On 19/07/2020 13:55, Christopher Schultz wrote:
> Mark,
>
> On 7/18/20 10:01, Mark Thomas wrote:
>> On 17/07/2020 21:47, James H. H. Lampert wrote:
>>> Running two connectors seems to work just fine, but I'm having
>>> trouble getting one of them to only take TLS 1.2
>>>
>>> In reply to my query:
>>>
>>>>> Given all this, is it possible to (1) have Tomcat listen on
>>>>> two separate HTTPS ports, and (2) have one of the ports
>>>>> require TLS 1.2, but the other accept something our AS/400
>>>>> can use?
>>>
>>> On 7/17/20 10:03 AM, Mark Thomas wrote:
>>>
>>>> Yes. You need two Connector elements specifying different ports
>>>> and different protocols. They should be able to use the same
>>>> certificate configuration.
>>>
>>> I just ran a test on our development Amazon EC2 instance, and
>>> verified that I could listen on two different ports (existing
>>> 8443 and now 7443), and I limited (or so I thought) 8443 (to
>>> which I have 443 rerouted through iptables) to TLS 1.2.
>>>
>>> Except that SSLLabs tells me it's still accepting TLS 1.0 and
>>> 1.1!
>>>
>>> I commented out the connector for 8443 and restarted Tomcat, but
>>> it's still giving the same report from SSLLabs.
>>>
>>> The connector for 8443 in server.xml looks like this (lines
>>> truncated):
>>>> <Connector port="8443" proxyPort="443"
>>>> protocol="org.apache.coyote.http1$ compression="on"
>>>> compressionMinSize="2048" noCompressionUserAgents="goz$
>>>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>>>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>>> clientAuth="false" sslProtocol="TLSv1.2" />
>>>
>>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the
>>> Tomcat 7 installation on our most security-conscious customer's
>>> AS/400; this Tomcat is 8.5. Am I specifying it wrong?
>
>> I should probably remind myself why this is the way this is.
>>
>> You want:
>>
>> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
>>
>> And to answer my question above, because that is the way the JSSE
>> API has been written.
>
> We should probably just merge these into a single attribute and "do
> the right thing":
>
> 1. If not specified, do nothing unusual
> 2. If the value includes a ",", use it for sslEnabledProtocols, use
>    "TLS" as sslProtocol
> 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Seems reasonable.

> Practically speaking, the only useful value for sslProtocol today is
> "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
> sslEnabledProtocols to TLSv1.2 but using the same value for both has
> the same effect, of course.
>
> In the future, if anything other than "TLS" makes sense for
> sslProtocol, we can change Tomcat to support that.
>
> We should also probably have SSLEnabled="true" be the default if any
> TLS-related configuration option is used on a connector.

That might catch a few folks by surprise but it does seem reasonable.

I think there is scope in Tomcat 10 to clean up the TLS configuration a
little more. We have a couple of months until Jakarta EE 9 is released
so there is time to improve this.

Mark
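The misconfiguration discussed in this thread (sslProtocol="TLSv1.2" on its own, which left TLS 1.0 and 1.1 reachable) is easy to catch by reading server.xml before deploying. The following script is an added example, not code from the thread or from Tomcat: it audits every Connector in a constructed server.xml fragment, flags a version-valued sslProtocol that has no accompanying sslEnabledProtocols (reporting Mark's fix, sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"), reports legacy versions that are deliberately enabled on a second connector, and also implements the three-rule merging behaviour Chris proposes as merged_protocol_setting(). The keystore path, key alias and port 9443 are placeholders, and the list of attributes treated as "TLS-related" is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (placeholder paths/aliases, not the thread's file).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Like the thread: sslProtocol names a version, sslEnabledProtocols is absent -->
    <Connector port="8443" proxyPort="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/placeholder.ks" keyAlias="placeholder"
               clientAuth="false" sslProtocol="TLSv1.2" />
    <!-- Corrected form from the thread: sslProtocol="TLS", restriction via sslEnabledProtocols -->
    <Connector port="9443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/placeholder.ks" keyAlias="placeholder"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
    <!-- Second connector that intentionally still admits older versions for a legacy client -->
    <Connector port="7443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/placeholder.ks" keyAlias="placeholder"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
"""

# Assumed set of attributes that mark a connector as TLS-configured.
TLS_ATTRS = ("sslProtocol", "sslEnabledProtocols", "keystoreFile",
             "keyAlias", "ciphers", "clientAuth")
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def merged_protocol_setting(value):
    """Chris's proposed single-attribute rule; returns (sslProtocol, sslEnabledProtocols)."""
    if value is None:
        return (None, None)        # rule 1: not specified, do nothing unusual
    if "," in value:
        return ("TLS", value)      # rule 2: a list goes to sslEnabledProtocols, "TLS" to sslProtocol
    return (value, value)          # rule 3: same value for both


def audit_connectors(xml_text):
    """Return one finding dict per TLS-configured Connector, with a list of issues."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        if not any(a in attrs for a in TLS_ATTRS):
            continue                               # plain HTTP/AJP connector, skip
        ssl_protocol = attrs.get("sslProtocol")
        enabled = attrs.get("sslEnabledProtocols")
        issues = []
        # The thread suggests SSLEnabled="true" should be implied; today it must be explicit.
        if attrs.get("SSLEnabled", "false").lower() != "true":
            issues.append("TLS attributes present but SSLEnabled is not true")
        # A version name in sslProtocol alone is not the restriction the thread wanted.
        if ssl_protocol and ssl_protocol != "TLS" and enabled is None:
            issues.append('sslProtocol=%r without sslEnabledProtocols; use '
                          'sslProtocol="TLS" sslEnabledProtocols=%r'
                          % (ssl_protocol, ssl_protocol))
        # Report old versions that are explicitly enabled, so the exception is a conscious one.
        if enabled:
            legacy = sorted(LEGACY_VERSIONS & {v.strip() for v in enabled.split(",")})
            if legacy:
                issues.append("legacy protocol versions enabled: " + ",".join(legacy))
        findings.append({"port": attrs.get("port"), "sslProtocol": ssl_protocol,
                         "sslEnabledProtocols": enabled, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print("port %s: sslProtocol=%s sslEnabledProtocols=%s -> %s"
              % (f["port"], f["sslProtocol"], f["sslEnabledProtocols"], status))
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; the port 8443 entry reproduces the thread's problem and the 9443 entry shows the corrected attributes, while 7443 is reported only so that a deliberately permissive connector is visible in review rather than discovered later by an external scan.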