Alex,

> On 02.03.2021 at 23:19, Alex <al-tomcatu...@none.at> wrote:
>
> Hi.
>
>> On 02.03.21 23:14, John Larsen wrote:
>> I usually let the apache webserver or nginx handle the SSL while proxying
>> to the tomcat.

Unless you need some really fancy rewriting or caching, Tomcat is absolutely
capable of handling this. Even static files are OK nowadays.

>> To use tomcat's built in server you'll need to import the
>> SSL certificate into the keystore via your jdk.

That's not the case anymore. Tomcat 8.5.x perfectly speaks PEM files and
openssl config. (See below.) Even dynamic reloading of SSL configs can be
achieved with the jmxproxy.

>
> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
> the backend, in this case tomcat.
>
>> John Larsen
>>> On Tue, Mar 2, 2021 at 3:06 PM Alex <al-tomcatu...@none.at> wrote:
>>> Hi.
>>>
>>> I try to make a "good" tomcat config and read the docs.
>>>
>>> Now in the Connector doc is the following statement.
>>>
>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>>
>>> Each secure connector must define at least one SSLHostConfig.
>>>
>>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>>> with tomcat? I would prefer to put SSLHostConfig but I'm not sure if
>>> it's the way the developers think to set up the TLS in tomcat?
>>>
>>> I use JSSE as implementation.
>>>
>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>>
>>> ```
>>> <!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
>>> <Connector
>>>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>   port="8443" maxThreads="200"
>>>   scheme="https" secure="true" SSLEnabled="true"
>>>   keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>>   clientAuth="false" sslProtocol="TLS"/>
>>> ```

You should move this to SSLHostConfig.

```xml
<SSLHostConfig honorCipherOrder="true"
               insecureRenegotiation="false"
               hostName="<hostname>"
               protocols="TLSv1.2+TLSv1.3"
               certificateVerification="none"
               disableCompression="true"
               disableSessionTickets="true"
               ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeyFile="${catalina.base}/conf/ssl/server.key"
                 certificateFile="${catalina.base}/conf/ssl/server.crt"
                 certificateChainFile="${catalina.base}/conf/ssl/intermediate.pem"
                 type="RSA" />
</SSLHostConfig>
```

HTH
Peter

>>> What's your suggestion and opinion to configure the tomcat in a
>>> proper way to use TLS also for the future versions.
>>>
>>> Regards
>>> Alex
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>
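The thread's recommendation (move the TLS settings off the Connector into an SSLHostConfig, and pin the protocols to TLSv1.2+TLSv1.3) is easy to check mechanically. The script below is an added example written for this page, not code from the thread or from the Tomcat project: it parses a server.xml, flags SSLEnabled Connectors that still use the legacy keystoreFile/sslProtocol-style attributes or have no SSLHostConfig child, and flags SSLHostConfig elements whose protocols attribute admits anything other than TLS 1.2/1.3 or leaves it at the version-dependent default. The embedded server.xml is constructed for the example and shows the how-to's legacy connector beside the SSLHostConfig form from the reply; the hostnames and file paths in it are placeholders.

```python
"""Audit TLS connectors in a Tomcat server.xml (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# TLS attributes the old how-to placed directly on <Connector>; the thread's
# advice is to carry them in <SSLHostConfig>/<Certificate> instead.
LEGACY_CONNECTOR_ATTRS = {
    "keystoreFile", "keystorePass", "keyAlias", "clientAuth", "sslProtocol",
    "sslEnabledProtocols", "ciphers", "truststoreFile", "truststorePass",
}
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: one legacy connector (8443), one SSLHostConfig that still
# allows TLS 1.1 (8444), and one that follows the reply's recommendation (8445).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8444" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig hostName="legacy.example.test"
                     protocols="TLSv1.1+TLSv1.2" honorCipherOrder="true">
        <Certificate certificateKeyFile="conf/ssl/server.key"
                     certificateFile="conf/ssl/server.crt" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8445" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig hostName="www.example.test" protocols="TLSv1.2+TLSv1.3"
                     honorCipherOrder="true" insecureRenegotiation="false">
        <Certificate certificateKeyFile="conf/ssl/server.key"
                     certificateFile="conf/ssl/server.crt"
                     certificateChainFile="conf/ssl/intermediate.pem" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_protocols(value):
    """Split a Tomcat protocols attribute ("TLSv1.2+TLSv1.3" or comma form)."""
    return {p.strip() for p in value.replace("+", ",").split(",") if p.strip()}


def audit(server_xml):
    """Return a list of (port, finding) tuples; an empty list means clean."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        legacy = sorted(LEGACY_CONNECTOR_ATTRS & set(conn.attrib))
        if legacy:
            findings.append((port, "legacy TLS attributes on Connector: " + ", ".join(legacy)))
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            findings.append((port, "SSLEnabled Connector without an SSLHostConfig"))
        for host in hosts:
            name = host.get("hostName", "_default_")
            protocols = host.get("protocols")
            if protocols is None or "all" in parse_protocols(protocols):
                findings.append((port, f"{name}: protocols not pinned, set TLSv1.2+TLSv1.3"))
            else:
                weak = sorted(parse_protocols(protocols) - ALLOWED_PROTOCOLS)
                if weak:
                    findings.append((port, f"{name}: protocols outside TLS 1.2/1.3: {weak}"))
            if host.get("insecureRenegotiation", "false").lower() == "true":
                findings.append((port, f"{name}: insecureRenegotiation is enabled"))
            if not host.findall("Certificate"):
                findings.append((port, f"{name}: SSLHostConfig without a Certificate"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run against a real installation with `audit(open("conf/server.xml").read())`; only the protocol and structural checks are covered here, the cipher list still needs review against the provider in use.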