Posted to users@tomcat.apache.org by Utkarsh Dave <ut...@gmail.com> on 2014/10/30 17:38:43 UTC

Unable to disable SSL in Tomcat 6 !

Hello all,

To avoid the POODLE vulnerability we are trying to disable SSLv3 and all its
versions through the configuration below.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocols = "TLSv1" />


Can you please tell me if we are missing anything and how we can make this
thing work?

Thanks in advance

-Utkarsh

Re: Unable to disable SSL in Tomcat 6 !

Posted by Hassan Schroeder <ha...@gmail.com>.
On Sun, Nov 2, 2014 at 10:09 AM, Utkarsh Dave <ut...@gmail.com> wrote:

> Is there any other way to disable SSL in Tomcat 6?

How many ways do you need? The process described in this thread
works as indicated with 6.0.37.

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
http://about.me/hassanschroeder
twitter: @hassan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Unable to disable SSL in Tomcat 6 !

Posted by Utkarsh Dave <ut...@gmail.com>.
Hi Chris,

Yes. openssl s_client succeeds (displays no exception) when I have
sslProtocols="TLSv1" set.
The latest releases of our project use Tomcat 7, but to support older
releases we may not upgrade from Tomcat 6 to 7.
Is there any other way to disable SSL in Tomcat 6?

-Utkarsh

On Sun, Nov 2, 2014 at 4:47 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Utkarsh,
>
> On 11/1/14 3:33 PM, Utkarsh Dave wrote:
> > Thanks for the response. I am testing using the steps below.
> >
> > From another machine I am running this command:
> >
> > openssl s_client -ssl3 -msg -connect <HOST>:<PORT>
> >
> >
> > HOST is the server IP (the server where SSL actually needs to
> > be disabled and server.xml is modified with sslProtocols="TLSv1")
> >
> > PORT is 8443 (tomcat)
> >
> >
> > If the above command fails, it means SSL is
> > disabled.
>
> Good.
>
> > How can I know if my JVM recognizes the particular protocol
> > string?
>
> Well, if you use "TLSv1" and Tomcat doesn't emit an error message,
> then you should be good.
>
> So... does openssl s_client succeed when you have sslProtocols="TLSv1"
> set?
>
> You should really upgrade to a more recent version of Tomcat 6.0.x, or
> maybe even Tomcat 7.x or 8.x.
>
> -chris

Re: Unable to disable SSL in Tomcat 6 !

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Utkarsh,

On 11/1/14 3:33 PM, Utkarsh Dave wrote:
> Thanks for the response. I am testing using the steps below.
> 
> From another machine I am running this command:
> 
> openssl s_client -ssl3 -msg -connect <HOST>:<PORT>
> 
> 
> HOST is the server IP (the server where SSL actually needs to
> be disabled and server.xml is modified with sslProtocols="TLSv1")
> 
> PORT is 8443 (tomcat)
> 
> 
> If the above command fails, it means SSL is
> disabled.

Good.

> How can I know if my JVM recognizes the particular protocol
> string?

Well, if you use "TLSv1" and Tomcat doesn't emit an error message,
then you should be good.

So... does openssl s_client succeed when you have sslProtocols="TLSv1"
set?

You should really upgrade to a more recent version of Tomcat 6.0.x, or
maybe even Tomcat 7.x or 8.x.

-chris


Re: Unable to disable SSL in Tomcat 6 !

Posted by Utkarsh Dave <ut...@gmail.com>.
Hi Chris,

Thanks for the response. I am testing using the steps below.

From another machine I am running this command:

openssl s_client -ssl3 -msg -connect <HOST>:<PORT>

HOST is the server IP (the server where SSL actually needs to be
disabled and server.xml is modified with sslProtocols="TLSv1")

PORT is 8443 (tomcat)

If the above command fails, it means SSL is disabled.

How can I know if my JVM recognizes the particular protocol string?

-Thanks
Utkarsh

On Sat, Nov 1, 2014 at 12:52 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Utkarsh,
>
> On 10/31/14 11:52 AM, Utkarsh Dave wrote:
> > Nothing helped much. Please let me know how I can disable SSL in
> > Tomcat 6.0.37.
> >
> > I tried the configuration below in server.xml on Tomcat 6.0.37:
> >
> > <Connector port="8443"
> > protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> > SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> > sslProtocols = "TLSv1" />
> >
> > The same with sslEnabledProtocols instead of sslProtocols worked
> > for Tomcat 7. I am also following the solution at
> > https://access.redhat.com/solutions/1232233
>
> The configuration attributes "protocols", "sslProtocols", and
> "sslEnabledProtocols" are all equivalent in Tomcat 6.0.38 and later.
> Before Tomcat 6.0.38, "protocols" and "sslProtocols" are equivalent.
>
> So it shouldn't really matter which one you use. But since you are
> using 6.0.37, you definitely can't use "sslEnabledProtocols".
>
> So... what's the problem? With the above configuration, what protocols
> end up being enabled? How are you performing your testing?
>
> You are using the Java BIO connector so it's using JSSE for crypto.
> Those settings you have should work. The default for "sslProtocol" is
> "TLS" which should get you pretty much everything, and restricting
> sslProtocols to "TLSv1" should get you only TLSv1, as long as your JVM
> recognizes that particular protocol string.
>
> -chris

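The thread's check offers only SSLv3 to the server (`openssl s_client -ssl3`), which tells you that one protocol is off but nothing about the others, and newer OpenSSL builds no longer accept `-ssl3` at all. The following probe is an added example, not code from the thread or from the Tomcat project: it offers each protocol version on its own and reports whatever the server accepts outside the set you intended to allow. Host, port and the allowed set are the caller's inputs; the sample results in the usage note are constructed, not taken from anyone's server.

```python
"""Added example, not code from the thread: verify over the network which
protocol versions a server actually negotiates after server.xml was changed.

Each candidate version is offered on its own; any version the server
accepts outside the set you intended to allow is reported."""
import socket
import ssl

# Candidate versions, oldest first. Whether the local OpenSSL can even
# offer SSLv3 (or TLSv1/TLSv1.1) depends on how it was built; the probe
# reports that case separately instead of treating it as "rejected".
CANDIDATES = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def probe_version(host, port, name, timeout=5.0):
    """Offer exactly one protocol version (name as in ssl.TLSVersion).

    Returns 'accepted', 'rejected', 'client_unsupported' (the local
    OpenSSL cannot speak that version) or 'error' (no TLS answer at all,
    e.g. connection refused)."""
    version = ssl.TLSVersion[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test negotiation, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 refuses legacy versions at its default security level;
        # lowering it here affects only this probe's own context.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return "client_unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"  # handshake failed: the server refused that version
    except OSError:
        return "error"


def unexpected_versions(results, allowed):
    """Names of versions the server accepted that are not in `allowed`,
    oldest first. An empty list means the restriction took effect."""
    return [n for n in CANDIDATES if results.get(n) == "accepted" and n not in allowed]


def probe_server(host, port, allowed=("TLSv1",), timeout=5.0):
    """Probe every candidate version and return (results, unexpected)."""
    results = {n: probe_version(host, port, n, timeout) for n in CANDIDATES}
    return results, unexpected_versions(results, set(allowed))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <your-tomcat-host> 8443
    host, port = sys.argv[1], int(sys.argv[2])
    results, unexpected = probe_server(host, port)
    for name in CANDIDATES:
        print(f"{name:8s} {results[name]}")
    print("unexpected:", unexpected or "none")
```

Run it from another machine against the connector you changed, as in the thread's own test. With `allowed=("TLSv1",)`, a result like `{"SSLv3": "accepted", "TLSv1": "accepted"}` (a constructed example) yields `unexpected == ["SSLv3"]`, meaning the `sslProtocols` restriction did not take effect; `client_unsupported` for SSLv3 means your local OpenSSL cannot speak it, so that verdict has to come from an older build or another tool.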
Re: Unable to disable SSL in Tomcat 6 !

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Utkarsh,

On 10/31/14 11:52 AM, Utkarsh Dave wrote:
> Nothing helped much. Please let me know how I can disable SSL in
> Tomcat 6.0.37.
> 
> I tried the configuration below in server.xml on Tomcat 6.0.37:
> 
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> sslProtocols = "TLSv1" />
> 
> The same with sslEnabledProtocols instead of sslProtocols worked
> for Tomcat 7. I am also following the solution at
> https://access.redhat.com/solutions/1232233

The configuration attributes "protocols", "sslProtocols", and
"sslEnabledProtocols" are all equivalent in Tomcat 6.0.38 and later.
Before Tomcat 6.0.38, "protocols" and "sslProtocols" are equivalent.

So it shouldn't really matter which one you use. But since you are
using 6.0.37, you definitely can't use "sslEnabledProtocols".

So... what's the problem? With the above configuration, what protocols
end up being enabled? How are you performing your testing?

You are using the Java BIO connector so it's using JSSE for crypto.
Those settings you have should work. The default for "sslProtocol" is
"TLS" which should get you pretty much everything, and restricting
sslProtocols to "TLSv1" should get you only TLSv1, as long as your JVM
recognizes that particular protocol string.

-chris


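The pitfall Chris describes above is that the attribute name decides whether the restriction is read at all: "protocols" and "sslProtocols" are equivalent on every 6.0.x release, while "sslEnabledProtocols" is only recognised from 6.0.38 on, and an attribute the running version does not know is silently ignored, leaving the JSSE default (`sslProtocol="TLS"`, which on the JVMs of that time still enabled SSLv3). The audit below is an added example, not code from the thread or from Tomcat: it parses a server.xml, and for each SSL-enabled Connector reports which protocol attribute is actually in effect for a given Tomcat 6.0.x version and what that leaves enabled. The sample server.xml is constructed for the example; the version boundary it encodes is the one Chris states.

```python
"""Added example, not code from the thread: statically audit a Tomcat 6
server.xml for SSL connectors whose protocol restriction will not take
effect on the version actually running.

Encodes what the thread states for the JSSE (BIO) connector: "protocols"
and "sslProtocols" are equivalent on all 6.0.x releases, while
"sslEnabledProtocols" is only read from 6.0.38 on. An attribute the
running version does not read is ignored, and the JSSE default applies."""
import xml.etree.ElementTree as ET

PROTOCOL_ATTRS = ("protocols", "sslProtocols", "sslEnabledProtocols")
SSL_ENABLED_PROTOCOLS_SINCE = (6, 0, 38)


def parse_version(version):
    """'6.0.37' -> (6, 0, 37); comparisons happen on the tuple."""
    return tuple(int(p) for p in version.split("."))


def honoured_attrs(tomcat_version):
    """Which of PROTOCOL_ATTRS this Tomcat 6.0.x version actually reads."""
    if parse_version(tomcat_version) >= SSL_ENABLED_PROTOCOLS_SINCE:
        return PROTOCOL_ATTRS
    return PROTOCOL_ATTRS[:2]


def audit_connectors(server_xml, tomcat_version):
    """Return one finding per SSLEnabled="true" Connector.

    status is one of:
      RESTRICTED  - a recognised attribute is present and names no SSL* protocol
      SSL_ENABLED - a recognised attribute explicitly lists an SSL* protocol
      DEFAULT     - no recognised attribute, so the JSSE default ("TLS") applies
    'ignored' lists protocol attributes present in the XML that this
    version does not read (the sslEnabledProtocols-on-6.0.37 case)."""
    honoured = honoured_attrs(tomcat_version)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: nothing to audit
        present = {k: v for k, v in conn.attrib.items() if k in PROTOCOL_ATTRS}
        effective = {k: v for k, v in present.items() if k in honoured}
        # The attribute values are comma-separated protocol names.
        enabled = sorted({p.strip() for v in effective.values()
                          for p in v.split(",") if p.strip()})
        if not effective:
            status = "DEFAULT"
        elif any(p.upper().startswith("SSL") for p in enabled):
            status = "SSL_ENABLED"
        else:
            status = "RESTRICTED"
        findings.append({
            "port": conn.get("port"),
            "status": status,
            "enabled": enabled,
            "ignored": sorted(set(present) - set(effective)),
        })
    return findings


# Constructed sample server.xml (not from the thread): three SSL connectors
# in different states and one plain HTTP connector the audit must skip.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocols = "TLSv1" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>"""


if __name__ == "__main__":
    for version in ("6.0.37", "6.0.38"):
        print(f"Tomcat {version}")
        for f in audit_connectors(SAMPLE_SERVER_XML, version):
            print(f"  port {f['port']}: {f['status']} "
                  f"enabled={f['enabled']} ignored={f['ignored']}")
```

Against the sample, port 8443 comes out RESTRICTED on both versions, port 8445 is DEFAULT on both (no restriction at all), and port 8444 is the interesting one: DEFAULT with `ignored == ["sslEnabledProtocols"]` on 6.0.37 and RESTRICTED on 6.0.38. The audit only tells you what the configuration asks for; whether the JVM recognises the protocol string, as Chris notes, still has to be confirmed by connecting to the server.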
Re: Unable to disable SSL in Tomcat 6 !

Posted by Utkarsh Dave <ut...@gmail.com>.
Nothing helped much. Please let me know how I can disable SSL in Tomcat
6.0.37.

I tried the configuration below in server.xml on Tomcat 6.0.37:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocols = "TLSv1" />

The same with sslEnabledProtocols instead of sslProtocols worked for
Tomcat 7. I am also following the solution at
https://access.redhat.com/solutions/1232233

-Regards

Utkarsh



On Thu, Oct 30, 2014 at 10:30 PM, Mark Thomas <ma...@apache.org> wrote:

> On 30/10/2014 16:38, Utkarsh Dave wrote:
> > Hello all,
> >
> > To avoid the POODLE vulnerability we are trying to disable SSLv3 and all its
> > versions through the configuration below.
> >
> > <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
> >                maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true"
> >                clientAuth="false" sslProtocols = "TLSv1" />
> >
> >
> > Can you please tell me if we are missing anything and how we can make
> this
> > thing work?
>
> http://wiki.apache.org/tomcat/Security/POODLE
>
> Mark
>
>

Re: Unable to disable SSL in Tomcat 6 !

Posted by Mark Thomas <ma...@apache.org>.
On 30/10/2014 16:38, Utkarsh Dave wrote:
> Hello all,
> 
> To avoid the POODLE vulnerability we are trying to disable SSLv3 and all its
> versions through the configuration below.
> 
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>                clientAuth="false" sslProtocols = "TLSv1" />
> 
> 
> Can you please tell me if we are missing anything and how we can make this
> thing work?

http://wiki.apache.org/tomcat/Security/POODLE

Mark

