I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java
Openjdk version 1.8.x
Oracle Java 1.8.x
I need to allow TLS 1.2 only.
Please help guide me to achieve this.
I have tried to follow the following links(Not sure if they are outdated).
But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.
how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8
How do I disable SSLv3 in tomcat?
Does Tomcat support TLS v1.2? (The two steps mentioned by oraclesoon doesn't seem to work)
How do I disable SSLv3 support in Apache Tomcat?
Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8 says sslProtocol is no longer used in java 8
I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.1,TLSv1.2">
<Certificate certificateKeystoreFile="conf/keystore.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>
Please refer this configuration guide and try that out.
If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilter and then inside the filter(RequestContext requestContext) method insert a check that verifies that the TLS connection adhere's to your requirement.
if("TLSv1.2".equals(requestContext.getProperty("org.apache.tomcat.util.net.secure_protocol_version"))
{
throw new IllegalStateException("Invalid TLS version");
}
This example is from Tomcat 8, but I suspect an option may be available for other containers.
Related
As per the below link
https://github.com/spring-projects/spring-boot/issues/6164, the following features are removed from tomcat 8.5
a) Class org.apache.tomcat.util.net.ServerSocketFactory no longer exists
b) Class org.apache.tomcat.util.net.jsse.JSSESocketFactory no longer exists
c) Method JSSEImplementaton.getServerSockerFactory(AbstractEndpoint) no longer exists
d) Method JSSEImplementaton.getSSLUtil(AbstractEndpoint) no longer exists
These make our upgrade from tomcat 8.0 to tomcat 8.5.x difficult.
We have two requirements
Tomcat AJP protocol receives encrypted content coming from the HTTP server and gives an encrypted response. This was possible with tomcat 8, by using custom classes implementing tomcat's ServerSocketFactory interface.
Store certificates file for tomcat https in a custom keystore (an XML file)
How these can be achieved in tomcat 8.5? Any suggestions appreciated. (We were doing it in Tomcat 8 using custom SocketFcatory implementing tomcat's interface)
After the connector refactoring the JIoEndpoint that allowed to specify arbitrary ServerSocketFactory is no longer available.
However the AJP connector is almost ready to accept SSL connections if you allow some changes to Tomcat's codebase: the AbstractAjpProtocol class just lacks an implementation of the addSslHostConfig and findSslHostConfigs or better it has implementations that don't store or return anything with a very explicit comment:
SSL is not supported in AJP
If you change them as in AbstractHttp11Protocol, you'll be able to configure an AJP connector the same way you configure a HTTP/1.1 connector:
<Connector SSLEnabled="true" port="8009" protocol="AJP/1.3">
<SSLHostConfig ...>
<Certificate ... />
</SSLHostConfig>
</Connector>
Regarding the certificate storage you can implement your own KeyStoreSpi and security provider and use:
<Certificate certificateKeystoreProvider="your_provider"
certificateKeystoreType="your_type"
... />
I have a single AWS ec2 instance without a load balancer. I have apache tomcat server running on the same. How should i install a ssl certificate on the server for the website that i am hosting on the server? I am running a java struts 2 application running on the server.
All the options online are about using ACM with load balancer.
For Tomcat8 I would do the following:
Copy your .p12 to /usr/java/latest/
Add the following to your server.xml file, ensuring the keystoreFile matches the above step and keystorePass corresponds to the cert
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2"
keystoreFile="/usr/java/latest/<your.p12>"
keystorePass="<add passwd here>" keystoreType="PKCS12"
connectionTimeout="20000" redirectPort="8443"
proxyPort="443" server="NunYa"
proxyName="<fqdn>" />
If you want to prevent unencrypted traffic, comment out block in server.xml starting with <Connector port="8080" protocol="HTTP/1.1"
For more details see the references below.
References
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
You can use ngnix server to route the default 443 port to your tomcat 8080 or 8443 port Amazon instance.
For that you need to buy ssl or get free ssl for 3 month duration via "https://letsencrypt.org" websites.
you can even configure ngnix by using openssl certificate if your going work as a demo purpose.
