Posted to users@tomcat.apache.org by jo...@wellsfargo.com.INVALID on 2023/04/20 14:12:10 UTC

OT: Tomcat and TLS

Hiya,

Just trying to see if I'm thinking straight.

Since TLS 1.2 and 1.3 don't/can't play well with each other (no mixed mode), is it best to have a TLS 1.2 connector and a separate TLS 1.3 connector on a different port, or just go to a TLS 1.3 connector and hope for backward compat?

Wanting to follow best practice. :)

Thank you for your time.

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


RE: OT: Tomcat and TLS

Posted by jo...@wellsfargo.com.INVALID.
Thank you!



> -----Original Message-----
> From: Torsten Krah <kr...@gmail.com>
> Sent: Thursday, April 20, 2023 1:18 PM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: OT: Tomcat and TLS

Re: OT: Tomcat and TLS

Posted by Torsten Krah <kr...@gmail.com>.
Add-on: if you use the native TLS implementation with OpenSSL, you can't
configure the TLS 1.3 ciphers that should be used via the ciphers
attribute; you will get all the ones that are enabled by default for TLS
1.3 in OpenSSL.

Tomcat still does not support configuring them; you can look through the
archives, I made a question / thread about that, last year afaik, maybe
older.


<jo...@wellsfargo.com.invalid> wrote on Thu, 20 Apr 2023, 19:03:


RE: OT: Tomcat and TLS

Posted by jo...@wellsfargo.com.INVALID.
Thank You!!!




> -----Original Message-----
> From: Kevin Huntly <km...@gmail.com>
> Sent: Thursday, April 20, 2023 11:25 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: OT: Tomcat and TLS

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: OT: Tomcat and TLS

Posted by Kevin Huntly <km...@gmail.com>.
This is what I have:

        <Connector executor="tomcatThreadPool" protocol="HTTP/1.1"
                   address="0.0.0.0" port="8443" maxHttpHeaderSize="8192" maxThreads="150"
                   minSpareThreads="25" enableLookups="false" acceptCount="100"
                   connectionTimeout="20000" disableUploadTimeout="true"
                   compression="on" compressionMinSize="2048"
                   noCompressionUserAgents="gozilla, traviata" scheme="https" secure="true"
                   SSLEnabled="true"
                   defaultSSLHostConfigName="appsrv.lan" server="Tomcat"
                   proxyName="esolutions.caspersbox.com" proxyPort="443">
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2,TLSv1.3">
                <Certificate certificateKeystoreFile="/home/appsrv/etc/kdb/tomcat.p12" type="RSA"
                             certificateKeystorePassword="Sj45gvHBgdoJerbptVZV" />
            </SSLHostConfig>
        </Connector>
________________________________________________

Kevin Huntly
Email: kmhuntly@gmail.com
Cell: 716/424-3311
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------


On Thu, Apr 20, 2023 at 12:17 PM <jo...@wellsfargo.com.invalid>
wrote:


RE: OT: Tomcat and TLS

Posted by jo...@wellsfargo.com.INVALID.
Is this actually Kosher?

Open your Tomcat server
Open your server.xml file in tomcat
Add the connector with TLS protocol as below
        <Connector port="8453"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150"
                   maxHttpHeaderSize="16384"
                   compression="on"
                   scheme="https"
                   SSLEnabled="true"
                   secure="true"
                   defaultSSLHostConfigName="test.test">
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig
                hostName="test.test"
                protocols="TLSv1.2"
                ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                         TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,
                         TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                         TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,
                         TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                         TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                         TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
                <Certificate
                    certificateKeystoreFile="<path to certificate keystore (JKS)>"
                    certificateKeystorePassword="${keystore.pass}"
                    certificateKeyPassword="${keystore.pass}"
                    certificateKeyAlias="<ALIAS>"
                    />
            </SSLHostConfig>
        </Connector>

Now, restart your Tomcat.

If so, do we just add the TLS 1.3 ciphers to the list?



> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Thursday, April 20, 2023 10:27 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: OT: Tomcat and TLS


RE: OT: Tomcat and TLS

Posted by jo...@wellsfargo.com.INVALID.
Hi Christopher,

I mean, for an SSL/TLS Connector, since you can't put TLS1.2 and TLS1.3 in the same connector, is it best to create separate connectors for each protocol, OR just go with TLS 1.3?

Thanks,



> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Thursday, April 20, 2023 10:27 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: OT: Tomcat and TLS




Re: OT: Tomcat and TLS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jon,

On 4/20/23 10:12, jonmcalexander@wellsfargo.com.INVALID wrote:
> Since TLS 1.2 and 1.3 don't/can't play well with each other (no mixed
> mode)
What do you mean by this?

> [...] is it best to have a TLS 1.2 connector and a separate TLS 1.3
> connector on a different port, or just go to a TLS 1.3 connector and
> hope for backward compat?
TLSv1.3 uses a TLSv1.2-compatible handshake. The client and server 
should negotiate the highest-supported protocol version shared between 
the two.

-chris

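As an added example (not code from the thread or from the Tomcat project), the checker below reads an SSLHostConfig fragment and reports on the three points the thread makes: Chris's answer that one connector negotiates the highest shared version, Jon's question about appending TLS 1.3 suites to the ciphers list (they are a separate set of names from the TLS 1.2 suites), and Torsten's note that the OpenSSL engine does not take TLS 1.3 suites from that attribute. The XML fragments are constructed (the cipher list is the one Jon posted, keystore paths are placeholders), and the ssl_implementation parameter belongs to this script, not to Tomcat.

```python
"""Checker for the TLS 1.2 / TLS 1.3 questions in this thread (added example;
not from the thread or the Tomcat project). Fragments below are constructed."""
import xml.etree.ElementTree as ET

# The five cipher suites defined for TLS 1.3 (RFC 8446). They are a separate
# set: a ciphers list holding only TLS 1.2 names (TLS_ECDHE_RSA_WITH_...)
# configures nothing for TLS 1.3.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Constructed: Jon's connector (TLS 1.2 only, his explicit TLS 1.2 suites).
JON_FRAGMENT = """
<Connector port="8453" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig hostName="test.test" protocols="TLSv1.2"
        ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,
                 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,
                 TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
        <Certificate certificateKeystoreFile="/placeholder/keystore.p12"
                     certificateKeystorePassword="${keystore.pass}" />
    </SSLHostConfig>
</Connector>
"""

# Constructed: Kevin's host config, both versions in one connector, no ciphers.
KEVIN_FRAGMENT = """
<SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="/placeholder/tomcat.p12" type="RSA" />
</SSLHostConfig>
"""

# Constructed: both versions, with TLS 1.3 suite names appended to the list.
MERGED_FRAGMENT = """
<SSLHostConfig hostName="test.test" protocols="TLSv1.2,TLSv1.3"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256" />
"""


def split_list(value):
    """Split a comma-separated attribute, tolerating the newlines and
    indentation that appear when the list is wrapped inside server.xml."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_ssl_host_config(fragment):
    """Return hostName, protocols and ciphers of the first <SSLHostConfig>
    in a fragment (the element itself or an enclosing <Connector>)."""
    root = ET.fromstring(fragment)
    element = root if root.tag == "SSLHostConfig" else root.find(".//SSLHostConfig")
    if element is None:
        raise ValueError("no <SSLHostConfig> element found")
    return {
        "hostName": element.get("hostName", "_default_"),
        "protocols": split_list(element.get("protocols", "")),
        "ciphers": split_list(element.get("ciphers", "")),
    }


def classify_ciphers(ciphers):
    """Split a ciphers list into (TLS 1.2-and-older names, TLS 1.3 names)."""
    tls13 = [c for c in ciphers if c in TLS13_SUITES]
    tls12 = [c for c in ciphers if c not in TLS13_SUITES]
    return tls12, tls13


def check_config(cfg, ssl_implementation="jsse"):
    """Findings for one SSLHostConfig. ssl_implementation is this script's
    own switch: "jsse" or "openssl" (the native engine Torsten describes)."""
    findings = []
    protocols = cfg["protocols"]
    _, tls13 = classify_ciphers(cfg["ciphers"])
    # Chris's point: one connector negotiates the highest shared version,
    # so a separate TLS 1.3 connector on another port is unnecessary.
    if "TLSv1.2" in protocols and "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 not enabled: list both versions in one "
                        "SSLHostConfig (protocols=\"TLSv1.2,TLSv1.3\") "
                        "instead of adding a second connector")
    # TLS 1.3 suites are a separate set; TLS 1.2 names never apply to 1.3.
    if "TLSv1.3" in protocols and cfg["ciphers"] and not tls13:
        findings.append("TLSv1.3 enabled but ciphers lists no TLS 1.3 suite: "
                        "the TLS 1.2 names do not carry over, so check which "
                        "TLS 1.3 suites the engine enables")
    # Torsten's point: the OpenSSL engine does not take TLS 1.3 suites from
    # the ciphers attribute; OpenSSL's TLS 1.3 defaults apply.
    if tls13 and ssl_implementation == "openssl":
        findings.append("TLS 1.3 suites in ciphers are ignored by the OpenSSL "
                        "engine (OpenSSL defaults apply): " + ", ".join(tls13))
    return findings


if __name__ == "__main__":
    for name, frag in [("jon", JON_FRAGMENT), ("kevin", KEVIN_FRAGMENT),
                       ("merged", MERGED_FRAGMENT)]:
        cfg = parse_ssl_host_config(frag)
        print(name, cfg["hostName"], cfg["protocols"], check_config(cfg, "openssl"))
```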