tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat v8.5.3 SSL Configuration?
Date Wed, 10 Aug 2016 18:49:11 GMT

Venkat,

Please bottom-post, or interleave your responses. It's much easier to
follow the conversation and is the custom on this mailing list. See
below for my response.

On 8/10/16 2:37 PM, venkatesham nalla wrote:
> Thank you. But when I add protocols="all,-TLSv1" to the SSLHostConfig
> element, it results in the following exception:
> 
> INFO - Initializing ProtocolHandler ["https-jsse-nio-58043"]
> SEVERE - Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58043"]
> java.lang.IllegalArgumentException: sslUtilBase.noneSupported
>         at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:80)
>         at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:47)
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:148)
>         at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:83)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:839)

There might be an implementation bug or maybe just a lack of clarity
of the documentation. I would have expected "all,-TLSv1" to work.

Try this instead:

<SSLHostConfig protocols="TLSv1.1,TLSv1.2" ...>
   <Certificate ... />
</SSLHostConfig>

If that doesn't work, either something else is wrong (wrong
<Connector>? undisclosed reverse proxy?) or there is a bug in Tomcat.

-chris

> ________________________________
> From: Christopher Schultz <chris@christopherschultz.net>
> Sent: Wednesday, August 10, 2016 4:55:18 PM
> To: Tomcat Users List
> Subject: Re: Tomcat v8.5.3 SSL Configuration?
> 
> Venkat,
> 
> On 8/10/16 12:43 PM, venkatesham nalla wrote:
>> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2, 
>> but it is not working on AIX. It is only supporting TLSv1. I
>> have added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.
> 
> I'm not sure that system property does anything, since Tomcat
> explicitly configures its own SSLServerSocketFactory.
> 
>> Java version 1.7.0 IBM J9 VM SR1.
> 
>> Tomcat 7.0.39 is working with the following config on the same 
>> machine with same JDK
> 
>> ---------------------------------------------------------------------
> 
>> <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
>>            sslProtocol="SSL" keystoreFile="..." keystorePass="..." />
> 
>> Tomcat 8.5.3 SSL Configuration
> 
>> -----------------------------------------
> 
>> <Connector port="58043"
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>>   <SSLHostConfig>
>>     <Certificate protocols="-TLSv1"
>>                  certificateKeystoreFile="..."
>>                  certificateKeystorePassword="changeit" certificateKeyAlias="..."
>>                  sslProtocol="TLS" />
>>   </SSLHostConfig>
>> </Connector>
> 
> You have two problems, here:
> 
> 1. The "protocols" attribute goes on the <SSLHostConfig> element,
> not the nested <Certificate> element.
> 
> 2. The value of "-TLSv1" by itself doesn't do what you think it
> does. The default list of protocols is "none", so you'll have to
> add "all" first. So your value needs to be "TLSv1.2,TLSv1.1" just
> like it was for Tomcat 7, or you need to use something like
> "all,-TLSv1" to get it to use "all default protocols, except for
> TLSv1".
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
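The protocols-list semantics described in the quoted reply above ("all" first, then "-TLSv1" to drop one; "-TLSv1" alone starting from nothing) and the configured-versus-supported check that ends in the sslUtilBase.noneSupported exception in the stack trace, modelled as an added Python example that is not Tomcat's own code. The expansion of "all" and the provider-supported protocol sets are assumptions constructed for the illustration.

```python
# Added example, not Tomcat's own code: models how a protocols="..." value
# becomes a set ("all" first, then "-X" removes; "-TLSv1" alone starts from
# nothing) and the configured-vs-supported intersection behind the
# sslUtilBase.noneSupported exception in the stack trace. The expansion of
# "all" and the "supported" sets below are assumptions built for illustration.

ALL_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")  # assumed expansion of "all"


def parse_protocols(value):
    """Apply tokens in order: "all" adds every assumed default, "+X" adds X,
    "-X" removes X, a bare name adds itself. Removals only touch what was
    already added, so "all,-TLSv1" works but "-TLSv1" alone stays empty."""
    configured = set()
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        if token.lower() == "all":
            configured.update(ALL_PROTOCOLS)
        elif token.startswith("+"):
            configured.add(token[1:])
        elif token.startswith("-"):
            configured.discard(token[1:])
        else:
            configured.add(token)
    return configured


def check_config(value, implementation_supported):
    """Intersect the configured set with what the JSSE provider supports.
    Unsupported entries are reported as skipped; if nothing survives, the
    endpoint cannot initialise (the exception seen in the thread)."""
    configured = parse_protocols(value)
    enabled = sorted(p for p in configured if p in implementation_supported)
    skipped = sorted(configured - set(enabled))
    error = "sslUtilBase.noneSupported" if not enabled else None
    return {"enabled": enabled, "skipped": skipped, "error": error}


if __name__ == "__main__":
    # Constructed supported sets: a provider with TLSv1.1/1.2 available, and
    # one offering only TLSv1 (as reported for the AIX JDK in the thread).
    providers = {"full": {"TLSv1", "TLSv1.1", "TLSv1.2"}, "tlsv1-only": {"TLSv1"}}
    for value in ("-TLSv1", "all,-TLSv1", "TLSv1.1,TLSv1.2"):
        for name, supported in providers.items():
            print(value, name, check_config(value, supported))
```

Running it side by side for the two constructed providers shows which of the three attribute values from the thread survive the intersection on each, and which one fails before the connector binds.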

