tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sanaullah <sanaulla...@gmail.com>
Subject Re: Does APR/tomcat-native support TLS 1.2?
Date Tue, 02 Sep 2014 18:10:43 GMT
I face the same issue with tomcat 7.0.47. you can find the details below,
how i apply the patches and things get worked.

By default there is no support for TLSv1.1 or TLSv1.2 in Tomcat 7.0.47. you
have to apply these two patches in order to run TLSv1.1 and tlsv1.2
https://issues.apache.org/bugzilla/attachment.cgi?id=30150
https://issues.apache.org/bugzilla/attachment.cgi?id=30166

I spend 5 hours to test this. I am using ubuntu trusty.

Here is my test result

root@ubuntu:/opt/tomcat-native-1.1.29/jni/native# openssl s_client -connect
127.0.0.1:8443
CONNECTED(00000003)
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MX, ST = Some-State, O = uni, OU = admin, CN = ubuntu
verify return:1
---
Certificate chain
 0 s:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
   i:/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
---

Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAY6gAwIBAgIJAIgQsiTjPbouMAkGByqGSM49BAEwUTELMAkGA1UEBhMC
TVgxEzARBgNVBAgMClNvbWUtU3RhdGUxDDAKBgNVBAoMA3VuaTEOMAwGA1UECwwF
YWRtaW4xDzANBgNVBAMMBnVidW50dTAeFw0xNDAxMDUwMjE0NDZaFw0yNDAxMDMw
MjE0NDZaMFExCzAJBgNVBAYTAk1YMRMwEQYDVQQIDApTb21lLVN0YXRlMQwwCgYD
VQQKDAN1bmkxDjAMBgNVBAsMBWFkbWluMQ8wDQYDVQQDDAZ1YnVudHUwWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAQMy2uSVwbPg1wPOXrqsnvE7YZZ46k1HzMGlpJg
+aPFJOKAbYuMYG6f5PY634Qn6qWBuyeorj8epZBlY1f573Kko1AwTjAdBgNVHQ4E
FgQU6k2A1GIkIUw+BkDRJLV+664BKQYwHwYDVR0jBBgwFoAU6k2A1GIkIUw+BkDR
JLV+664BKQYwDAYDVR0TBAUwAwEB/zAJBgcqhkjOPQQBA0gAMEUCIQCYpIAwCJ+p
X/C2F6Cqa3xU6dpfuFnwqHL4PfQX4Yv+TQIgewShairhIVKvpWicOnuChYY72RjZ
EmVg3uQq9XxPfiI=
-----END CERTIFICATE-----
subject=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu
issuer=/C=MX/ST=Some-State/O=uni/OU=admin/CN=ubuntu

---
No client certificate CA names sent
---
SSL handshake has read 828 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-GCM-SHA384

Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES256-GCM-SHA384
    Session-ID:
AE5EAC55628B803E4D395AF88A0BBF5536FD0A051E31E6261A92E997B270EA3C
    Session-ID-ctx:
    Master-Key:
45C7008AD0BD31B57F786226278BF1CD98C6BA464EF529D60E48FC9BFB60E286412BDAB0CB51EAE6763B822E81F32B6A

    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2e 81 a3 90 ff 13 f9 8b-e9 87 1c 56 c4 dc 49 51
...........V..IQ
    0010 - c2 f3 2b f9 61 45 20 d5-a8 50 50 eb f4 1d 41 cf   ..+.aE
..PP...A.
    0020 - d7 76 29 03 b5 5b 35 c4-e9 c3 d8 c3 3b 3e 6d c9
.v)..[5.....;>m.
    0030 - d7 cb 92 d9 ab ac 54 23-df 39 2d 5a f1 fc 5e 21
......T#.9-Z..^!
    0040 - cb a0 37 ea 66 59 f6 1b-5f b7 91 2a d1 85 d3 ed
..7.fY.._..*....
    0050 - 5d 72 12 8b 5e dd 29 ac-8c 49 f6 07 50 ef ba 16
]r..^.)..I..P...
    0060 - 23 92 f6 63 79 d4 36 23-ba e9 a3 35 79 92 68 e6
#..cy.6#...5y.h.
    0070 - 0f c8 15 be ef 95 3c 77-ee 86 d1 85 27 20 e8 8a   ......<w....'
..
    0080 - 40 11 a1 d2 8e 8a 68 ab-5e c9 81 3d 72 46 56 d8
@.....h.^..=rFV.
    0090 - 84 66 b7 6f 57 ce 0f 05-d0 52 a4 d3 9c 66 de b4
.f.oW....R...f..
    00a0 - 85 cb 9f fe 85 16 e2 35-df 46 c2 c8 fc 37 bb 48
.......5.F...7.H

