For a site which is running an old version of Java and Tomcat (6 and 5.5 respectively) the latest build of chrome is failing with ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION.
And that's fine, since chrome disabled SSLv3 becuase of POODLE. I went to conf/server.xml and specified sslProtocol="TLSv1" explicitly.
The the site opens successfully, but sometimes, some of the resources (js and css only) fail to open with the same ERR_SSL. I use iptables forwarding to Tomcat, so no apache/nginx and no proxies.
Here's a screenshot to illustrate the failures. With cache disabled, you can see that some js and css files are served OK (the actual jsps and all images are always served OK), and some are failing:
I could not find any connection between what's failing, and their declaration. Furthermore, sometimes these are not failing.
Can I do something about it (apart from upgrading Java, which is not guaranteed to work and is a lot of effort, as the site potentially won't work, and have to be recompiled, repackaged, etc), or is it a chrome bug?
Specifying sslProtocol="TLSv1" in the Tomcat <Connector /> element only guarantees that the specified protocol will be available, not that it is the only one available. For example, the connector
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1" ... />
will have SSLv3 and TLSv1 available. In order to disable SSLv3, you need to explicitly say which protocols are enabled using another property. I'm not familiar with the syntax for Tomcat 5, but the syntax for Tomcat 6 is protocols="TLSv1" and Tomcat 7 is sslEnabledProtocols="TLSv1".
Related
I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java
Openjdk version 1.8.x
Oracle Java 1.8.x
I need to allow TLS 1.2 only.
Please help guide me to achieve this.
I have tried to follow the following links(Not sure if they are outdated).
But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.
how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8
How do I disable SSLv3 in tomcat?
Does Tomcat support TLS v1.2? (The two steps mentioned by oraclesoon doesn't seem to work)
How do I disable SSLv3 support in Apache Tomcat?
Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8 says sslProtocol is no longer used in java 8
I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig protocols="TLSv1.1,TLSv1.2">
<Certificate certificateKeystoreFile="conf/keystore.jks"
type="RSA" />
</SSLHostConfig>
</Connector>
See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>
Please refer this configuration guide and try that out.
If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilter and then inside the filter(RequestContext requestContext) method insert a check that verifies that the TLS connection adhere's to your requirement.
if("TLSv1.2".equals(requestContext.getProperty("org.apache.tomcat.util.net.secure_protocol_version"))
{
throw new IllegalStateException("Invalid TLS version");
}
This example is from Tomcat 8, but I suspect an option may be available for other containers.
1/
Install the latest version of tomcat (8.0.28) and run it on java 8 (I'm using the 1.8.0_45 / 64-Bit version).
I'm running the Tomcat on a Windows 7 64-Bit
2/ Enable SSL on Tomcat:
Activate SSL by creating a keystore and uncommenting the https connector in the server.xml file, add
keystoreFile="" keystorePass=""
to the connector.
FYI: here is my connector:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="password"
keystoreFile="/path/to/my/keystore" />
3/ Install Fiddler (www.telerik.com/fiddler) or any other tool to sniff the traffic between your host and the server, the fiddler should run on your host. I did my screen shots with Fiddler.
4/
Go to tools/options/https and check "enable decrypt".
5/
Using Internet explorer 11 (chrome also works but as it compresses the websocket traffic it makes it harder to reach 8KB of data), access your tomcat remotely using https and open the example app at https://server:8443/examples/websocket/echo.xhtml
choose "Programmatic API", hit "Connect", then send a small test message
on fiddler, double click on the websocket session and look at the result in the websocket tab.
Now, try to send a large text of say 20KB, you'll see that the reply is split in frames of 8KB marked "Continuation". There should be a frame marked "Final" which is missing at this point.
Send another small message so that the missing frame is flushed.
Important:
If I connect to a Tomcat running locally on my host I do not reproduce this issue.
If I do not use SSL, I do not reproduce this issue.
Questions:
- why such behavior, did anyone experience the same thing ?
- how to properly troubleshoot this issue ?
- I tried to enable the Tomcat logging but nothing interesting in the logging: org.apache.tomcat.websocket.level = FINE
The issue is apparently OS related:
When Tomcat is on Windows 7 it does not work
When Tomcat is on Windows 10 it works
When Tomcat is on Windows Server 2012 R2 it works
In short this issue a combination of OS (some versions of windows) / SSL and WebSockets.
The "dirty" workaround I found for now is to send a last message to flush the buffer since I have access to the code of the server side.
please let me knwo if you faced such issue as this could be something related to the SSL handshake for some specific windows versions and I don't knwo how to trouble shoot that.
I'm trying to configure TLS on production server.
Application Server: JBoss 6.1.0 Final
JDK: 1.6.31
Following is the code from JBOSS_HOME/server/default/deploy/jbossweb.sar/server.xml:
<Connector name="https" protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/Keystore.jks"
keystorePass="dqwssl" server="Server details not present2"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
I've kept the Keystore.jks file at JBOSS_HOME/server/default/conf/
After the HTTPS configurations, the website is opening on IE8 but not on Chrome and Mozilla.
Not opening on Chrome(Version:42.0.2311.135),
Error-ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Not opening on Mozilla(Version:37.0.2),
Error:ssl_error_no_cypher_overlap
However, it is opening on previous versions on Chrome (before v40) and Mozilla(before v33).
I searched about the issue on various sites and blogs.
What I found is that SSL3 is disabled as it is not safe(POODLE and BEAST attack). All modern browsers are supporting TLSv1.2. But while disabling SSL3, they have also disabled SSL3 cipher suites.
