Ssl – How to configure Tomcat connector to use both SSL and TLS protocols

connectorssltomcat7

I have a Tomcat 7.0 server that I want to configure to listen on HTTPS port. I'm using Nio protocol and I want it to support both SSLv3 and TLS protocols (I know that SSLv3 is insecure, but I need to provide that ability). Here is how it looks now:

<Connector
        port="443"
        SSLEnabled="true"
        clientAuth="false"
        disableUploadTimeout="true"
        enableLookups="false"
        keyAlias="myalias"
        keystoreFile="mykeystore"
        keystorePass="mypass"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        scheme="https"
        secure="true"
        sslProtocol="TLS"
        sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />

The question is what value should I use as sslProtocol? According to documentation SSL enables any SSL protocol, and TLS any TLS protocol, but how to enable both? I tried to set "SSL,TLS" and "SSL_TLS" but these values are invalid.

Best Answer

According to examples in Tomcat 7 SSL/TLS HOWTO, Edit the Tomcat Configuration File the delimiter is +:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

Strange this is not in the documentation!

Related Solutions

Ssl – Internet Explorer 8 – TLS Fatal Error Close Notify – Oracle HTTP – Server Apache 2.2.22.0

SSLCipherSuite ALL:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3

Since you disable all SSL 3.0 ciphers and since TLS 1.0 and TLS 1.1 just use the SSL 3.0 ciphers and since IE 8 does not support TLS 1.2 there will be no shared ciphers. You will probably find some error messages about this in your log files.

Note, that the POODLE attack is a design flaw in the SSL 3.0 protocol, not in the SSL 3.0 ciphers. Thus you should only disable the protocol, not the ciphers.

Also, your current cipher suite includes very dangerous ciphers, because it includes ADH ciphers which don't require any form of identification of the server. With such ciphers man-in-the-middle attacks are possible.

Edit: in your comment you mention that the client is using Windows 7. Windows 7 should support TLS 1.2 but since the client obviously did not do much updates on the system (otherwise there would be no IE 8 in use) it might be that there are problems with IE 8 and TLS 1.2.

Ssl – Configuring Tomcat 7 to use TLS only

To debug the situation you can use the command line tools of openssl, especially openssl s_client. By adding the options -tls1, -tls1_1 and -tls1_2 you can test compatibility for the protocols, and with -cipher [cipherlist] for ciphers. For example

openssl s_client -connect example.com:443 -tls1

You will get detailed information and possibly warnings about the connection, the certificate and features (like Renegotiation, Compression, etc.). This will help to debug the issue.

Best Answer

Related Solutions

Ssl – Internet Explorer 8 – TLS Fatal Error Close Notify – Oracle HTTP – Server Apache 2.2.22.0

Ssl – Configuring Tomcat 7 to use TLS only

Related Topic