tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat 6 APR SSL Issue
Date Fri, 17 Oct 2014 17:22:50 GMT

James,

On 10/14/14 2:16 PM, James Drews wrote:
> Hi, I have a question that may be a bug, or I'm just not doing
> something right (I'll happily believe either).
> 
> Configuration: Tomcat 6.0 running on Windows Server. The
> tcnative-1.dll is the latest from the download site:
> http://tomcat.apache.org/download-native.cgi
> 
> Item #1
> 
> In our tomcat server.xml config, we have:
> 
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
>           SSLEngine="on" />
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxHttpHeaderSize="8192" scheme="https" secure="true"
>            SSLEnabled="true" SSLDisableCompression="true"
>            SSLHonorCipherOrder="true" SSLProtocol="TLSv1+SSLv3"
>            SSLCertificateFile="certificate.crt"
>            SSLCertificateKeyFile="certificate.key"
>            SSLCertificateChainFile="chain.crt"
>            SSLCipherSuite="kEECDH+AES256+AESGCM:kEECDH+AES256:kEDH+AES256+AESGCM:kEDH+AES256:kEECDH+AESGCM:kEDH+AESGCM:kEECDH:kEDH:kECDH:kDH:HIGH:-ADH:-MD5:-RC4:-CAMELLIA128:-3DES:-MEDIUM:-LOW:-EXP:-aNULL:-eNULL" />
> 
> The issue here is tomcat is only binding to the IPv4 (0.0.0.0)
> address, and not binding to the IPv6 on the box.  If I add an
> address="0.0.0.0"
> 
> and then duplicate this connector and replace the address option
> with: address="::"
> 
> It binds to both IPv4 and IPv6 as expected. However, tomcat will
> no longer stop when you try to stop the windows service. I have to
> kill the process to get it to stop.  If I only have one or the
> other of the two connectors present, it will stop as expected.
> 
> Also of note, if I used: 
> protocol="org.apache.coyote.http11.Http11Protocol"
> 
> instead, it would bind to both IPv4 and IPv6 as expected when no
> address option is specified (but that method won't take some of the
> options we want to have set).

Check the archives; I seem to recall some oddities when it comes to
APR's use of network interfaces.

> Issue #2
> 
> We would like to have it use: SSLProtocol="TLSv1" but when you have
> just that as the option, it will only talk TLS v1.0, not TLSv1.1 or
> TLSv1.2. Looking briefly at the source code, it looks like you only
> have the option to specify a combination of TLSv1, SSLv2 and SSLv3.
> If we use the option as specified above (TLSv1+SSLv3), it will do
> all three TLS versions and SSLv3.
> 
> Is there a way to get it to do TLS and all three versions of it?

https://issues.apache.org/bugzilla/show_bug.cgi?id=53952

Unfortunately, TLSv1.1 and TLSv1.2 will not be supported until you
have both tcnative 1.1.32 and a Tomcat version that supports the
changes. There is not yet a patch for Tomcat 6 for this, while patches
have been committed for Tomcat 7 and Tomcat 8.

I'm working on a Tomcat 6 patch.

> Also, with SSLv2 not specified, it will still accept that
> protocol, but in the end will fail because no encryption methods
> for it are enabled. Is there a way to have it refuse to talk SSLv2
> from the start?

Usually, SSLv2Hello is used to allow an SSLv2 connection to be
established. This is generally safe (well, until we all decided that
SSLv3 was rubbish).

Once the above updates are released, you will be able to select the
exact set of protocols you want. You should be able to specify
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" and get all the TLSs and no SSLs.
(Also, the definition for "all" has been updated to be "all TLSs and
no SSLs" so you could use that, too).

-chris

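An added config-audit helper (not from this thread and not Tomcat's own code) that parses a server.xml and flags the two things discussed above: an SSLProtocol value that still admits SSLv3, and the dual 0.0.0.0/:: APR connectors that James reports hang the service on stop. The sample XML and the finding strings are constructed for this example.

```python
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample modelled on the server.xml quoted in the thread:
# two APR connectors, one per address family, still allowing SSLv3.
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+SSLv3" address="0.0.0.0" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+SSLv3" address="::" />
  </Service>
</Server>"""


def audit_apr_ssl_connectors(server_xml):
    """Return (port, address, finding) tuples for SSL-enabled APR connectors."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector")
                  if c.get("protocol") == APR_PROTOCOL
                  and c.get("SSLEnabled", "false").lower() == "true"]
    findings = []
    for c in connectors:
        port, addr = c.get("port"), c.get("address")
        raw = c.get("SSLProtocol")
        protos = {p.strip() for p in raw.split("+")} if raw else set()
        if protos & {"SSLv2", "SSLv3"}:
            findings.append((port, addr, "SSLProtocol still permits SSLv2/SSLv3"))
        elif not raw or "all" in protos:
            # Before the change Chris describes, "all" still included the SSL versions.
            findings.append((port, addr, "SSLProtocol unset/'all': confirm SSLv3 is off on this tcnative"))
        if addr is None:
            findings.append((port, addr, "no address: APR connector may bind IPv4 only"))
    # The IPv4 + IPv6 workaround from the thread: two connectors on one port.
    bound = {(c.get("port"), c.get("address")) for c in connectors}
    for port in sorted({p for p, _ in bound}):
        if (port, "0.0.0.0") in bound and (port, "::") in bound:
            findings.append((port, None, "dual 0.0.0.0/:: connectors on one port: check service stop"))
    return findings


if __name__ == "__main__":
    for port, addr, finding in audit_apr_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"port {port} address {addr}: {finding}")
```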