I've tried the cipher configuration in HTTP connector like:
<Connector name="https" protocol="HTTP/1.1" SSLEnabled="true"
port="${jboss.web.https.port}" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/Keystore.jks"
keystorePass="dqwssl" server="Server details not present2"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2" cipher="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"/>
I have few questions:
While disabling SSL3, does the browsers have also disabled SSL3 cipher suites ?
For TLSv1.2: Is JDK1.7 mandatory on server ?
What configurations do I need to do to overcome the cipher mismatch issue and the website can open on all modern browsers with TLS?
Which ciphers do I need to use ?
I figured the issue. The issue occurred because the SSL certificates were not generated properly. The CA certs were not imported in the keystore file. Due to this mistake, the application was not running on Mozilla and Chrome newer versions. But it was working on IE. It was also working on Mozilla and Chrome previous versions. Not able to figure out why. It might be because of newer updates they should have prevented this.
I would like to know if anybody has experience working with SSL and HTTPS on a Google Compute Engine (not GAE) instance. I have been unable to use HTTPS with my website: browsers and online test tools fail to connect to my server.
My environment is ubuntu-1404-trusty-v20141212 and Tomcat 8.
Here's what I did:
I ticked "allow HTTP" and "allow HTTPS traffic" on the instance's network settings
Installed my $4 Comodo certs.
Used as-is Connector configuration on server.xml with only keystore and password added
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/ssl/private/tomcat.keystore"
keystorePass="password"
/>
I get the aforementioned error when I start my Tomcat and go to https://mysite.com:8443. Some diagnostics are:
Log catalina.out doesn't say anything severe.
Using netstat -ntlp |grep :8443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 8500/java shows my tomcat is listening at 8443
Finally I created an AWS EC2 instance with the same environment and installed my SSL certificates. It immediately works without any tinkering with port and firewall.
Any advice on how to make SSL work on GCE is appreciated.
Figured it out myself. As suspected, this does have something to do with firewall.
When allowing HTTPS traffic in a GCE instance, the default port is 443 not 8443.
Either change the listening port or change the firewall rule here:
Google Developers Console->Compute Engine->Networks->the network's
name the instance is associated with->Firewall rules.
Several rules are listed, in my case I need to modify default-allow-https
I'm running a java web app in Eclipse (Helios) using Tomcat 7. The server startups up successfully (duration indicated) however Eclipse's progress bar still spins saying that Tomcat is starting up. Eventually the timeout is reached and an error is thrown.
I believe Tomcat is fine as I've taken the command that it uses and ran it manually in the shell. Tomcat runs fine and I'm able to hit the web app at the expected URL. I can also hit it after it's started up and before the timeout occurs.
I've reinstalled Eclipse, I ran it with clean, I deleted/recreated the server. Nothing has worked. Anybody have any clues?
I had this issue, it seems that the Eclipse calls the application url after start up to make sure it is running.
A proxy client (pshione) had changed the system proxy so the eclipse could not call the start page and thinks that the application is not starting yet!!
I removed the proxy and it works fine now!
Edited:
This can also happen when you start your tomcat with SSL, but the ssl certification is not valid. When you make a call to and invalid SSL certification site, some browser confirm if you want to go one or not, but eclipse can not connect to your invalid ssl site! I suggest test your site with normal http instead of https.
This issue is related to a tomcat configured with HTTPS without a HTTP connector.
I had this SSL connector in server.xml and my tomcat in Eclipse is always showing Starting:
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
I suppose Eclipse uses a HTTP connection to the server to verify that instance of Tomcat is available.
I've solve this problem including an aditional HTTP connector redirecting to HTTPS in server.xml.
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
redirectPort="443"/>
<Connector SSLEnabled="true" asyncTimeout="10000000" clientAuth="false"
connectionTimeout="10000000" keepAliveTimeout="10000000"
keystoreFile="/opt/config/selfsigned.p12" keystorePass="changeit"
keystoreType="PKCS12" maxThreads="200" port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS"/>
With this change my tomcat in Eclipse starts properly showing Debugging state.
Some updates of Java cause problems with Eclipse's networking operation. Specifically, Eclipse tries to use IPv6 instead of IPv4 and sometimes fails. When Eclipse starts up Tomcat, one of the final steps that it does is tests the a debug call to Tomcat. This is likely to be the part that is hanging. Fortunately, the fix is very easy. We simply tell Eclipse to use IPv4 instead.
To do this, edit the eclipse.ini file (found in the Eclipse directory) and add the following to the end of the file on its own line:
-Djava.net.preferIPv4Stack=true
Restart Eclipse and you should be good to go.
I had the same issue, it was due to the connectors I had defined (I only had an AJP connector).
Adding an HTTP connector to Tomcat's server.xml solved the problem.
I've found the answer (just after posting here which, ironically, seems to be how to find answer's to one's own question.)
The answer was that the port was being used by another process. I should've known but upgraded several different packages will do this. But onto the symptoms:
Tomcat starts successfully. Able to hit the application before timeout.
Eclipse looks like it's unable to determine whether the server has started or stopped.
HTTP is currently running under the default of 8080. Unfortunately, my data store was listening at 8080 (my guess as I'm not particularly sure what it does with the port except that it's allocated for jmx). I'm guessing that Eclipse is unable to detect Tomcat at 8080.
I got this problem, it seems that my tomcat version was buggy (tomcat 7.0.23)
switch your tomcat version to another (i.e tomcat 7.0.14) it works for me.
good luck
This could happen if two servlets have been mapped to the same request URL, Tomcat will start up fine but eclipse won't be able to generate the correct web.xml file and therefore won't be able to publish the webApp.
Check your servlet mapping #WebServlet("\TheURLThatShouldInvokeThisServlet") make sure two servlets dont have the same "TheURLThatShouldInvokeThisServlet".
(putting it for the record!)