have a question that may be a bug, or I'm just not doing
> something right (I'll happily believe either).
>
> Configuration: Tomcat 6.0 running on Windows Server
> The tcnative-1.dll is the latest from the download site
> http://tomcat.apache.org/download-native.cgi
>
> Item #1
>
> In our tomcat server.xml config, we have:
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> <Connector port="443"
>   protocol="org.apache.coyote.http11.Http11AprProtocol"
>   maxHttpHeaderSize="8192" scheme="https" secure="true"
>   SSLEnabled="true" SSLDisableCompression="true"
>   SSLHonorCipherOrder="true" SSLProtocol="TLSv1+SSLv3"
>   SSLCertificateFile="certificate.crt"
>   SSLCertificateKeyFile="certificate.key"
>   SSLCertificateChainFile="chain.crt"
>   SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL"
> />
>
> The issue here is tomcat is only binding to the IPv4 (0.0.0.0)
> address, and not binding to the IPv6 on the box. If I add an
> address="0.0.0.0"
>
> and then duplicate this connector and replace the address option
> with: address="::"
>
> It binds to both IPv4 and IPv6 as expected. However, tomcat will
> no longer stop when you try to stop the windows service. I have to
> kill the process to get it to stop. If I only have one or the
> other of the two connectors present, it will stop as expected.
>
> Also of note, if I used:
> protocol="org.apache.coyote.http11.Http11Protocol"
>
> instead, it would bind to both IPv4 and IPv6 as expected when no
> address option is specified (but that method won't take some of the
> options we want to have set).

Check the archives; I seem to recall some oddities when it comes to APR's use of network interfaces.
> Issue #2
>
> We would like to have it use: SSLProtocol="TLSv1" but when you have
> just that as the option, it will only talk TLS v1.0, not TLSv1.1 or
> TLSv1.2. Looking briefly at the source code, it looks like you only
> have the option to specify a combination of TLSv1, SSLv2 and SSLv3.
> If we use the option as specified above (TLSv1+SSLv3), it will do
> all three TLS versions and SSLv3.
>
> Is there a way to get it to do TLS and all three versions of it?

https://issues.apache.org/bugzilla/show_bug.cgi?id=53952

Unfortunately, TLSv1.1 and TLSv1.2 will not be supported until you have both tcnative 1.1.32 and a Tomcat version that supports the changes. There is not yet a patch for Tomcat 6 for this, while patches have been committed for Tomcat 7 and Tomcat 8. I'm working on a Tomcat 6 patch.

> Also, with SSLv2 not specified, it will still accept that
> protocol, but in the end will fail because no encryption methods
> for it are enabled. Is there a way to have it refuse to talk SSLv2
> from the start?

Usually, SSLv2Hello is used to allow an SSLv2 connection to be established. This is generally safe (well, until we all decided that SSLv3 was rubbish).

Once the above updates are released, you will be able to select the exact set of protocols you want. You should be able to specify SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" and get all the TLSs and no SSLs. (Also, the definition for "all" has been updated to be "all TLSs and no SSLs", so you could use that, too.)
-chris
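As an added example (not code from the thread or from Tomcat), the following Python audit walks a server.xml and flags the two things discussed above: SSLProtocol values that enable SSLv2/SSLv3 (or "all", which on tcnative before 1.1.32 still included SSLv3), and two SSL connectors sharing one port, the IPv4/IPv6 split that left the Windows service unable to stop. The sample XML is constructed from the quoted config with certificate and cipher attributes dropped; `audit_connectors` and the finding strings are this example's own names.

```python
"""Audit SSL-enabled APR connectors in a Tomcat server.xml for the issues raised in this thread."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config quoted above; certificate and cipher
# attributes are omitted because they do not affect these checks.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" address="0.0.0.0"
      protocol="org.apache.coyote.http11.Http11AprProtocol"
      SSLEnabled="true" SSLProtocol="TLSv1+SSLv3"
      SSLHonorCipherOrder="true" SSLDisableCompression="true"/>
    <Connector port="443" address="::"
      protocol="org.apache.coyote.http11.Http11AprProtocol"
      SSLEnabled="true" SSLProtocol="TLSv1+SSLv3"
      SSLHonorCipherOrder="true" SSLDisableCompression="true"/>
  </Service>
</Server>"""

LEGACY_SSL_TOKENS = {"SSLv2", "SSLv3"}


def audit_connectors(xml_text):
    """Return (port, address, finding) tuples for every SSL-enabled connector."""
    findings = []
    seen_ports = {}  # port -> first address bound on it
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        address = conn.get("address", "0.0.0.0")
        # SSLProtocol is a '+'-joined list; the APR connector defaults to "all" when unset.
        tokens = set(conn.get("SSLProtocol", "all").split("+"))
        for tok in sorted(tokens & LEGACY_SSL_TOKENS):
            findings.append((port, address, f"enables {tok}"))
        if "all" in tokens:
            # Before tcnative 1.1.32 "all" still included SSLv3 (the thread notes it was redefined).
            findings.append((port, address, "uses 'all', which includes SSLv3 on older tcnative"))
        if port in seen_ports:
            # Two connectors on one port (the IPv4 + IPv6 split) is the pattern
            # that left the Windows service unable to stop in the report above.
            findings.append((port, address, f"second connector on port {port} (first bound {seen_ports[port]})"))
        seen_ports.setdefault(port, address)
        if conn.get("SSLHonorCipherOrder", "false").lower() != "true":
            findings.append((port, address, "SSLHonorCipherOrder not enabled"))
    return findings


if __name__ == "__main__":
    for port, address, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port} address {address}: {finding}")
```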