    Start Time: 1388926368

    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=0


/////////////////*******Server.xml***********************///////////////////////////

 <Connector port="8443"

protocol="org.apache.coyote.http11.Http11AprProtocol"
                SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               SSLProtocol="all"
               clientAuth="false"

               SSLCertificateFile="/home/san/sinful.pem"
               SSLCertificateKeyFile="/home/san/sinful.key" />


........................................................................................................................................................
How To Apply the patches.

1- https://issues.apache.org/bugzilla/attachment.cgi?id=30150 , this patch
will be applied to tomcat-native-1.1.29.  after the patch compile it using
cd tomcat-native-1.1.29/jni/native/
./configure --with-java=/usr/lib/jvm/java-1.7.0-openjdk-i386 --with-ssl=yes
--with-apr=/usr/bin/apr-1-config
make
cd tomcat-native-1.1.29/jni
ant

copy the libs and place them to default lib directory of ubuntu
cp tomcat-native-1.1.29/jni/native/.libs/* /usr/lib/i386-linux-gnu/


2- Get the source code of tomcat-7.0.47.
install  jdk6

apply this patch https://issues.apache.org/bugzilla/attachment.cgi?id=30166
to tomcat-7.0.47.
export the jdk6 path.
run "ant" in the source folder. this will download many files and also
compile the code.

there will be some errors related to SSLV2. comment that code. as sslv2
will no more supported. after the successful build start the tomcat server.

let me know if there is still any errors.

Regards,
Sanaullah


On Tue, Sep 2, 2014 at 10:34 PM, Amos Anderson <amos.anderson@protabit.com>
wrote:

> Hello Tomcat Users --
>
> I posted this question elsewhere yesterday and then realized I should have
> sent it to this mailing list.
>
>
> I'm trying to configure tomcat7 to support TLS 1.2 (which was released 6
> years ago). I can get TLS 1.0 to work, but NIST [says][1] that I "shall
> not" use TLS 1.0. I know I can use JSSE instead to get TLS 1.2, but why
> can't I get APR to support it? A few online guides I've read recommend APR
> over JSSE, it looks like I get better ciphers out of the box with
> APR/OpenSSL than JSSE, and I can use cipher suites with OpenSSL so it seems
> easier to maintain.
>
> According to [this][2] bug report it might be available with a patch, but
> I'd have guessed it would be standard by now. Is there some other gratis
> way of getting OpenSSL in tomcat, or is it simply the case that there's
> insufficient interest tomcat native for security purposes?
>
> For reference, I've got Tomcat 7.0.55 and tomcat-native 1.1.30. I don't
> get any warning during startup, and I know I'm only getting TLS 1.0 is
> because that's what clicking the lock in my browser tells me and [Qualys
> SSL Labs][3] says TLS 1.2 is not available on my server. My connector is:
>
>     <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
>     ...
>     SSLProtocol="TLSv1"/>
>
> And note that `TLSv1` is the [only][4] TLS value allowed for
> `SSLProtocol`. Following `mod_ssl`'s `SSLProtocol`, I tried `TLSv1.2` but
> that drew an exception. Unfortunately, I can't find any discussion of this
> online.
>
>
> Thanks!
> Amos.
>
>
>
>
>   [1]:
> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
>   [2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
>   [3]: https://www.ssllabs.com/ssltest/index.html
>   [4]:
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message