Posted to users@tomcat.apache.org by Utkarsh Dave <ut...@gmail.com> on 2014/11/01 20:33:47 UTC

Re: Unable to disable SSL in Tomcat 6 !

Hi Chris,

Thanks for the response. I am testing using the steps below.

From another machine I am running this command:

openssl s_client -ssl3 -msg -connect <HOST>:<PORT>

HOST is the server IP (on the server where SSL actually needs to be
disabled and server.xml is modified with sslProtocols="TLSv1")

PORT is 8443 (tomcat)

If the above command results in failure, it means SSL is disabled.

How can I know if my JVM recognizes the particular protocol string?

-Thanks
Utkarsh

On Sat, Nov 1, 2014 at 12:52 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Utkarsh,
>
> On 10/31/14 11:52 AM, Utkarsh Dave wrote:
> > Nothing helped much. Please let me know how I can disable SSL in
> > Tomcat 6.0.37.
> >
> > I tried the below configuration in server.xml on Tomcat 6.0.37
> >
> > <Connector port="8443"
> > protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> > SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> > sslProtocols = "TLSv1"
> >
> > The same with sslEnabledProtocols instead of sslProtocols worked
> > for Tomcat 7. I am also following solution at
> > https://access.redhat.com/solutions/1232233
>
> The configuration attributes "protocols", "sslProtocols", and
> "sslEnabledProtocols" are all equivalent in Tomcat 6.0.38 and later.
> Before Tomcat 6.0.38, "protocols" and "sslProtocols" are equivalent.
>
> So it shouldn't really matter which one you use. But since you are
> using 6.0.37, then you definitely can't use "sslEnabledProtocols".
>
> So.. what's the problem? With the above configuration, what protocols
> end up being enabled? How are you performing your testing?
>
> You are using the Java BIO connector so it's using JSSE for crypto.
> Those settings you have should work. The default for "sslProtocol" is
> "TLS" which should get you pretty much everything, and restricting
> sslProtocols to "TLSv1" should get you only TLSv1, as long as your JVM
> recognizes that particular protocol string.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Unable to disable SSL in Tomcat 6 !

Posted by Hassan Schroeder <ha...@gmail.com>.
On Sun, Nov 2, 2014 at 10:09 AM, Utkarsh Dave <ut...@gmail.com> wrote:

> Is there any other way to disable SSL in Tomcat 6?

How many ways do you need? The process described in this thread
works as indicated with 6.0.37.

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
http://about.me/hassanschroeder
twitter: @hassan



Re: Unable to disable SSL in Tomcat 6 !

Posted by Utkarsh Dave <ut...@gmail.com>.
Hi Chris,

Yes. openssl s_client succeeds (displays no exception) when I have
sslProtocols="TLSv1" set?
The latest releases of our project use Tomcat 7, but to support older
releases we may not upgrade from Tomcat 6 to 7.
Is there any other way to disable SSL in Tomcat 6?

-Utkarsh

On Sun, Nov 2, 2014 at 4:47 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Utkarsh,
>
> On 11/1/14 3:33 PM, Utkarsh Dave wrote:
> > Thanks for the response. I am testing using the steps below.
> >
> > From another machine I am running this command:
> >
> > openssl s_client -ssl3 -msg -connect <HOST>:<PORT>
> >
> >
> > HOST is the server IP (on the server where SSL actually needs to
> > be disabled and server.xml is modified with sslProtocols="TLSv1")
> >
> > PORT is 8443 (tomcat)
> >
> >
> > If the above command results in failure, it means SSL is
> > disabled.
>
> Good.
>
> > How can I know if my JVM recognizes the particular protocol
> > string?
>
> Well, if you use "TLSv1" and Tomcat doesn't emit an error message,
> then you should be good.
>
> So... does openssl s_client succeed when you have sslProtocols="TLSv1"
> set?
>
> You should really upgrade to a more recent version of Tomcat 6.0.x, or
> maybe even Tomcat 7.x or 8.x.
>
> -chris

Re: Unable to disable SSL in Tomcat 6 !

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Utkarsh,

On 11/1/14 3:33 PM, Utkarsh Dave wrote:
> Thanks for the response. I am testing using the steps below.
>
> From another machine I am running this command:
>
> openssl s_client -ssl3 -msg -connect <HOST>:<PORT>
>
>
> HOST is the server IP (on the server where SSL actually needs to
> be disabled and server.xml is modified with sslProtocols="TLSv1")
>
> PORT is 8443 (tomcat)
>
>
> If the above command results in failure, it means SSL is
> disabled.

Good.

> How can I know if my JVM recognizes the particular protocol
> string?

Well, if you use "TLSv1" and Tomcat doesn't emit an error message,
then you should be good.

So... does openssl s_client succeed when you have sslProtocols="TLSv1"
set?

You should really upgrade to a more recent version of Tomcat 6.0.x, or
maybe even Tomcat 7.x or 8.x.

-chris
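
One way to check whether a JVM recognizes a protocol string such as "TLSv1", added here as an example and not part of any post in this thread: it asks JSSE directly, outside Tomcat. The class name JsseProtocolCheck and its helper methods are made up for this example.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

// Added example (hypothetical class): reports what the JSSE provider of the
// running JVM makes of each protocol string given on the command line.
public class JsseProtocolCheck {

    // True if the provider lists the name among its supported protocols.
    static boolean isSupported(SSLServerSocket socket, String protocol) {
        return Arrays.asList(socket.getSupportedProtocols()).contains(protocol);
    }

    // Restricts the socket to a single protocol. JSSE throws
    // IllegalArgumentException for a name it does not recognize.
    static String restrictTo(SSLServerSocket socket, String protocol) {
        try {
            socket.setEnabledProtocols(new String[] { protocol });
            return "accepted, enabled now: " + Arrays.toString(socket.getEnabledProtocols());
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default to the two names discussed in the thread.
        List<String> names = args.length > 0 ? Arrays.asList(args) : Arrays.asList("SSLv3", "TLSv1");

        // "TLS" is the sslProtocol default mentioned in the thread.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // no key material is needed to inspect protocols

        // Unbound server socket: nothing listens, it only carries the settings.
        SSLServerSocket socket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
        try {
            System.out.println("supported:          " + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("enabled by default: " + Arrays.toString(socket.getEnabledProtocols()));
            for (String name : names) {
                System.out.println(name + ": supported=" + isSupported(socket, name) + ", " + restrictTo(socket, name));
            }
        } finally {
            socket.close();
        }
    }
}
```

Run it with the same JVM that starts Tomcat, since the set of supported and default-enabled protocols depends on the Java version and its security settings.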