How to reconfigure the server.xml file to enable TSLv1.2 only

Greenhorn
Hi,

I have a web application using Tomcat which is SSL configured and is currently using TLSv1 and TLSv1.1, and I need to reconfigure it so it uses TLSv1.2.

Java version 1.8, Tomcat version 8.5

The current connector code in the server.xml file is working fine (the https:// URL is working fine).

1. On checking the server.xml, the connector port is defined as:
   <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystorePass="xxx" keystoreFile="xxx" maxThreads="150" minSpareThreads="25" acceptCount="100" enableLookups="false"/>

2. To reconfigure Tomcat to use TLSv1.2, we need to change the above code to:
   <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" keystorePass="xxx" keystoreFile="xxx" maxThreads="150" minSpareThreads="25" acceptCount="100" enableLookups="false"/>

Steps to perform this change:

1. Stop Tomcat.
2. Make the above code changes in the config file.
3. Restart Tomcat.
4. Test the URL.

Also, is there a way to verify that the protocol is using the TLSv1.2 version only? Please note that we cannot install any 3rd-party tool or utility to check this on the server due to client restrictions.

Thanks!


Tim Moores
Saloon Keeper
If the host is publicly accessible, you could run a test with https://www.ssllabs.com/ssltest/. But given that the port is 8443, it probably isn't.

If you can get to the same network with an Android device, you can run an SSL scan with an app like this one. Or from a laptop equipped with https://github.com/rbsec/sslscan/

Ron McLeod
Saloon Keeper

Tim Moores wrote: If the host is publicly accessible, you could run a test with https://www.ssllabs.com/ssltest/. But given that the port is 8443, it probably isn't.


SSL Labs is a great test/analysis tool, but as Tim mentioned, it isn't going to work with a port other than 443. One work-around, if you have an Internet-facing firewall, would be to temporarily rewrite the destination port for Internet traffic from port 443 to 8443, so that the online tool would be able to access your Tomcat instance.
 
Ron McLeod
Saloon Keeper
Another option would be to use nmap - it will show supported versions of TLS as well as the cipher suites:
 
Ron McLeod
Saloon Keeper
Another way would be using curl, and forcing it to use the various SSL/TLS versions to see which ones are supported:

The version options are:
    --tlsv1
    --tlsv1.0
    --tlsv1.1
    --tlsv1.2
    --sslv2
    --sslv3
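As an added example (not code from the thread), the curl approach above turned into a small POSIX shell script that probes one TLS version per attempt and reports whether the connector still accepts anything other than TLSv1.2, which is the verification the original question asked for. It assumes curl 7.54 or newer so that `--tls-max` is available (it pins the maximum version; the `--tlsvX.Y` flags alone only set the minimum); the host, port and script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: probe a Tomcat HTTPS connector with curl,
# forcing exactly one TLS version per attempt, and check that only TLSv1.2 is
# accepted. Assumes curl >= 7.54 (for --tls-max); host/port are placeholders.

# classify_exit CURL_EXIT_CODE -> accepted | rejected | error(N)
classify_exit() {
  case "$1" in
    0)  echo accepted ;;       # handshake completed and an HTTP response arrived
    35) echo rejected ;;       # curl "SSL connect error": server refused the handshake
    *)  echo "error($1)" ;;    # e.g. 7 = connection refused, 28 = timeout
  esac
}

# probe_version HOST PORT VERSION -> result label for that exact TLS version
probe_version() {
  rc=0
  # -k: internal Tomcat instances often carry self-signed certificates; we are
  #     testing protocol negotiation here, not the certificate chain.
  curl -k -s -o /dev/null --connect-timeout 5 \
       "--tlsv$3" --tls-max "$3" "https://$1:$2/" || rc=$?
  classify_exit "$rc"
}

# evaluate_policy R10 R11 R12 -> success only when TLSv1.0 and TLSv1.1 were
# explicitly rejected and TLSv1.2 was accepted. A network error on an old
# version is not treated as evidence that it is disabled.
evaluate_policy() {
  [ "$1" = rejected ] && [ "$2" = rejected ] && [ "$3" = accepted ]
}

# Usage: sh tls-probe.sh HOST [PORT]   (nothing is probed when no host is given)
if [ -n "$1" ]; then
  host="$1"; port="${2:-8443}"
  r10=$(probe_version "$host" "$port" 1.0)
  r11=$(probe_version "$host" "$port" 1.1)
  r12=$(probe_version "$host" "$port" 1.2)
  printf 'TLSv1.0: %s\nTLSv1.1: %s\nTLSv1.2: %s\n' "$r10" "$r11" "$r12"
  if evaluate_policy "$r10" "$r11" "$r12"; then
    echo "OK: connector accepts TLSv1.2 only"
  else
    echo "FAIL: an older version is still accepted, or a probe did not complete"
    exit 1
  fi
fi
```

Run it from any machine that can reach port 8443 with curl installed, so nothing has to be added to the server itself.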
 
Saloon Keeper
Welcome to the Ranch, Hetal!

It's also worth noting that for web applications that will appear on the public Internet (where you would need to be most careful about limiting TLS protocols), it's generally not recommended to connect Tomcat directly.

DNS services don't record port numbers, only IP addresses, so http will assume port 80 by default and https will assume port 443. To get to port 8443, the client would have to explicitly request it in their URL (that is, https://myserver.com:8443), which is inconvenient and error-prone.

Port values below 4096 are not available to general application program users such as Tomcat, so to actually use Tomcat directly on ports 80 and 443 would require running Tomcat as a privileged user, which is a security risk.

More often, a reverse proxy server such as Apache, Nginx or IIS is used as the public web interface and an internal connection is made from the proxy server to Tomcat. The internal connection is generally not encrypted, since it's usually done via an encoded channel and one hopes that your backend LAN is secured against public access anyway. So in a case like this, the limits on transport protocols would be made in the configuration of the proxy server, not Tomcat, since that's where the decryption will be done.

In addition to software proxy servers there are also hardware proxy servers, which are often also load balancers for a cluster of backend appservers. Here, too, the TLS constraints would be done in their configurations.