On 4/6/2015 2:11 AM, Ognjen Blagojevic wrote:
Tom,

On 5.4.2015 3:06, Tom Williamson wrote:
I would like to know if anyone has a working example of getting TLS 1.2
working on Tomcat 7.0.55, so that it can be accessed by the latest
version of Chrome and Firefox.

Which version of Java do you use? Make sure it is Java 7 or 8, and if you haven't already upgraded, then upgrade to the latest released version.

Could you clarify whether you need TLSv1.2 only, or TLSv1.2 among other TLS versions (v1 and v1.1)?


<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLS" />

By specifying protocol="HTTP/1.1" you are using connector auto-detection. Depending on the existence of the Tomcat native DLL, Tomcat will automatically select between the APR connector and the JSSE connector. Those two connectors have completely different sets of options. The options you are using (keystoreFile, keystorePass) clearly indicate that you wish to use the JSSE connector. Therefore, to rule out present and future auto-detection problems, I would recommend that you explicitly specify the connector you wish to use. E.g. for the JSSE BIO connector that would be:

  protocol="org.apache.coyote.http11.Http11Protocol"


Next, sslEnabledProtocols should specify exact TLS versions, so if you need only TLSv1.2 use:

  sslEnabledProtocols="TLSv1.2"

and if you need e.g. all three versions, then omit attribute sslEnabledProtocols, or use:

  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"


So far based on the Tomcat 7.0 docs, I have tried the following
configuration changes:

sslEnabledProtocols="TLS"
sslEnabledProtocols="TLSv1"
sslEnabledProtocols="TLSv1.1"
sslEnabledProtocols="TLSv1.2"
sslEnabledProtocols="TLSv1.1,TLSv1.2"

Except for the first one, all the other examples should work.


With most of these, I don't get any error in the console (I have logging
set to ALL), but I also have not been able to get either Chrome or
Firefox to connect.

I have also tried various combinations of "sslProtocols=" and "cipher=",
also with no luck.

Can anyone post a sample <connector> configuration that works?

Try this:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />

BTW, the attribute name is "ciphers", not "cipher".

-Ognjen
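As an added check (example code, not part of the thread or of Tomcat), a small Python lint for the points raised above: a connector left on protocol="HTTP/1.1" auto-detection while carrying JSSE-only attributes, sslEnabledProtocols values that are not exact TLS version names, and the "cipher" vs "ciphers" attribute spelling. The two sample connectors are constructed from the ones quoted in the thread; the cipher attribute value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the original question, plus the
# misspelled "cipher" attribute the reply mentions (value is a placeholder).
SAMPLE_BEFORE = '''<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLS" cipher="PLACEHOLDER" />'''

# Constructed sample: the corrected connector from the reply.
SAMPLE_AFTER = '''<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" keystoreFile="/path/mykeystore"
           keystorePass="password" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />'''

# Exact version names accepted in sslEnabledProtocols (from the thread).
TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
# Attributes that only make sense for the JSSE connector.
JSSE_ONLY_ATTRS = ("keystoreFile", "keystorePass")

def check_connector(xml_text):
    """Return a list of findings for one <Connector> element (empty if clean)."""
    conn = ET.fromstring(xml_text)
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing TLS-related to check
    if conn.get("protocol", "HTTP/1.1") == "HTTP/1.1" and any(
            a in conn.attrib for a in JSSE_ONLY_ATTRS):
        findings.append("auto-detected connector with JSSE-only attributes; set "
                        'protocol="org.apache.coyote.http11.Http11Protocol"')
    enabled = conn.get("sslEnabledProtocols")
    if enabled is not None:
        for name in (p.strip() for p in enabled.split(",")):
            if name not in TLS_VERSIONS:
                findings.append(f"sslEnabledProtocols value {name!r} is not an "
                                "exact TLS version (e.g. TLSv1.2)")
    if "cipher" in conn.attrib:
        findings.append('the attribute is named "ciphers", not "cipher"')
    return findings

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_connector(sample) or ["OK"])
```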



Nicely done!

-Terence Bandoian

