Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2015/02/17 22:34:41 UTC

Re-enabling SSLv3


All,

There have been some questions lately about how to re-enable SSLv3 on
Tomcat and I just went through the trouble of trying to get it to work
in my own environment for some protocol testing.

While there were a few bugs fixed over the past few months in Tomcat
vis-a-vis configuring which protocols should be enabled, etc., those
appear to be completely fixed.

But, when I first tried, I could not get Tomcat to use SSLv3. I tried
a few silly changes to configuration and nothing helped. It seems
Tomcat isn't the problem.

It turns out that Oracle has disabled SSLv3 in both Java 7 (in 7u75)
and Java 8 (in 8u31), and you have to do some work to re-enable it.

Java 7 release notes containing an explanation:
http://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html

Java 8 release notes containing an explanation:
http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html

The tl;dr is that if you create a java.security.properties file, you
can override the system configuration of this setting. First, create a
file that contains only the following:

=== CUT ===
# Empty value: this overrides the JDK default (jdk.tls.disabledAlgorithms=SSLv3)
# with an empty list, so nothing is disabled and SSLv3 becomes available again.
jdk.tls.disabledAlgorithms=
=== CUT ===

Now, add this to your CATALINA_OPTS (or other JVM invocation):

  -Djava.security.properties=/path/to/above/file

Now, you'll be able to use SSLv3 again. But, of course, you shouldn't
be using it, so why would you?

Also remember that the disabling of SSLv3 is for both server and
client sockets, so if you want to connect to a server using SSLv3,
you'll need to use the same trick to allow the /client/ to use SSLv3
as well as the server.

This is the part that confused me, because, since I was using a Java
client, my observations were that neither the JSSE-based nor the
OpenSSL-based connectors would "work" with SSLv3. The problem of
course was the client. Once I got that sorted, I was able to connect
to both.

To drive home the point: SSLv3 works without any of the foolishness
above if you are using the APR connector, because OpenSSL hasn't
disabled SSLv3 in general. Your OpenSSL provider (Linux distribution,
etc.) may determine that SSLv3 should be disabled, but that's another
matter.

Hope that helps,
- -chris
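As an added check (not from Chris's post or from the Tomcat project), this small Java program reports what the running JVM will actually negotiate on the client side and on the server side, plus the security property that drives both; the class name is my own and the property path is the placeholder used above.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

/*
 * Run once plainly and once with
 *   java -Djava.security.properties=/path/to/above/file ProtocolCheck
 * to see the effect of the override, or to confirm that "SSLv3" is absent
 * from both enabled lists on a JVM that has not been weakened.
 */
public class ProtocolCheck {

    // True when the protocol is in the JVM's default enabled protocol list.
    static boolean isEnabled(String protocol) throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
        return Arrays.asList(enabled).contains(protocol);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // The value that java.security (or the override file) actually produced.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // What the provider could do versus what it will do by default.
        System.out.println("supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // The disabling applies to both socket directions, so check both:
        // an unconnected client socket and an unbound server socket.
        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory().createSocket();
             SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            System.out.println("client enabled: " + Arrays.toString(client.getEnabledProtocols()));
            System.out.println("server enabled: " + Arrays.toString(server.getEnabledProtocols()));
        }

        System.out.println("SSLv3 enabled by default: " + isEnabled("SSLv3"));
    }
}
```

If "SSLv3" shows up in either enabled list on a production JVM, the override file (or an old JDK) is still in play and should be removed.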

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Re-enabling SSLv3

Posted by Rainer Jung <ra...@kippdata.de>.
Am 18.02.2015 um 10:11 schrieb Mark Thomas:
> On 18/02/2015 09:04, André Warnier wrote:
>
> <snip/>
>
>> Also, while we are at it : this whole SSL area is - I believe -
>> hopelessly confusing for anyone (aka me) who does not spend a
>> considerable amount of time dealing with that kind of setup.
>> Do you know of any reasonably short and concise introductory article on
>> the www ? Something which really explains the basics (and the why's) of
>> what you need to set up a HTTPS webserver, be it Tomcat or something else ?
>> I believe that some kind of "wrap-up" article in the FAQ would really
>> help, and you seem to be our resident expert here.
>
> Maybe this?
>
> https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
>
> You can download a PDF of the first chapter that explains a lot of the
> basics for free.

I'm in the middle of reading the whole book and it is really a good 
read. But there's quite a lot of terminology to get used to for 
beginners, so probably not easy to write a short but useful SSL primer 
in the Tomcat wiki.

Rainer






Re: Re-enabling SSLv3

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 2/18/15 6:06 AM, André Warnier wrote:
> Mark Thomas wrote:
>> On 18/02/2015 09:11, Mark Thomas wrote:
>>> On 18/02/2015 09:04, André Warnier wrote:
>>> 
>>> <snip/>
>>> 
>>>> Also, while we are at it : this whole SSL area is - I believe
>>>> - hopelessly confusing for anyone (aka me) who does not spend
>>>> a considerable amount of time dealing with that kind of
>>>> setup. Do you know of any reasonably short and concise
>>>> introductory article on the www ? Something which really
>>>> explains the basics (and the why's) of what you need to set
>>>> up a HTTPS webserver, be it Tomcat or something else ? I
>>>> believe that some kind of "wrap-up" article in the FAQ would
>>>> really help, and you seem to be our resident expert here.
>>> Maybe this?
>>> 
>>> https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
>>> 
>>> You can download a PDF of the first chapter that explains a lot
>>> of the basics for free.
>> 
>> I forgot this: 
>> http://people.apache.org/~markt/presentations/2014-04-09-Tomcat-SSL.pdf
>
> I quickly went through these two documents, and they are really a
> good base. But I believe that a useful addition/summary to those,
> would be to use the basic series of steps as given in 
> [http://marc.info/?l=tomcat-user&m=106692394104667&w=2] (possibly
> with corrections), and make a table like : (hoping this does not
> get terminally garbled by wrapping)

I'm not sure it makes a whole lot of sense for Tomcat to babysit yet
another guide to SSL/TLS. I think anything longer than maybe a tl;dr
paragraph with references to other documentation is a waste of time
for the community, since these things are much-better documented
elsewhere, and maintaining our own description with caveats, etc. will
be exhausting.

> Step   short description           Used item/attribute
>                                    with Java Connector          with APR Connector
> 
> 1      browser sends hello        client: list of algorithms   client: list of algorithms
>                                    attribute: ???               attribute: ???
>                                    file: ???                    file: ???
> 
> 2      server sends               server: certificate          server: certificate
>         certificate and            attributes:                  attributes:
>         nonce                       - keystoreType ?             - SSLCertificateFile ?
>                                     - keystoreFile ?             - SSLCertificateKeyFile ?
>                                    file: xxx.p12  (1)            file: xxx-cert.pem (2)
> 
> etc...
> 
> (1) when/how does this get generated ?
> (2) when/how does this get generated ?
> 
> 
> 
> see what I mean ?
> 
> I'd offer to create that table, but I am such a nincompoop
> regarding SSL/TLS, that I cannot even tell if the list of steps is
> correct or not.

Why don't you take a stab at it... you'll learn a lot by creating it
and asking lots of questions to fill in your details.

- -chris



Re: Re-enabling SSLv3

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 18/02/2015 09:11, Mark Thomas wrote:
>> On 18/02/2015 09:04, André Warnier wrote:
>>
>> <snip/>
>>
>>> Also, while we are at it : this whole SSL area is - I believe -
>>> hopelessly confusing for anyone (aka me) who does not spend a
>>> considerable amount of time dealing with that kind of setup.
>>> Do you know of any reasonably short and concise introductory article on
>>> the www ? Something which really explains the basics (and the why's) of
>>> what you need to set up a HTTPS webserver, be it Tomcat or something else ?
>>> I believe that some kind of "wrap-up" article in the FAQ would really
>>> help, and you seem to be our resident expert here.
>> Maybe this?
>>
>> https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
>>
>> You can download a PDF of the first chapter that explains a lot of the
>> basics for free.
> 
> I forgot this:
> http://people.apache.org/~markt/presentations/2014-04-09-Tomcat-SSL.pdf
> 

I quickly went through these two documents, and they are really a good base.
But I believe that a useful addition/summary to those, would be to use the basic series of 
steps as given in [http://marc.info/?l=tomcat-user&m=106692394104667&w=2] (possibly with 
corrections), and make a table like :
(hoping this does not get terminally garbled by wrapping)

Step   short description                     Used item/attribute
                                   with Java Connector            with APR Connector

1      browser sends hello        client: list of algorithms   client: list of algorithms
                                   attribute: ???               attribute: ???
                                   file: ???                    file: ???

2      server sends               server: certificate          server: certificate
        certificate and            attributes:                  attributes:
        nonce                       - keystoreType ?             - SSLCertificateFile ?
                                    - keystoreFile ?             - SSLCertificateKeyFile ?
                                   file: xxx.p12  (1)            file: xxx-cert.pem (2)

etc...

(1) when/how does this get generated ?
(2) when/how does this get generated ?



see what I mean ?

I'd offer to create that table, but I am such a nincompoop regarding SSL/TLS, that I 
cannot even tell if the list of steps is correct or not.




Re: Re-enabling SSLv3

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2015 09:11, Mark Thomas wrote:
> On 18/02/2015 09:04, André Warnier wrote:
> 
> <snip/>
> 
>> Also, while we are at it : this whole SSL area is - I believe -
>> hopelessly confusing for anyone (aka me) who does not spend a
>> considerable amount of time dealing with that kind of setup.
>> Do you know of any reasonably short and concise introductory article on
>> the www ? Something which really explains the basics (and the why's) of
>> what you need to set up a HTTPS webserver, be it Tomcat or something else ?
>> I believe that some kind of "wrap-up" article in the FAQ would really
>> help, and you seem to be our resident expert here.
> 
> Maybe this?
> 
> https://www.feistyduck.com/books/bulletproof-ssl-and-tls/
> 
> You can download a PDF of the first chapter that explains a lot of the
> basics for free.

I forgot this:
http://people.apache.org/~markt/presentations/2014-04-09-Tomcat-SSL.pdf

Mark



Re: Re-enabling SSLv3

Posted by Mark Thomas <ma...@apache.org>.
On 18/02/2015 09:04, André Warnier wrote:

<snip/>

> Also, while we are at it : this whole SSL area is - I believe -
> hopelessly confusing for anyone (aka me) who does not spend a
> considerable amount of time dealing with that kind of setup.
> Do you know of any reasonably short and concise introductory article on
> the www ? Something which really explains the basics (and the why's) of
> what you need to set up a HTTPS webserver, be it Tomcat or something else ?
> I believe that some kind of "wrap-up" article in the FAQ would really
> help, and you seem to be our resident expert here.

Maybe this?

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

You can download a PDF of the first chapter that explains a lot of the
basics for free.

Mark




Re: Re-enabling SSLv3

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> 
> All,
> 
> There have been some questions lately about how to re-enable SSLv3 on
> Tomcat and I just went through the trouble of trying to get it to work
> in my own environment for some protocol testing.
> 
> While there were a few bugs fixed over the past few months in Tomcat
> vis-a-vis configuring which protocols should be enabled, etc., those
> appear to be completely fixed.
> 
> But, when I first tried, I could not get Tomcat to use SSLv3. I tried
> a few silly changes to configuration and nothing helped. It seems
> Tomcat isn't the problem.
> 
> It turns out that Oracle has disabled SSLv3 in both Java 7 (in 7u75)
> and Java 8 (in 8u31), and you have to do some work to re-enable it.
> 
> Java 7 release notes containing an explanation:
> http://www.oracle.com/technetwork/java/javase/7u76-relnotes-2389087.html
> 
> Java 8 release notes containing an explanation:
> http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html
> 
> The tl;dr is that if you create a java.security.properties file, you
> can override the system configuration of this setting. First, create a
> file that contains only the following:
> 
> === CUT ===
> # Empty value: this overrides the JDK default (jdk.tls.disabledAlgorithms=SSLv3)
> # with an empty list, so nothing is disabled and SSLv3 becomes available again.
> jdk.tls.disabledAlgorithms=
> === CUT ===
> 
> Now, add this to your CATALINA_OPTS (or other JVM invocation):
> 
>   -Djava.security.properties=/path/to/above/file
> 
> Now, you'll be able to use SSLv3 again. But, of course, you shouldn't
> be using it, so why would you?
> 
> Also remember that the disabling of SSLv3 is for both server and
> client sockets, so if you want to connect to a server using SSLv3,
> you'll need to use the same trick to allow the /client/ to use SSLv3
> as well as the server.
> 
> This is the part that confused me, because, since I was using a Java
> client, my observations were that neither the JSSE-based nor the
> OpenSSL-based connectors would "work" with SSLv3. The problem of
> course was the client. Once I got that sorted, I was able to connect
> to both.
> 
> To drive home the point: SSLv3 works without any of the foolishness
> above if you are using the APR connector, because OpenSSL hasn't
> disabled SSLv3 in general. Your OpenSSL provider (Linux distribution,
> etc.) may determine that SSLv3 should be disabled, but that's another
> matter.
> 
> Hope that helps,
> - -chris

I think that it will help a lot, particularly in terms of reducing the list traffic 
related to SSL issues.
Could you make this into a FAQ article ? (or an additional note to an existing FAQ)

Also, while we are at it : this whole SSL area is - I believe - hopelessly confusing for 
anyone (aka me) who does not spend a considerable amount of time dealing with that kind of 
setup.
Do you know of any reasonably short and concise introductory article on the www ? 
Something which really explains the basics (and the why's) of what you need to set up a 
HTTPS webserver, be it Tomcat or something else ?
I believe that some kind of "wrap-up" article in the FAQ would really help, and you seem 
to be our resident expert here.

This (mentioned in Tomcat Wiki, "How To" section, SSL) is a start, but maybe a little more 
"fleshed-out" would be good : http://marc.info/?l=tomcat-user&m=106692394104667&w=2

When I look at what's there now (for example here : 
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support), there is a whole 
bunch of information, but it constantly refers to other documents for more information, to 
the point where it is not possible to even form some kind of global picture in one's mind.
Maybe that is inherent to SSL in general, but I'd just like to get a picture of how all 
these TLS, ciphers, protocols, keys, trust stores etc etc all somehow fit together..
Like for example using the marc.info article above as a starting point, at which "step" 
does a "protocol" or a "cipher" or a "trust-store" play a role.

