Posted to users@tomcat.apache.org by venkatesham nalla <v_...@hotmail.com> on 2016/08/10 16:43:39 UTC

Re: Tomcat v8.5.3 SSL Configuration?

Hi,


I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2, but it is not working on AIX. It is only supporting TLSv1. I have added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.


Java version 1.7.0 IBM J9 VM SR1.


Tomcat 8.5.3 SSL Configuration

-----------------------------------------

<Connector port="58043" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
        <Certificate
            protocols="-TLSv1"
            certificateKeystoreFile="..."
            certificateKeystorePassword="changeit"
            certificateKeyAlias="..."
            sslProtocol="TLS"
            />
    </SSLHostConfig>
</Connector>



Tomcat 7.0.39 is working with the following config on the same machine with the same JDK

--------------------------------------------------------------------------------------------------------------

<Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           sslEnabledProtocols="TLSv1.2,TLSv1.1"
           clientAuth="false" sslProtocol="SSL"
           keystoreFile="..." keystorePass="..." />

I appreciate your time and help.


Thanks,

Venkat




Re: Tomcat v8.5.3 SSL Configuration?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Venkat,

Please bottom-post, or interleave your responses. It's much easier to
follow the conversation and is the custom on this mailing list. See
below for my response.

On 8/10/16 2:37 PM, venkatesham nalla wrote:
> Thank you. But when I add protocols="all,-TLSv1" to the SSLHostConfig
> element, it results in the following exception:
> 
> INFO - Initializing ProtocolHandler ["https-jsse-nio-58043"]
> SEVERE - Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58043"]
> java.lang.IllegalArgumentException: sslUtilBase.noneSupported
>         at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:80)
>         at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:47)
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:148)
>         at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:83)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:839)

There might be an implementation bug or maybe just a lack of clarity
in the documentation. I would have expected "all,-TLSv1" to work.

Try this instead:

<SSLHostConfig protocols="TLSv1.1,TLSv1.2" ...>
   <Certificate ... />
</SSLHostConfig>

If that doesn't work, either something else is wrong (wrong
<Connector>? undisclosed reverse proxy?) or there is a bug in Tomcat.

-chris

> ________________________________ From: Christopher Schultz
> <ch...@christopherschultz.net> Sent: Wednesday, August 10, 2016
> 4:55:18 PM To: Tomcat Users List Subject: Re: Tomcat v8.5.3 SSL
> Configuration?
> 
> Venkat,
> 
> On 8/10/16 12:43 PM, venkatesham nalla wrote:
>> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2, 
>> but it is not working on AIX. It is only supporting TLSv1. I
>> have added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.
> 
> I'm not sure that system property does anything, since Tomcat 
> explicitly-configures its own SSLServerSocketFactory.
> 
>> Java version 1.7.0 IBM J9 VM SR1.
> 
>> Tomcat 7.0.39 is working with the following config on the same 
>> machine with same JDK
> 
>> -----------------------------------------------------------------------
> 
>> <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
>>            sslProtocol="SSL" keystoreFile="..." keystorePass="..." />
> 
>> Tomcat 8.5.3 SSL Configuration
> 
>> -----------------------------------------
> 
>> <Connector port="58043"
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>>     <SSLHostConfig>
>>         <Certificate protocols="-TLSv1"
>>                      certificateKeystoreFile="..."
>>                      certificateKeystorePassword="changeit" certificateKeyAlias="..."
>>                      sslProtocol="TLS" />
>>     </SSLHostConfig>
>> </Connector>
> 
> You have two problems, here:
> 
> 1. The "protocols" attribute goes on the <SSLHostConfig> element,
> not the nested <Certificate> element.
> 
> 2. The value of "-TLSv1" by itself doesn't do what you think it
> does. The default list of protocols is "none", so you'll have to
> add "all" first. So your value needs to be "TLSv1.2,TLSv1.1" just
> like it was for Tomcat 7, or you need to use something like
> "all,-TLSv1" to get it to use "all default protocols, except for
> TLSv1".
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
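The second point in the quoted reply (the protocols list starts out empty, so "-TLSv1" on its own removes from nothing, whereas "all,-TLSv1" or an explicit "TLSv1.1,TLSv1.2" leaves a non-empty set) and the sslUtilBase.noneSupported exception at the top of this message (raised when the configured set, intersected with what the JVM's JSSE provider actually supports, is empty) can be checked against a small model. The script below is an added example written for this thread; it is not Tomcat's code and nothing in it comes from the Tomcat or IBM JDK sources. It reimplements the described list semantics in simplified form (comma-separated tokens, "all", "+name", "-name", bare names). The set that "all" expands to (ALL_PROTOCOLS) and the two JVM capability lists in the demo are constructed assumptions, chosen to cover the three configurations discussed in the thread.

```python
"""Added model of Tomcat's SSLHostConfig protocols="..." list semantics.

Illustration written for this thread, not Tomcat's code. It follows the
rules given in the reply: the list starts empty, "all" expands to the
default protocol set, "-name" removes, "+name" or a bare name adds, and
the connector refuses to start when nothing in the resulting set is
supported by the JVM's JSSE provider.
"""

# Assumption: what "all" expands to in this model. The thread only
# discusses TLSv1, TLSv1.1 and TLSv1.2; the real set depends on the
# Tomcat version.
ALL_PROTOCOLS = frozenset({"TLSv1", "TLSv1.1", "TLSv1.2"})


class NoneSupported(ValueError):
    """Stands in for the sslUtilBase.noneSupported IllegalArgumentException."""


def parse_protocols(value):
    """Expand a protocols= attribute value into the configured set.

    Simplified relative to Tomcat: tokens are comma-separated, a leading
    '+' adds, a leading '-' removes, and no sign means add.
    """
    configured = set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:].strip()
        names = ALL_PROTOCOLS if token.lower() == "all" else {token}
        if sign == "+":
            configured |= names
        else:
            configured -= names
    return configured


def enabled_protocols(value, jvm_supported):
    """Return the configured set intersected with the JVM-supported set,
    or raise when that intersection is empty, which is the condition
    behind the exception quoted in this thread."""
    configured = parse_protocols(value)
    enabled = configured & set(jvm_supported)
    if not enabled:
        raise NoneSupported(
            "none of the configured protocols %s is supported by this JVM (%s)"
            % (sorted(configured), sorted(jvm_supported))
        )
    return enabled


def would_fail(value, jvm_supported):
    """True when the model says Tomcat would refuse to start the connector."""
    try:
        enabled_protocols(value, jvm_supported)
    except NoneSupported:
        return True
    return False


if __name__ == "__main__":
    # Constructed capability lists for two hypothetical JVMs: one that
    # supports every protocol in ALL_PROTOCOLS, one that only offers TLSv1
    # (the situation the original poster describes on AIX).
    jvms = (
        ("full JVM", ["TLSv1", "TLSv1.1", "TLSv1.2"]),
        ("TLSv1-only JVM", ["SSLv3", "TLSv1"]),
    )
    for attr in ("-TLSv1", "all,-TLSv1", "TLSv1.2,TLSv1.1"):
        for name, jvm in jvms:
            try:
                result = sorted(enabled_protocols(attr, jvm))
                print('protocols="%s" on %s -> enabled %s' % (attr, name, result))
            except NoneSupported as exc:
                print('protocols="%s" on %s -> FAILS: %s' % (attr, name, exc))
```

Running it shows the two distinct failures: "-TLSv1" yields an empty configured set on any JVM (problem 2 in the reply), while "all,-TLSv1" and "TLSv1.2,TLSv1.1" both produce {TLSv1.1, TLSv1.2} but still fail against a provider that reports only TLSv1, which is the shape of the noneSupported exception rather than a parsing problem. Checking what the provider actually supports (SSLContext.getSupportedSSLParameters().getProtocols() in Java) is the first thing to verify when the exception appears with a protocol list that looks correct.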


Re: Tomcat v8.5.3 SSL Configuration?

Posted by venkatesham nalla <v_...@hotmail.com>.
Chris,

Thank you. But when I add protocols="all,-TLSv1" to the SSLHostConfig element, it results in the following exception:


INFO - Initializing ProtocolHandler ["https-jsse-nio-58043"]
SEVERE - Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58043"]
java.lang.IllegalArgumentException: sslUtilBase.noneSupported
        at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:80)
        at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:47)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:148)
        at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:83)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:839)

Thanks,

Venkat


________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, August 10, 2016 4:55:18 PM
To: Tomcat Users List
Subject: Re: Tomcat v8.5.3 SSL Configuration?


Venkat,

On 8/10/16 12:43 PM, venkatesham nalla wrote:
> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2,
> but it is not working on AIX. It is only supporting TLSv1. I have
> added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.

I'm not sure that system property does anything, since Tomcat
explicitly-configures its own SSLServerSocketFactory.

> Java version 1.7.0 IBM J9 VM SR1.
>
> Tomcat 7.0.39 is working with the following config on the same
> machine with same JDK
>
> -----------------------------------------------------------------------
>
>  <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
>             maxThreads="150" scheme="https" secure="true"
>             sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
>             sslProtocol="SSL" keystoreFile="..." keystorePass="..." />
>
> Tomcat 8.5.3 SSL Configuration
>
> -----------------------------------------
>
> <Connector port="58043"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>     <SSLHostConfig>
>         <Certificate protocols="-TLSv1"
>                      certificateKeystoreFile="..."
>                      certificateKeystorePassword="changeit" certificateKeyAlias="..."
>                      sslProtocol="TLS" />
>     </SSLHostConfig>
> </Connector>

You have two problems, here:

1. The "protocols" attribute goes on the <SSLHostConfig> element, not
the nested <Certificate> element.

2. The value of "-TLSv1" by itself doesn't do what you think it does.
The default list of protocols is "none", so you'll have to add "all"
first. So your value needs to be "TLSv1.2,TLSv1.1" just like it was
for Tomcat 7, or you need to use something like "all,-TLSv1" to get it
to use "all default protocols, except for TLSv1".

-chris



Re: Tomcat v8.5.3 SSL Configuration?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Venkat,

On 8/10/16 12:43 PM, venkatesham nalla wrote:
> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2,
> but it is not working on AIX. It is only supporting TLSv1. I have
> added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.

I'm not sure that system property does anything, since Tomcat
explicitly-configures its own SSLServerSocketFactory.

> Java version 1.7.0 IBM J9 VM SR1.
> 
> Tomcat 7.0.39 is working with the following config on the same
> machine with same JDK
> 
> -----------------------------------------------------------------------
>
>  <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
>             maxThreads="150" scheme="https" secure="true"
>             sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
>             sslProtocol="SSL" keystoreFile="..." keystorePass="..." />
> 
> Tomcat 8.5.3 SSL Configuration
> 
> -----------------------------------------
> 
> <Connector port="58043"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>     <SSLHostConfig>
>         <Certificate protocols="-TLSv1"
>                      certificateKeystoreFile="..."
>                      certificateKeystorePassword="changeit" certificateKeyAlias="..."
>                      sslProtocol="TLS" />
>     </SSLHostConfig>
> </Connector>

You have two problems, here:

1. The "protocols" attribute goes on the <SSLHostConfig> element, not
the nested <Certificate> element.

2. The value of "-TLSv1" by itself doesn't do what you think it does.
The default list of protocols is "none", so you'll have to add "all"
first. So your value needs to be "TLSv1.2,TLSv1.1" just like it was
for Tomcat 7, or you need to use something like "all,-TLSv1" to get it
to use "all default protocols, except for TLSv1".

-chris
