Posted to users@tomcat.apache.org by James Drews <dr...@engr.wisc.edu> on 2014/10/14 20:16:53 UTC

Tomcat 6 APR SSL Issue

Hi, I have a question that may be a bug, or I'm just not doing something 
right (I'll happily believe either).

Configuration:
Tomcat 6.0 running on Windows Server
The tcnative-1.dll is the latest from the download site 
http://tomcat.apache.org/download-native.cgi

Item #1

In our tomcat server.xml config, we have:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxHttpHeaderSize="8192"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           SSLDisableCompression="true"
           SSLHonorCipherOrder="true"
           SSLProtocol="TLSv1+SSLv3"
           SSLCertificateFile="certificate.crt"
           SSLCertificateKeyFile="certificate.key"
           SSLCertificateChainFile="chain.crt"
           SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL"
           />

The issue here is tomcat is only binding to the IPv4 (0.0.0.0) address, 
and not binding to the IPv6 on the box.  If I add an
address="0.0.0.0"

and then duplicate this connector and replace the address option with:
address="::"

It binds to both IPv4 and IPv6 as expected. However, tomcat will no 
longer stop when you try to stop the windows service. I have to kill the 
process to get it to stop.  If I only have one or the other of the two 
connectors present, it will stop as expected.

Also of note, if I used:
protocol="org.apache.coyote.http11.Http11Protocol"

instead, it would bind to both IPv4 and IPv6 as expected when no address 
option is specified (but that method won't take some of the options we 
want to have set).

Issue #2

We would like to have it use:
   SSLProtocol="TLSv1"
but when you have just that as the option, it will only talk TLS v1.0, 
not TLSv1.1 or TLSv1.2. Looking briefly at the source code, it looks 
like you only have the option to specify a combination of TLSv1, SSLv2 
and SSLv3. If we use the option as specified above (TLSv1+SSLv3), it 
will do all three TLS versions and SSLv3.

Is there a way to get it to do TLS and all three versions of it? Also, 
with SSLv2 not specified, it will still accept that protocol, but in the 
end will fail because no encryption methods for it are enabled. Is there 
a way to have it refuse to talk SSLv2 from the start?

Thanks
James



Re: Tomcat 6 APR SSL Issue

Posted by Christopher Schultz <ch...@christopherschultz.net>.

James,

On 10/14/14 2:16 PM, James Drews wrote:
> Hi, I have a question that may be a bug, or I'm just not doing
> something right (I'll happily believe either).
> 
> Configuration: Tomcat 6.0 running on Windows Server The
> tcnative-1.dll is the latest from the download site 
> http://tomcat.apache.org/download-native.cgi
> 
> Item #1
> 
> In our tomcat server.xml config, we have:
> 
> <Listener
> className="org.apache.catalina.core.AprLifecycleListener" 
> SSLEngine="on" /> <Connector port="443" 
> protocol="org.apache.coyote.http11.Http11AprProtocol" 
> maxHttpHeaderSize="8192" scheme="https" secure="true" 
> SSLEnabled="true" SSLDisableCompression="true" 
> SSLHonorCipherOrder="true" SSLProtocol="TLSv1+SSLv3" 
> SSLCertificateFile="certificate.crt" 
> SSLCertificateKeyFile="certificate.key" 
> SSLCertificateChainFile="chain.crt" 
> SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL"
>
>  />
> 
> The issue here is tomcat is only binding to the IPv4 (0.0.0.0)
> address, and not binding to the IPv6 on the box.  If I add a 
> address="0.0.0.0"
> 
> and then duplicate this connector and replace the address option
> with: address="::"
> 
> It binds to both IPv4 and IPv6 as expected. However, tomcat will
> no longer stop when you try to stop the windows service. I have to
> kill the process to get it to stop.  If I only have one or the
> other of the two connectors present, it will stop as expected.
> 
> Also of note, if I used: 
> protocol="org.apache.coyote.http11.Http11Protocol"
> 
> instead, it would bind to both IPv4 and IPv6 as expected when no
> address option is specified (but that method won't take some of the
> options we want to have set).

Check the archives; I seem to recall some oddities when it comes to
APR's use of network interfaces.

> Issue #2
> 
> We would like to have it use: SSLProtocol="TLSv1" but when you have
> just that as the option, it will only talk TLS v1.0, not TLSv1.1 or
> TLSv1.2. Looking briefly at the source code, it looks like you only
> have the option to specify a combination of TLSv1, SSLv2 and SSLv3.
> If we use the option as specified above (TLSv1+SSLv3), it will do
> all three TLS versions and SSLv3.
> 
> Is there a way to get it to do TLS and all three versions of it?

https://issues.apache.org/bugzilla/show_bug.cgi?id=53952

Unfortunately, TLSv1.1 and TLSv1.2 will not be supported until you
have both tcnative 1.1.32 and a Tomcat version that supports the
changes. There is not yet a patch for Tomcat 6 for this, while patches
have been committed for Tomcat 7 and Tomcat 8.

I'm working on a Tomcat 6 patch.

> Also, with SSLv2 not specified, it will still accept that
> protocol, but in the end will fail because no encryption methods
> for it are enabled. Is there a way to have it refuse to talk SSLv2
> from the start?

Usually, SSLv2Hello is used to allow an SSLv2 connection to be
established. This is generally safe (well, until we all decided that
SSLv3 was rubbish).

Once the above updates are released, you will be able to select the
exact set of protocols you want. You should be able to specify
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" and get all the TLSs and no SSLs.
(Also, the definition for "all" has been updated to be "all TLSs and
no SSLs" so you could use that, too).

- -chris
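As an added example (not code from this thread and not part of the Tomcat project), the following Python script audits the SSL-related Connector attributes discussed in both messages above: it parses a server.xml, splits the APR-style SSLProtocol value into its parts, flags connectors that still enable SSLv2/SSLv3 or a cipher string that does not exclude aNULL/eNULL, notes a connector limited to a bare "TLSv1" (which, per the thread, negotiates only TLS 1.0 on this Tomcat 6/tcnative build), and checks whether an HTTPS port has both a 0.0.0.0 and a :: connector as in James's dual-binding setup. The sample server.xml embedded in the script is constructed from the connector quoted in the thread; the attribute names are the real APR connector attributes used there, while the severity labels and the audit rules themselves are this script's own conventions.

```python
"""Audit the SSL-related Connector settings in a Tomcat server.xml.

Added example, not code from the mailing-list thread or from Tomcat.
It reads the APR connector attributes discussed in the thread
(SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder, SSLDisableCompression,
address) and reports what a defender would want to review.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml quoted in the thread, with the
# IPv4 + IPv6 connector pair James described. The second connector is
# deliberately weaker so the audit has something to report.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="443" address="0.0.0.0"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLDisableCompression="true" SSLHonorCipherOrder="true"
               SSLProtocol="TLSv1+SSLv3"
               SSLCertificateFile="certificate.crt"
               SSLCertificateKeyFile="certificate.key"
               SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH:kEDH:HIGH:-MD5:-RC4:-3DES:-aNULL:-eNULL" />
    <Connector port="443" address="::"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               scheme="https" secure="true" SSLEnabled="true"
               SSLProtocol="TLSv1"
               SSLCipherSuite="HIGH:MEDIUM" />
  </Service>
</Server>
"""


def protocol_tokens(value):
    """Split an APR-style SSLProtocol value such as "TLSv1+SSLv3" into parts."""
    return [t.strip() for t in value.replace(",", "+").split("+") if t.strip()]


def _excluded(suite, name):
    """True when the OpenSSL cipher string removes `name` (-name or !name)."""
    return f"-{name}" in suite or f"!{name}" in suite


def audit_connector(conn):
    """Return a list of (severity, message) findings for one <Connector>."""
    findings = []
    attrs = conn.attrib
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings
    where = f"port {attrs.get('port', '?')} address {attrs.get('address', '(unset)')}"

    protos = protocol_tokens(attrs.get("SSLProtocol", "all"))
    for p in protos:
        if p.upper() in ("SSLV2", "SSLV3"):
            findings.append(("high", f"{where}: SSLProtocol enables {p}"))
    # The thread reports that on this Tomcat 6 / tcnative build a bare "TLSv1"
    # negotiates TLS 1.0 only, so a connector limited to it gets a note.
    if [p.upper() for p in protos] == ["TLSV1"]:
        findings.append(("info", f"{where}: SSLProtocol=TLSv1 yields TLS 1.0 only on this build"))

    suite = attrs.get("SSLCipherSuite", "DEFAULT")
    for weak in ("aNULL", "eNULL"):
        if not _excluded(suite, weak):
            findings.append(("high", f"{where}: SSLCipherSuite does not exclude {weak}"))
    if "MEDIUM" in suite and not _excluded(suite, "MEDIUM"):
        findings.append(("medium", f"{where}: SSLCipherSuite allows MEDIUM strength ciphers"))
    if attrs.get("SSLHonorCipherOrder", "false").lower() != "true":
        findings.append(("medium", f"{where}: SSLHonorCipherOrder is not enabled"))
    if attrs.get("SSLDisableCompression", "false").lower() != "true":
        findings.append(("low", f"{where}: TLS compression not disabled"))
    return findings


def audit_server_xml(xml_text):
    """Audit every SSL connector and report HTTPS ports bound to IPv4 only."""
    root = ET.fromstring(xml_text)
    findings = []
    addresses_by_port = {}
    for conn in root.iter("Connector"):
        findings.extend(audit_connector(conn))
        if conn.get("SSLEnabled", "false").lower() == "true":
            addresses_by_port.setdefault(conn.get("port"), set()).add(conn.get("address", "(unset)"))
    for port, addrs in sorted(addresses_by_port.items(), key=lambda kv: str(kv[0])):
        # Explicit dual binding as in the thread: one 0.0.0.0 and one :: connector.
        if "0.0.0.0" in addrs and "::" not in addrs:
            findings.append(("info", f"port {port}: bound to IPv4 only; no '::' connector"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"[{severity}] {message}")
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file contents; the rules are deliberately conservative (an attribute that is absent is treated as the insecure default), so a clean report means every SSL connector states its protocol, cipher order and compression settings explicitly.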