I'm using Tomcat "native" APR to provide SSL. My Connector looks like:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLEnabled="true"
SSLVerifyClient="require"
SSLCertificateFile="..."
SSLCertificateKeyFile="..."
SSLPassword="..."
SSLCACertificateFile="..."
maxThreads="200"
scheme="https"
secure="true"/>
I'm having trouble with the APR side refusing certificates and I want to debug this. How can I enable debug output (logging) for the SSL session on the Tomcat/APR side? Adding "javax.net.debug=ssl" doesn't work, of course, since the APR binary is handling SSL, not Java.
I do have the javax.net.debug=ssl output on my client side, but that's not enough info since the error is being sent from the server (Tomcat/APR).
Try setting this in conf/logging.properties
org.apache.coyote.http2.level = FINE
If you console logging is setup, then you should get a heap of output to the catalina.out file.
I'm trying to configure TLS on production server.
Application Server: JBoss 6.1.0 Final
JDK: 1.6.31
Following is the code from JBOSS_HOME/server/default/deploy/jbossweb.sar/server.xml:
<Connector name="https" protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/Keystore.jks"
keystorePass="dqwssl" server="Server details not present2"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
I've kept the Keystore.jks file at JBOSS_HOME/server/default/conf/
After the HTTPS configurations, the website is opening on IE8 but not on Chrome and Mozilla.
Not opening on Chrome(Version:42.0.2311.135),
Error-ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Not opening on Mozilla(Version:37.0.2),
Error:ssl_error_no_cypher_overlap
However, it is opening on previous versions on Chrome (before v40) and Mozilla(before v33).
I searched about the issue on various sites and blogs.
What I found is that SSL3 is disabled as it is not safe(POODLE and BEAST attack). All modern browsers are supporting TLSv1.2. But while disabling SSL3, they have also disabled SSL3 cipher suites.
I've tried the cipher configuration in HTTP connector like:
<Connector name="https" protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/Keystore.jks"
keystorePass="dqwssl" server="Server details not present2"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2" cipher="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"/>
I have few questions:
While disabling SSL3, does the browsers have also disabled SSL3 cipher suites ?
For TLSv1.2: Is JDK1.7 mandatory on server ?
What configurations do I need to do to overcome the cipher mismatch issue and the website can open on all modern browsers with TLS?
Which ciphers do I need to use ?
I figured the issue. The issue occurred because the SSL certificates were not generated properly. The CA certs were not imported in the keystore file. Due to this mistake, the application was not running on Mozilla and Chrome newer versions. But it was working on IE. It was also working on Mozilla and Chrome previous versions. Not able to figure out why. It might be because of newer updates they should have prevented this.
For a site which is running an old version of Java and Tomcat (6 and 5.5 respectively) the latest build of chrome is failing with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION.
And that's fine, since chrome disabled SSLv3 becuase of POODLE. I went to conf/server.xml and specified sslProtocol="TLSv1" explicitly.
The the site opens successfully, but sometimes, some of the resources (js and css only) fail to open with the same ERR_SSL. I use iptables forwarding to Tomcat, so no apache/nginx and no proxies.
Here's a screenshot to illustrate the failures. With cache disabled, you can see that some js and css files are served OK (the actual jsps and all images are always served OK), and some are failing:
I could not find any connection between what's failing, and their declaration. Furthermore, sometimes these are not failing.
Can I do something about it (apart from upgrading Java, which is not guaranteed to work and is a lot of effort, as the site potentially won't work, and have to be recompiled, repackaged, etc), or is it a chrome bug?
Specifying sslProtocol="TLSv1" in the Tomcat <Connector /> element only guarantees that the specified protocol will be available, not that it is the only one available. For example, the connector
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1" ... />
will have SSLv3 and TLSv1 available. In order to disable SSLv3, you need to explicitly say which protocols are enabled using another property. I'm not familiar with the syntax for Tomcat 5, but the syntax for Tomcat 6 is protocols="TLSv1" and Tomcat 7 is sslEnabledProtocols="TLSv1".