Posted to dev@tomcat.apache.org by jean-frederic clere <jf...@gmail.com> on 2021/07/09 10:08:14 UTC

https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Hi,

I think we need the same fix in Tomcat, or did I miss something?

If we need it I will work on it next week ;-)

-- 
Cheers

Jean-Frederic


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by jean-frederic clere <jf...@gmail.com>.
On 13/07/2021 11:03, jean-frederic clere wrote:
> On 09/07/2021 18:40, Rainer Jung wrote:
>> Hi Jean-Frederic,
>>
>> how do you make sure that your tests actually land in the correct 
>> SSLHost? You are using the same server certificate, so a check on the 
>> client side might not be easy. I would find a test more convincing if 
>> the three TLS hosts used three different certificates and you could 
>> check on the TLS client that it actually gets the right server 
>> certificate.
> 
> Yes, I have retested with 3 different certificates:
> localhost gets the localhost certificate and the TLSv1.1 protocol
> server1 gets the server1 certificate but the TLSv1.1 protocol
> server2 gets the server2 certificate but the TLSv1.1 protocol...
> 
> Using nio/nio2, the protocol is the expected one.

https://github.com/apache/tomcat-native/pull/10 is the fix for it.

> 
>>
>> Best regards,
>>
>> Rainer
>>
>> Am 09.07.2021 um 15:33 schrieb jean-frederic clere:
>>> On 09/07/2021 15:15, Christopher Schultz wrote:
>>>> Jean-Frederic,
>>>>
>>>> On 7/9/21 07:55, jean-frederic clere wrote:
>>>>> On 09/07/2021 12:38, Mark Thomas wrote:
>>>>>> On 09/07/2021 11:08, jean-frederic clere wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I think we need the same fix in Tomcat, or did I miss something?
>>>>>>>
>>>>>>> If we need it I will work on it next week ;-)
>>>>>>
>>>>>> To clarify, you mean checking Tomcat can (and implementing if it 
>>>>>> can't) the ability to configure supported SSL protocols per 
>>>>>> virtual host.
>>>>>
>>>>> Yes.
>>>>>
>>>>>>
>>>>>> We should have most of this in SSLHostConfig but I don't recall 
>>>>>> ever testing this behaviour specifically.
>>>>>>
>>>>>> Just as a reminder, both <Host .../> elements and <SSLHostConfig 
>>>>>> .../> are likely to be required as they are configured separately.
>>>>>
>>>>> Quick test and code review seem to show it is not working (I 
>>>>> tested the apr connector and 9.0.x).
>>>>
>>>> Can you post a sample config?
>>>>
>>>> I assume you mean:
>>>>
>>>> 1. Define two <Host>, configure for TLS
>>>>    a. One attempting to use e.g. only TLSv1
>>>>    b. One attempting to use e.g. only TLSv1.2
>>>>
>>>> 2. Run a protocol-checker against both hosts
>>>>
>>>> Result is that host (a) supports not-only TLSv1 and/or host (b) 
>>>> supports not-only TLSv1.2?
>>>
>>> Yes, that is what I am testing; actually Nio and Nio2 are working, Apr 
>>> isn't...
>>>
>>> The configuration is something like:
>>> +++
>>>     <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>                port="8443" maxThreads="200"
>>>                scheme="https" secure="true" SSLEnabled="true">
>>>         <SSLHostConfig protocols="TLSv1.1">
>>>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>>>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>>>         </SSLHostConfig>
>>>         <SSLHostConfig hostName="server1" protocols="TLSv1.2">
>>>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>>>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>>>         </SSLHostConfig>
>>>         <SSLHostConfig hostName="server2" protocols="TLSv1.3">
>>>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>>>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>>>         </SSLHostConfig>
>>>     </Connector>
>>> +++
>>> and I have the 3 corresponding <Host/>
> 
> 


-- 
Cheers

Jean-Frederic




Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by jean-frederic clere <jf...@gmail.com>.
On 09/07/2021 18:40, Rainer Jung wrote:
> Hi Jean-Frederic,
> 
> how do you make sure that your tests actually land in the correct 
> SSLHost? You are using the same server certificate, so a check on the 
> client side might not be easy. I would find a test more convincing if 
> the three TLS hosts used three different certificates and you could 
> check on the TLS client that it actually gets the right server 
> certificate.

Yes, I have retested with 3 different certificates:
localhost gets the localhost certificate and the TLSv1.1 protocol
server1 gets the server1 certificate but the TLSv1.1 protocol
server2 gets the server2 certificate but the TLSv1.1 protocol...

Using nio/nio2, the protocol is the expected one.

> 
> Best regards,
> 
> Rainer
> 
> Am 09.07.2021 um 15:33 schrieb jean-frederic clere:
>> On 09/07/2021 15:15, Christopher Schultz wrote:
>>> Jean-Frederic,
>>>
>>> On 7/9/21 07:55, jean-frederic clere wrote:
>>>> On 09/07/2021 12:38, Mark Thomas wrote:
>>>>> On 09/07/2021 11:08, jean-frederic clere wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I think we need the same fix in Tomcat, or did I miss something?
>>>>>>
>>>>>> If we need it I will work on it next week ;-)
>>>>>
>>>>> To clarify, you mean checking Tomcat can (and implementing if it 
>>>>> can't) the ability to configure supported SSL protocols per virtual 
>>>>> host.
>>>>
>>>> Yes.
>>>>
>>>>>
>>>>> We should have most of this in SSLHostConfig but I don't recall 
>>>>> ever testing this behaviour specifically.
>>>>>
>>>>> Just as a reminder, both <Host .../> elements and <SSLHostConfig 
>>>>> .../> are likely to be required as they are configured separately.
>>>>
>>>> Quick test and code review seem to show it is not working (I tested 
>>>> the apr connector and 9.0.x).
>>>
>>> Can you post a sample config?
>>>
>>> I assume you mean:
>>>
>>> 1. Define two <Host>, configure for TLS
>>>    a. One attempting to use e.g. only TLSv1
>>>    b. One attempting to use e.g. only TLSv1.2
>>>
>>> 2. Run a protocol-checker against both hosts
>>>
>>> Result is that host (a) supports not-only TLSv1 and/or host (b) 
>>> supports not-only TLSv1.2?
>>
>> Yes, that is what I am testing; actually Nio and Nio2 are working, Apr 
>> isn't...
>>
>> The configuration is something like:
>> +++
>>     <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>>                port="8443" maxThreads="200"
>>                scheme="https" secure="true" SSLEnabled="true">
>>         <SSLHostConfig protocols="TLSv1.1">
>>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>>         </SSLHostConfig>
>>         <SSLHostConfig hostName="server1" protocols="TLSv1.2">
>>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>>         </SSLHostConfig>
>>         <SSLHostConfig hostName="server2" protocols="TLSv1.3">
>>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>>         </SSLHostConfig>
>>     </Connector>
>> +++
>> and I have the 3 corresponding <Host/>


-- 
Cheers

Jean-Frederic




Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Jean-Frederic,

how do you make sure that your tests actually land in the correct 
SSLHost? You are using the same server certificate, so a check on the 
client side might not be easy. I would find a test more convincing if 
the three TLS hosts used three different certificates and you could 
check on the TLS client that it actually gets the right server certificate.

Best regards,

Rainer

Am 09.07.2021 um 15:33 schrieb jean-frederic clere:
> On 09/07/2021 15:15, Christopher Schultz wrote:
>> Jean-Frederic,
>>
>> On 7/9/21 07:55, jean-frederic clere wrote:
>>> On 09/07/2021 12:38, Mark Thomas wrote:
>>>> On 09/07/2021 11:08, jean-frederic clere wrote:
>>>>> Hi,
>>>>>
>>>>> I think we need the same fix in Tomcat, or did I miss something?
>>>>>
>>>>> If we need it I will work on it next week ;-)
>>>>
>>>> To clarify, you mean checking Tomcat can (and implementing if it 
>>>> can't) the ability to configure supported SSL protocols per virtual 
>>>> host.
>>>
>>> Yes.
>>>
>>>>
>>>> We should have most of this in SSLHostConfig but I don't recall ever 
>>>> testing this behaviour specifically.
>>>>
>>>> Just as a reminder, both <Host .../> elements and <SSLHostConfig 
>>>> .../> are likely to be required as they are configured separately.
>>>
>>> Quick test and code review seem to show it is not working (I tested 
>>> the apr connector and 9.0.x).
>>
>> Can you post a sample config?
>>
>> I assume you mean:
>>
>> 1. Define two <Host>, configure for TLS
>>    a. One attempting to use e.g. only TLSv1
>>    b. One attempting to use e.g. only TLSv1.2
>>
>> 2. Run a protocol-checker against both hosts
>>
>> Result is that host (a) supports not-only TLSv1 and/or host (b) 
>> supports not-only TLSv1.2?
> 
> Yes, that is what I am testing; actually Nio and Nio2 are working, Apr 
> isn't...
> 
> The configuration is something like:
> +++
>     <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
>                port="8443" maxThreads="200"
>                scheme="https" secure="true" SSLEnabled="true">
>         <SSLHostConfig protocols="TLSv1.1">
>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>         </SSLHostConfig>
>         <SSLHostConfig hostName="server1" protocols="TLSv1.2">
>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>         </SSLHostConfig>
>         <SSLHostConfig hostName="server2" protocols="TLSv1.3">
>             <Certificate certificateFile="conf/localhost.server.cert.pem"
>                          certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
>         </SSLHostConfig>
>     </Connector>
> +++
> and I have the 3 corresponding <Host/>



Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by jean-frederic clere <jf...@gmail.com>.
On 09/07/2021 15:15, Christopher Schultz wrote:
> Jean-Frederic,
> 
> On 7/9/21 07:55, jean-frederic clere wrote:
>> On 09/07/2021 12:38, Mark Thomas wrote:
>>> On 09/07/2021 11:08, jean-frederic clere wrote:
>>>> Hi,
>>>>
>>>> I think we need the same fix in Tomcat, or did I miss something?
>>>>
>>>> If we need it I will work on it next week ;-)
>>>
>>> To clarify, you mean checking Tomcat can (and implementing if it 
>>> can't) the ability to configure supported SSL protocols per virtual 
>>> host.
>>
>> Yes.
>>
>>>
>>> We should have most of this in SSLHostConfig but I don't recall ever 
>>> testing this behaviour specifically.
>>>
>>> Just as a reminder, both <Host .../> elements and <SSLHostConfig 
>>> .../> are likely to be required as they are configured separately.
>>
>> Quick test and code review seem to show it is not working (I tested 
>> the apr connector and 9.0.x).
> 
> Can you post a sample config?
> 
> I assume you mean:
> 
> 1. Define two <Host>, configure for TLS
>    a. One attempting to use e.g. only TLSv1
>    b. One attempting to use e.g. only TLSv1.2
> 
> 2. Run a protocol-checker against both hosts
> 
> Result is that host (a) supports not-only TLSv1 and/or host (b) supports 
> not-only TLSv1.2?

Yes, that is what I am testing; actually Nio and Nio2 are working, Apr 
isn't...

The configuration is something like:
+++
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true">
        <SSLHostConfig protocols="TLSv1.1">
            <Certificate certificateFile="conf/localhost.server.cert.pem"
                         certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
        </SSLHostConfig>
        <SSLHostConfig hostName="server1" protocols="TLSv1.2">
            <Certificate certificateFile="conf/localhost.server.cert.pem"
                         certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
        </SSLHostConfig>
        <SSLHostConfig hostName="server2" protocols="TLSv1.3">
            <Certificate certificateFile="conf/localhost.server.cert.pem"
                         certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
        </SSLHostConfig>
    </Connector>
+++
and I have the 3 corresponding <Host/>


> 
> -chris
> 


-- 
Cheers

Jean-Frederic




Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jean-Frederic,

On 7/9/21 07:55, jean-frederic clere wrote:
> On 09/07/2021 12:38, Mark Thomas wrote:
>> On 09/07/2021 11:08, jean-frederic clere wrote:
>>> Hi,
>>>
>>> I think we need the same fix in Tomcat, or did I miss something?
>>>
>>> If we need it I will work on it next week ;-)
>>
>> To clarify, you mean checking Tomcat can (and implementing if it 
>> can't) the ability to configure supported SSL protocols per virtual host.
> 
> Yes.
> 
>>
>> We should have most of this in SSLHostConfig but I don't recall ever 
>> testing this behaviour specifically.
>>
>> Just as a reminder, both <Host .../> elements and <SSLHostConfig .../> 
>> are likely to be required as they are configured separately.
> 
> Quick test and code review seem to show it is not working (I tested the 
> apr connector and 9.0.x).

Can you post a sample config?

I assume you mean:

1. Define two <Host>, configure for TLS
   a. One attempting to use e.g. only TLSv1
   b. One attempting to use e.g. only TLSv1.2

2. Run a protocol-checker against both hosts

Result is that host (a) supports not-only TLSv1 and/or host (b) supports 
not-only TLSv1.2?

-chris
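An added example (not code from the thread or from the Tomcat project) that carries out this test plan, plus the certificate check Rainer asks for, against the three <SSLHostConfig> entries in Jean-Frederic's sample configuration: a Python client pins exactly one TLS version per handshake, sends the virtual host name as SNI, and compares the negotiated version and the served certificate's CN with what each SSLHostConfig configures. It assumes (unlike the sample, which reuses one cert file) one self-signed certificate per host whose CN equals the host name, all bundled in a PEM file given as `cafile`.

```python
import socket
import ssl

# Expected per-SNI-name settings from the thread's three <SSLHostConfig>
# elements. CNs are an assumption: one self-signed cert per host, CN == name.
EXPECTED = {"localhost": ("TLSv1.1", "localhost"),
            "server1": ("TLSv1.2", "server1"),
            "server2": ("TLSv1.3", "server2")}
VERSIONS = {"TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2,
            "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def subject_cn(cert):
    """commonName from the dict SSLSocket.getpeercert() returns."""
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"), None)

def probe(host, port, sni, version, cafile):
    """Offer exactly one TLS version under the given SNI name. Returns
    (negotiated_version, server_cert_cn), or None if the server refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    ctx.check_hostname = False         # CN is compared by evaluate() instead
    ctx.load_verify_locations(cafile)  # verify_mode stays CERT_REQUIRED
    if version == "TLSv1.1":           # OpenSSL >= 3 refuses TLS 1.1 unless
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # the security level is lowered
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.version(), subject_cn(tls.getpeercert())
    except ssl.SSLError:               # protocol_version / handshake alert
        return None

def evaluate(sni, observations):
    """observations: offered version -> probe() result for one SNI name.
    Returns deviations from EXPECTED; empty means the host behaves."""
    want_proto, want_cn = EXPECTED[sni]
    problems = []
    for version, result in observations.items():
        if result is None:
            if version == want_proto:
                problems.append(f"{sni}: configured {version} was refused")
            continue
        negotiated, cn = result
        if version != want_proto:
            problems.append(f"{sni}: accepted {negotiated}, expected only {want_proto}")
        if cn != want_cn:
            problems.append(f"{sni}: served cert CN {cn!r}, expected {want_cn!r}")
    return problems

def check_all(host, port, cafile):
    """Full 3 x 3 matrix against a live connector, keyed by SNI name."""
    return {sni: evaluate(sni, {v: probe(host, port, sni, v, cafile) for v in VERSIONS})
            for sni in EXPECTED}
```

The APR result Jean-Frederic reports (server1 serving its own certificate over TLSv1.1) shows up as two deviations for server1, while a NIO connector that honours the per-host protocol yields an empty list for every name.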



Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by jean-frederic clere <jf...@gmail.com>.
On 09/07/2021 12:38, Mark Thomas wrote:
> On 09/07/2021 11:08, jean-frederic clere wrote:
>> Hi,
>>
>> I think we need the same fix in Tomcat, or did I miss something?
>>
>> If we need it I will work on it next week ;-)
> 
> To clarify, you mean checking Tomcat can (and implementing if it can't) 
> the ability to configure supported SSL protocols per virtual host.

Yes.

> 
> We should have most of this in SSLHostConfig but I don't recall ever 
> testing this behaviour specifically.
> 
> Just as a reminder, both <Host .../> elements and <SSLHostConfig .../> 
> are likely to be required as they are configured separately.

Quick test and code review seem to show it is not working (I tested the 
apr connector and 9.0.x).

> 
> Mark
> 


-- 
Cheers

Jean-Frederic




Re: https://bz.apache.org/bugzilla/show_bug.cgi?id=55707 in tomcat

Posted by Mark Thomas <ma...@apache.org>.
On 09/07/2021 11:08, jean-frederic clere wrote:
> Hi,
> 
> I think we need the same fix in Tomcat, or did I miss something?
> 
> If we need it I will work on it next week ;-)

To clarify, you mean checking Tomcat can (and implementing if it can't) 
the ability to configure supported SSL protocols per virtual host.

We should have most of this in SSLHostConfig but I don't recall ever 
testing this behaviour specifically.

Just as a reminder, both <Host .../> elements and <SSLHostConfig .../> 
are likely to be required as they are configured separately.

Mark
