Develop Reference

Enable TLS 1.2 only in apache-tomcat-9 and Java 8

I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java
Openjdk version 1.8.x
Oracle Java 1.8.x
I need to allow TLS 1.2 only.
Please help guide me to achieve this.
I have tried to follow the following links(Not sure if they are outdated).
But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.
how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8
How do I disable SSLv3 in tomcat?
Does Tomcat support TLS v1.2? (The two steps mentioned by oraclesoon doesn't seem to work)
How do I disable SSLv3 support in Apache Tomcat?
Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8 says sslProtocol is no longer used in java 8

I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.1,TLSv1.2">
<Certificate certificateKeystoreFile="conf/keystore.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>
Please refer this configuration guide and try that out.

If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilter and then inside the filter(RequestContext requestContext) method insert a check that verifies that the TLS connection adhere's to your requirement.
if("TLSv1.2".equals(requestContext.getProperty("org.apache.tomcat.util.net.secure_protocol_version"))
{
throw new IllegalStateException("Invalid TLS version");
}
This example is from Tomcat 8, but I suspect an option may be available for other containers.

How to install a ssl certificate for tomcat server on a aws linux machine

I have a single AWS ec2 instance without a load balancer. I have apache tomcat server running on the same. How should i install a ssl certificate on the server for the website that i am hosting on the server? I am running a java struts 2 application running on the server.
All the options online are about using ACM with load balancer.

For Tomcat8 I would do the following:
Copy your .p12 to /usr/java/latest/
Add the following to your server.xml file, ensuring the keystoreFile matches the above step and keystorePass corresponds to the cert
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2"
keystoreFile="/usr/java/latest/<your.p12>"
keystorePass="<add passwd here>" keystoreType="PKCS12"
connectionTimeout="20000" redirectPort="8443"
proxyPort="443" server="NunYa"
proxyName="<fqdn>" />
If you want to prevent unencrypted traffic, comment out block in server.xml starting with <Connector port="8080" protocol="HTTP/1.1"
For more details see the references below.
References
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html
http://www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/

You can use ngnix server to route the default 443 port to your tomcat 8080 or 8443 port Amazon instance.
For that you need to buy ssl or get free ssl for 3 month duration via "https://letsencrypt.org" websites.
you can even configure ngnix by using openssl certificate if your going work as a demo purpose.

Configuring TLS on JBOSS 6 AS leads to an ERR_SSL_VERSION_OR_CIPHER_MISMATCH(In Chrome) or ssl_error_no_cypher_overlap(In Mozilla) error

I'm trying to configure TLS on production server.
Application Server: JBoss 6.1.0 Final
JDK: 1.6.31
Following is the code from JBOSS_HOME/server/default/deploy/jbossweb.sar/server.xml:
<Connector name="https" protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/Keystore.jks"
keystorePass="dqwssl" server="Server details not present2"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
I've kept the Keystore.jks file at JBOSS_HOME/server/default/conf/
After the HTTPS configurations, the website is opening on IE8 but not on Chrome and Mozilla.
Not opening on Chrome(Version:42.0.2311.135),
Error-ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Not opening on Mozilla(Version:37.0.2),
Error:ssl_error_no_cypher_overlap
However, it is opening on previous versions on Chrome (before v40) and Mozilla(before v33).
I searched about the issue on various sites and blogs.
What I found is that SSL3 is disabled as it is not safe(POODLE and BEAST attack). All modern browsers are supporting TLSv1.2. But while disabling SSL3, they have also disabled SSL3 cipher suites.
I've tried the cipher configuration in HTTP connector like:
<Connector name="https" protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/Keystore.jks"
keystorePass="dqwssl" server="Server details not present2"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2" cipher="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"/>
I have few questions:
While disabling SSL3, does the browsers have also disabled SSL3 cipher suites ?
For TLSv1.2: Is JDK1.7 mandatory on server ?
What configurations do I need to do to overcome the cipher mismatch issue and the website can open on all modern browsers with TLS?
Which ciphers do I need to use ?

I figured the issue. The issue occurred because the SSL certificates were not generated properly. The CA certs were not imported in the keystore file. Due to this mistake, the application was not running on Mozilla and Chrome newer versions. But it was working on IE. It was also working on Mozilla and Chrome previous versions. Not able to figure out why. It might be because of newer updates they should have prevented this.

HTTPS not working on Google Compute Engine

I would like to know if anybody has experience working with SSL and HTTPS on a Google Compute Engine (not GAE) instance. I have been unable to use HTTPS with my website: browsers and online test tools fail to connect to my server.
My environment is ubuntu-1404-trusty-v20141212 and Tomcat 8.
Here's what I did:
I ticked "allow HTTP" and "allow HTTPS traffic" on the instance's network settings
Installed my $4 Comodo certs.
Used as-is Connector configuration on server.xml with only keystore and password added
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/private/tomcat.keystore"
keystorePass="password"
/>
I get the aforementioned error when I start my Tomcat and go to https://mysite.com:8443. Some diagnostics are:
Log catalina.out doesn't say anything severe.
Using netstat -ntlp |grep :8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8500/java shows my tomcat is listening at 8443
Finally I created an AWS EC2 instance with the same environment and installed my SSL certificates. It immediately works without any tinkering with port and firewall.
Any advice on how to make SSL work on GCE is appreciated.

Figured it out myself. As suspected, this does have something to do with firewall.
When allowing HTTPS traffic in a GCE instance, the default port is 443 not 8443.
Either change the listening port or change the firewall rule here:
Google Developers Console->Compute Engine->Networks->the network's
name the instance is associated with->Firewall rules.
Several rules are listed, in my case I need to modify default-allow-https

SSL Tomcat Configuration

I am using tomcat 5.5 and configured keystore and added this connector inside server.xml file
<Connector port="443" minProcessors="5" maxProcessors="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true";
clientAuth="false" sslProtocol="TLS"/>
But I am not sure why when I type in https://locahost the browser tells me "This program cannot display the webpage".

Did you check Tomcat's logs?
Perhaps the connector could not start up.
Perhaps Tomcat could not read or find the .keystore you configured.
Perhaps the .keystore has a password which Tomcat does not know about.
Perhaps another process is already bound to that port.
The logs will probably tell you exactly which of these is going on.

Possibly you have your browser configured to use a web proxy. In this case, make sure that localhost and 127.0.0.1 are exceptions to using this proxy under the browser's preferences or options. ALSO make sure that localhost is mapped to 127.0.0.1 in your /etc/hosts file. Which in windows is under \WINDOWS\system32\drivers\etc\hosts.

Try to add the port
localhost :443