Mark,

On 7/18/20 10:01, Mark Thomas wrote:
> On 17/07/2020 21:47, James H. H. Lampert wrote:
>> Running two connectors seems to work just fine, but I'm having
>> trouble getting one of them to only take TLS 1.2
>>
>> In reply to my query:
>>
>>>> Given all this, is it possible to (1) have Tomcat listen on
>>>> two separate HTTPS ports, and (2) have one of the ports
>>>> require TLS 1.2, but the other accept something our AS/400
>>>> can use?
>>
>> On 7/17/20 10:03 AM, Mark Thomas wrote:
>>
>>> Yes. You need two Connector elements specifying different ports
>>> and different protocols. They should be able to use the same
>>> certificate configuration.
>>
>> I just ran a test on our development Amazon EC2 instance, and
>> verified that I could listen on two different ports (existing
>> 8443 and now 7443), and I limited (or so I thought) 8443 (to
>> which I have 443 rerouted through iptables) to TLS 1.2.
>>
>> Except that SSLLabs tells me it's still accepting TLS 1.0 and
>> 1.1!
>>
>> I commented out the connector for 8443 and restarted Tomcat, but
>> it's still giving the same report from SSLLabs.
>>
>> The connector for 8443 in server.xml looks like this (lines
>> truncated):
>>> <Connector port="8443" proxyPort="443"
>>> protocol="org.apache.coyote.http1$ compression="on"
>>> compressionMinSize="2048" noCompressionUserAgents="goz$
>>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>> clientAuth="false" sslProtocol="TLSv1.2" />
>>
>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the
>> Tomcat 7 installation on our most security-conscious customer's
>> AS/400; this Tomcat is 8.5. Am I specifying it wrong?
>
> I should probably remind myself why this is the way this is.
>
> You want:
>
> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
>
> And to answer my question above, because that is the way the JSSE
> API has been written.

We should probably just merge these into a single attribute and "do
the right thing":

1. If not specified, do nothing unusual
2. If the value includes a ",", use it for sslEnabledProtocols, use
"TLS" as sslProtocol
3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Practically speaking, the only useful value for sslProtocol today is
"TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
sslEnabledProtocols to TLSv1.2 but using the same value for both has
the same effect, of course.

In the future, if anything other than "TLS" makes sense for
sslProtocol, we can change Tomcat to support that.

We should also probably have SSLEnabled="true" be the default if any
TLS-related configuration option is used on a connector.

WDYT?

-chris
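The check a practitioner would want after the exchange above, as an added example that is not part of the thread and not Tomcat's own code: a small POSIX shell script that forces each TLS version against a host:port with the openssl CLI and reports whether the connector accepted it, so the effect of `sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"` can be confirmed locally rather than via SSLLabs. It assumes openssl 1.0.2 or later (for the `-tls1_1`/`-tls1_2` options) and uses a placeholder host name, not the poster's redacted one; the sample openssl outputs embedded at the end are constructed and abridged, for checking the parser offline.

```shell
#!/bin/sh
# Added example (not from the thread, not Tomcat code): probe which TLS
# versions an HTTPS connector accepts. Assumes the openssl CLI is installed
# (1.0.2+ for -tls1_1/-tls1_2); "dev.example.net" is a placeholder host.

# negotiated_version OUTPUT: print the version named in the
# "New, <ver>, Cipher is <suite>" line of `openssl s_client` output, or
# nothing for a failed handshake, which prints "New, (NONE), Cipher is (NONE)".
negotiated_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' \
        | grep -v '^(NONE)$' \
        | head -n 1
}

# handshake_ok OUTPUT: exit 0 when the output shows a completed handshake.
handshake_ok() {
    [ -n "$(negotiated_version "$1")" ]
}

# client_unsupported OUTPUT: exit 0 when the failure is the local openssl
# refusing to speak the requested version (e.g. TLS 1.0 compiled out), which
# must not be reported as the server rejecting it.
client_unsupported() {
    printf '%s\n' "$1" | grep -Eqi 'unknown option|no protocols available'
}

# probe_tls HOST PORT: force each version in turn and report the result.
probe_tls() {
    host=$1
    port=$2
    for flag in tls1 tls1_1 tls1_2; do
        # openssl exits non-zero on a refused version; "|| true" keeps the
        # loop going under "set -e".
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -"$flag" </dev/null 2>&1) || true
        if handshake_ok "$out"; then
            printf '%-7s accepted (%s)\n' "$flag" "$(negotiated_version "$out")"
        elif client_unsupported "$out"; then
            printf '%-7s untested (local openssl cannot speak it)\n' "$flag"
        else
            printf '%-7s rejected\n' "$flag"
        fi
    done
}

# Constructed, abridged sample outputs for checking the parser offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---'
SAMPLE_FAIL='CONNECTED(00000003)
error:...:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:...
---
New, (NONE), Cipher is (NONE)
---'

# Usage (placeholder host): probe the public port and the connector port
# separately, e.g.
#   probe_tls dev.example.net 443
#   probe_tls dev.example.net 8443
```

Probing 443 and 8443 separately shows whether the port SSLLabs tests is actually being answered by the connector you edited in server.xml; if the two ports report different versions, look at the iptables redirect rather than the Connector attributes. An "untested" line means your own openssl build will not speak that version, so run the probe from a host whose openssl still can before concluding the server rejects it.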