tomcat-users mailing list archives

From: Marc Dorsa <mdo...@overlandstorage.com>
Subject: Problem enabling SSLv3 in Tomcat 8.5.15
Date: Tue, 20 Jun 2017 23:34:54 GMT
Hi Tomcat Users,

I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15. (A 3rd-party component
of our product requires SSLv3 and there's no getting around it!) Our Tomcat is running on
a custom Linux distribution based on CentOS 7, and we're running Java 1.8.0_131. Note that
I've already (and correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is correctly
enabled when running our existing Tomcat 7.0.47. My guess is that I have an incorrect server.xml
configuration (for Tomcat 8), but the Tomcat documentation (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support),
as I read it, seems to say that simply setting the "protocols" attribute of the SSLHostConfig
element to include "SSLv3" should do the job.

Thank you in advance for any help offered!
Marc

----------------------------------------------
Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
    <Service name="Tomcat-Standalone">
        <Connector port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443"
                   server=" " acceptCount="100" connectionTimeout="660000"
                   disableUploadTimeout="true" />
        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false"
                   acceptCount="100" scheme="https" secure="true" connectionTimeout="660000"
                   disableUploadTimeout="true" server=" "
                   ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                            TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                            SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                            SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
                            SSL_DHE_RSA_WITH_DES_CBC_SHA"
                   clientAuth="false" sslProtocol="TLS" keystoreFile="/etc/.keystore">
        </Connector>
        <Engine name="Standalone" defaultHost="MyHostName">
            <Host name="MyHostName" appBase="webapps"
                  unpackWARs="true" autoDeploy="true">
                <Context path="" docBase="ROOT" allowLinking="true">
                    <Resources className="org.apache.naming.resources.FileDirContext"
                               allowLinking="true" docBase="" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

Here are the scan results showing that SSLv3 is indeed enabled (and our 3rd-party component
works correctly):
# ./cipherscan MyHostName:443
prio  ciphersuite           protocols                    pfs_keysize
1     DHE-DSS-AES128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
2     EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits

----------------------------------------------
And here is the server.xml file that, unfortunately, does *not* enable SSLv3 for Tomcat 8.5.15:
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
    <Service name="Tomcat-Standalone">
        <Connector port="80" protocol="HTTP/1.1" enableLookups="false" redirectPort="443"
                   server=" " acceptCount="100" connectionTimeout="660000"
                   disableUploadTimeout="true" />
        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" enableLookups="false"
                   acceptCount="100" scheme="https" secure="true" connectionTimeout="660000"
                   disableUploadTimeout="true" server=" ">
            <SSLHostConfig protocols="+SSLv3, +TLSv1, +TLSv1.1, +TLSv1.2"
                           ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                                    SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                                    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
                                    SSL_DHE_RSA_WITH_DES_CBC_SHA">
                <Certificate certificateKeystoreFile="/etc/.keystore" certificateKeystoreType="JKS"
                             certificateKeystorePassword="changeit" />
            </SSLHostConfig>
        </Connector>
        <Engine name="Standalone" defaultHost="MyHostName">
            <Host name="MyHostName" appBase="webapps"
                  unpackWARs="true" autoDeploy="true">
                <Context path="" docBase="ROOT">
                    <Resources allowLinking="true" />
                </Context>
            </Host>
        </Engine>
    </Service>
</Server>

Here are the scan results showing that SSLv3 is *not* enabled (and our 3rd-party component
does *not* work):
# ./cipherscan MyHostName:443
prio  ciphersuite           protocols              pfs_keysize
1     DHE-DSS-AES128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
2     EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits

Here is Tomcat's logging at startup (notice the SSLv3 warning):
..
Tomcat started.
-sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-80"]
Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
INFO: Using a shared selector for servlet write/read
Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
WARNING: Some of the specified [protocols] are not supported by the SSL engine and have been
skipped: [[SSLv3]]
..
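An added example, not from the post and not Tomcat's own code: a simplified model of how Tomcat 8.5 arrives at the effective protocol list for a JSSE connector. The SSLHostConfig "protocols" attribute is parsed token by token (the +/- prefix syntax from the docs), the result is intersected with the set the SSL engine reports as supported, and whatever is left over is reported in the same shape as the "skipped: [[SSLv3]]" WARNING above. The parsing rules, the contents of the "all" alias and the engine_supported sets are assumptions chosen to reproduce the behaviour quoted in the post; a helper also reads the protocols column of a cipherscan table so the scan can be checked against the configured list.

```python
import re
# Assumed expansion of the "all" alias in a Tomcat 8.5-era JSSE build (no TLSv1.3
# yet); SSLv3 is deliberately not part of it, so it must be named explicitly.
ALL_ALIAS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed: the set a JVM reports while SSLv3 is still disabled at the JSSE
# level, which is what the startup WARNING on this page implies.
ENGINE_WITHOUT_SSLV3 = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_protocols(attr):
    """Simplified model of the SSLHostConfig 'protocols' attribute: tokens split on
    commas/whitespace, '+' adds, '-' removes, 'all' expands to ALL_ALIAS."""
    configured = []
    for token in re.split(r"[,\s]+", attr.strip()):
        if not token:
            continue
        op, name = (token[0], token[1:].strip()) if token[0] in "+-" else ("+", token)
        if not name:
            continue
        for n in (ALL_ALIAS if name.lower() == "all" else [name]):
            if op == "-":
                configured = [c for c in configured if c.lower() != n.lower()]
            elif n.lower() not in [c.lower() for c in configured]:
                configured.append(n)
    return configured


def get_enabled(configured, engine_supported):
    """Model of Tomcat's filtering step: only engine-supported protocols survive;
    the rest are reported in the same shape as the WARNING quoted above."""
    supported = {s.lower() for s in engine_supported}
    enabled = [p for p in configured if p.lower() in supported]
    skipped = [p for p in configured if p.lower() not in supported]
    warning = None
    if skipped:
        warning = ("Some of the specified [protocols] are not supported by the "
                   "SSL engine and have been skipped: [[%s]]" % ", ".join(skipped))
    return enabled, warning


def protocols_offered(cipherscan_output):
    """Collect the 'protocols' column of a cipherscan table into one set, so the
    scan can be compared against what the config was expected to enable."""
    offered = set()
    for line in cipherscan_output.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0].isdigit():
            offered.update(cols[2].split(","))
    return offered
```

Running get_enabled on the post's attribute value against ENGINE_WITHOUT_SSLV3 yields TLSv1, TLSv1.1 and TLSv1.2 plus the exact WARNING text from the log; only when SSLv3 is also in the engine's supported set does it survive the filter.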

