Posted to users@tomcat.apache.org by Jeff Krug <to...@krugs.org> on 2006/03/09 23:08:15 UTC

Requiring TLS with Tomcat 5.5.12

I have a Tomcat 5.5.12 install that is working well (it is a stand-alone
install under Windows 2003 server).  I was given a request to make this
install fully FIPS 140-2 compliant, specifically requiring that Tomcat
not allow SSL 3.0 protocol connections (TLS only).  My config specifies
sslProtocol="TLS" and everything works fine in terms of defaulting to
TLS, but the default behavior here is to allow SSL 3.0 as well (that is
part of the connection negotiation process, I suppose).  

Is there a way to disallow the SSL 3.0 protocol? 

Thanks,
Jeff Krug


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Requiring TLS with Tomcat 5.5.12

Posted by Bill Barker <wb...@wilshire.com>.
"Jeff Krug" <to...@krugs.org> wrote in message 
news:20060310154741.GA13269@angband.org...
>
> Thu, Mar 09, at 09:19:PM : Bill Barker has proclaimed:
>> "Jeff Krug" <to...@krugs.org> wrote in message
>> news:20060309220815.GA32226@angband.org...
>> > Is there a way to disallow the SSL 3.0 protocol?
>> >
>>
>> protocols="TLS" on the <Connector /> tag.
>
> I added this, but it did not seem to alter the behavior.  Here is my
> connector tag:
>
> <Connector port="443" maxHttpHeaderSize="8192"
>           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>           enableLookups="false" disableUploadTimeout="true"
>           acceptCount="100" scheme="https" secure="true"
>           clientAuth="false" sslProtocol="TLS" protocols="TLS"
>           keystoreType="PKCS12"
>           keystoreFile="Path:\MyKeyStore.p12"
>           keystorePass="######"
>          />
>
> I can still connect using the SSL 3.0 protocol.  I don't see a protocols
> option listed anywhere in the Tomcat docs on Apache.org either.  Should
> this work?
>

My bad :(.  It should be protocols="TLSv1".

And, yes, it's an undocumented option.

> I am testing this with openssl on a Linux machine with this command:
>
> $ openssl s_client -ssl3 -connect My_Tomcat_Hostname:443
>
> <cut all the certificate passing>
>
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 512 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>    Protocol  : SSLv3
>    Cipher    : EDH-RSA-DES-CBC3-SHA
>    Session-ID: <snipped for length>
>    Session-ID-ctx:
>    Master-Key: <snipped for length>
>    Key-Arg   : None
>    Start Time: 1142004945
>    Timeout   : 7200 (sec)
>    Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> When I don't force the client on the Linux side to request ssl3, the
> protocol specified above is TLSv1 as I want.
>
> It seems like most products kind of blur the boundaries between TLS and
> SSL3 (for example that first line above says TLSv1/SSLv3 as if they are
> the same thing).  I guess they are nearly identical, but unfortunately
> I still need to figure this out.
>
> Any further ideas for what I can try?
>
> Thanks,
> Jeff Krug 






Re: Requiring TLS with Tomcat 5.5.12

Posted by Jeff Krug <to...@krugs.org>.
Thu, Mar 09, at 09:19:PM : Bill Barker has proclaimed:
> "Jeff Krug" <to...@krugs.org> wrote in message 
> news:20060309220815.GA32226@angband.org...
> > Is there a way to disallow the SSL 3.0 protocol?
> >
> 
> protocols="TLS" on the <Connector /> tag.

I added this, but it did not seem to alter the behavior.  Here is my
connector tag:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" protocols="TLS"
           keystoreType="PKCS12"
           keystoreFile="Path:\MyKeyStore.p12"
           keystorePass="######"
          />

I can still connect using the SSL 3.0 protocol.  I don't see a protocols
option listed anywhere in the Tomcat docs on Apache.org either.  Should
this work?  

I am testing this with openssl on a Linux machine with this command:

$ openssl s_client -ssl3 -connect My_Tomcat_Hostname:443

<cut all the certificate passing>

---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: <snipped for length>
    Session-ID-ctx:
    Master-Key: <snipped for length>
    Key-Arg   : None
    Start Time: 1142004945
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

When I don't force the client on the Linux side to request ssl3, the
protocol specified above is TLSv1 as I want.  

It seems like most products kind of blur the boundaries between TLS and
SSL3 (for example that first line above says TLSv1/SSLv3 as if they are
the same thing).  I guess they are nearly identical, but unfortunately 
I still need to figure this out.  

Any further ideas for what I can try?

Thanks,
Jeff Krug

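The probe below is an added example and is not code from this thread or from Tomcat. It does at the wire level what the `openssl s_client -ssl3` command in the message above does: it sends a ClientHello that offers exactly one protocol version and reports whether the server answers with a ServerHello (that version is still accepted) or with an alert or a closed connection (it is refused). Run it before and after adding `protocols="TLSv1"` to the Connector. The hostname passed on the command line, the three cipher suites offered, and the two sample server responses used for the offline checks are constructed assumptions, not captures from a real server.

```python
"""Single-version SSL/TLS handshake probe (added example, not from the thread)."""
import socket
import struct
import sys

SSLV3 = (3, 0)
TLS10 = (3, 1)
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Cipher suites a 2006-era JSSE stack would recognise (assumed set for the probe):
# 0x000A TLS_RSA_WITH_3DES_EDE_CBC_SHA, 0x0016 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
# (openssl calls the latter EDH-RSA-DES-CBC3-SHA, as in the thread), 0x002F AES128-SHA.
CIPHER_SUITES = [0x000A, 0x0016, 0x002F]


def build_client_hello(version):
    """Build a minimal ClientHello record that offers only `version` (major, minor)."""
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                        # client_version
        + b"\x00" * 32                               # random (fixed; fine for a probe)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression_methods: null only
    )
    # Handshake header: type 1 (client_hello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake) + version + 16-bit length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data, offered):
    """Inspect the first record the server sent back.

    Returns (accepted, detail). `accepted` is True only when the server answered
    with a ServerHello whose version equals the single version we offered.
    """
    if len(data) < 5:
        return False, "no usable response (connection closed or truncated)"
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15 and len(payload) >= 2:            # Alert record
        desc = payload[1]
        names = {40: "handshake_failure", 70: "protocol_version"}
        return False, "alert %s (%d)" % (names.get(desc, "unknown"), desc)
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        negotiated = (payload[4], payload[5])
        name = VERSION_NAMES.get(negotiated, "%d.%d" % negotiated)
        return negotiated == offered, "ServerHello negotiated " + name
    return False, "unexpected record type 0x%02x" % content_type


def probe(host, port, version, timeout=5.0):
    """Connect, send the single-version ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""      # a server that simply drops SSLv3 clients lands here
    return classify_response(data, version)


# Constructed server responses for offline checking (not captured from a real server).
# 1) What the thread's misconfigured server would send: ServerHello picking SSLv3 and 0x0016.
SAMPLE_SERVER_HELLO_SSLV3 = (
    b"\x16\x03\x00\x00\x2a"      # record: handshake, version 3.0, length 42
    + b"\x02\x00\x00\x26"        # handshake: server_hello, length 38
    + b"\x03\x00"                # server_version = 3.0
    + b"\x00" * 32               # random
    + b"\x00"                    # session_id length 0
    + b"\x00\x16"                # cipher_suite = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    + b"\x00"                    # compression_method = null
)
# 2) What a TLS-only server sends back: fatal (2) protocol_version (70) alert.
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    # Usage: python probe.py My_Tomcat_Hostname [443]   (hostname is an assumption)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for ver in (SSLV3, TLS10):
        ok, detail = probe(target, port, ver)
        print("%-6s %s: %s" % (VERSION_NAMES[ver], "ACCEPTED" if ok else "refused", detail))
```

After the Connector carries `protocols="TLSv1"`, the SSLv3 line should read "refused" and the TLSv1 line "ACCEPTED"; before the change both read "ACCEPTED", matching what Jeff saw with `-ssl3`. The raw-socket approach is used rather than Python's `ssl` module because current OpenSSL builds (and therefore `openssl s_client -ssl3` on a recent machine) no longer speak SSLv3 at all, so the thread's exact test command is not always available.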



Re: Requiring TLS with Tomcat 5.5.12

Posted by Bill Barker <wb...@wilshire.com>.
"Jeff Krug" <to...@krugs.org> wrote in message 
news:20060309220815.GA32226@angband.org...
>
> I have a Tomcat 5.5.12 install that is working well (it is a stand-alone
> install under Windows 2003 server).  I was given a request to make this
> install fully FIPS 140-2 compliant, specifically requiring that Tomcat
> not allow SSL 3.0 protocol connections (TLS only).  My config specifies
> sslProtocol="TLS" and everything works fine in terms of defaulting to
> TLS, but the default behavior here is to allow SSL 3.0 as well (that is
> part of the connection negotiation process, I suppose).
>
> Is there a way to disallow the SSL 3.0 protocol?
>

protocols="TLS" on the <Connector /> tag.

> Thanks,
> Jeff Krug 






Re: Requiring TLS with Tomcat 5.5.12

Posted by Mark Thomas <ma...@apache.org>.
When starting a new thread (ie sending a message to the list about a
new topic) please do not reply to an existing message and change the
subject line. To many of the list archiving services and mail clients
used by list subscribers this makes your new message appear as part
of the old thread. This makes it harder for other users to find
relevant information when searching the lists.

This is known as thread hijacking and is behaviour that is frowned
upon on this list. Frequent offenders will be removed from the list.
It should also be noted that many list subscribers automatically
ignore any messages that hijack another thread.

The correct procedure is to create a new message with a new subject.
This will start a new thread.

Mark
tomcat-user-owner



