Tomcat - SSL - Khai's personal knowledge vault.

Tomcat - SSL

https://www.ssllabs.com/ssltest/
http://poodlebleed.com/
https://github.com/nabla-c0d3/sslyze
http://sourceforge.net/projects/sslscan/

http://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/ - done reading
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html - done reading
https://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html
https://creechy.wordpress.com/2011/08/22/ssl-termination-load-balancers-java/
http://stackoverflow.com/questions/8200853/how-can-i-know-if-the-request-to-the-servlet-was-executed-using-http-or-https
https://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/apr.html
https://www.owasp.org/index.php/Securing_tomcat
http://www.mulesoft.com/tomcat-security
http://www.mulesoft.com/tcat/tomcat-security
http://www.mulesoft.com/tomcat-ssl
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support#SSL_Support_-_APR/Native
http://serverfault.com/questions/637053/how-can-i-tell-if-my-website-is-vulnerable-to-cve-2014-3566-poodle
http://blog.ricardoamaro.com/content/poodle-sslv3-vulnerability-fix
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
http://stackoverflow.com/questions/12359288/disabling-ssl-tls-renegotiation-in-tomcat
http://superuser.com/questions/747642/how-to-get-the-openssl-version-in-a-tomcat-6-installation
http://grokbase.com/t/tomcat/users/1335h2v5bg/how-to-allow-only-tls-1-1-connections-to-tomcat-6-0-server-with-https
https://access.redhat.com/solutions/1232233
http://askubuntu.com/questions/537293/how-do-i-disable-sslv3-in-tomcat
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_5.0.0/com.ibm.java.security.component.doc.50/secguides/jsse2Docs/JSSE2RefGuide.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
https://www.cs.duke.edu/csed/java/jdk1.7/technotes/guides/plugin/developer_guide/faq/troubleshooting.html

How can we configure Tomcat to handle SSL port?

Edit the conf/server.xml file to include:

<Connector port="44304" maxThreads="150" protocol="HTTP/1.1" 
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="webapps/filename.pfx"
    keystorePass="password"
    keystoreType="PKCS12"
/>

<Connector port="44304" maxThreads="150" protocol="HTTP/1.1" 
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1" protocols="TLSv1" allowUnsafeLegacyRenegotiation="false"
    keystoreFile="webapps/filename.pfx"
    keystorePass="password"
    keystoreType="PKCS12"
/>

<Connector port="44304" maxThreads="150" protocol="HTTP/1.1" 
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1" protocols="TLSv1"
    keystoreFile="webapps/filename.pfx"
    keystorePass="password"
    keystoreType="PKCS12"
/>

For Tomcat 5 and 6:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

For Tomcat 7, use:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

The answers will vary depending on your Tomcat and Java versions, and if you are using JSSE verses AJP. The differences are as subtle as sslProtocols=TLSv1 verses sslProtocol="TLS" (Notice that s?).

<Connector port="8443" maxThreads="200"
    SSLEnabled="true" scheme="https" secure="true" 
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="${user.home}/.keystore" 
    keystorePass="changeit"
/>

The example above will throw an error if you have the APR and the Tomcat Native libraries in your path, as Tomcat will try to use the APR connector. The APR connector uses different attributes for SSL keys and certificates. An example of an APR configuration is:

<Connector port="8443" maxThreads="200"
    SSLEnabled="true" scheme="https" secure="true" 
    clientAuth="optional" SSLProtocol="TLSv1"
    SSLCertificateFile="/usr/local/ssl/server.crt" 
    SSLCertificateKeyFile="/usr/local/ssl/server.pem"
/>

The configuration options and information on which attributes are mandatory for the JSSE based connectors (BIO and NIO) are documented in the SSL Support section of the HTTP connector configuration reference. The configuration options and information on which attributes are mandatory for the APR connector are documented in the HTTPS section of the APR How-To.

See http://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/ and http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

How can we disable SSL v3?

<Connector port="44304" maxThreads="150" protocol="HTTP/1.1" 
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1" sslEnabledProtocols="TLSv1" protocols="TLSv1" allowUnsafeLegacyRenegotiation="false"
    keystoreFile="webapps/filename.pfx"
    keystorePass="password"
    keystoreType="PKCS12"
/>

sslProtocol: The the SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. There is overlap between this attribute and sslEnabledProtocols.

sslEnabledProtocols: The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default is used. There is overlap between this attribute and sslProtocol.

For more explicit control, consider using the sslEnabledProtocols attribute in addition to the sslProtocol attributebute. If specified, only protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default is used.

If you are using JSSE, you can control SSL / TLS parameters via Java Options such as:

java -Dsun.security.ssl.allowUnsafeRenegotiation=true -Dhttps.protocols="SSLv3,SSLv2Hello"

How can we disable weak ciphers?

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

How can we test for the POODLE vulnerability?

The POODLE attack exploit a fault in SSL v3. You need to configure Tomcat not to allow SSL3. After that is done and your Tomcat server is restarted, you can use:

openssl s_client -connect stg-reports.quantros.com
openssl s_client -ssl3 -connect [host]:[port]
curl -v -3 -X HEADcurl -v -3 -X HEAD  https://qmimstrqa01.sfo.quantros.com/MicroStrategy/servlet/mstrWeb

to verify that your server does not support SSL v3. You have to look closely at the output of this command to see if SSL v3 is used or not.

If you use the curl command, and your server does not support SSL v3, you should get an error:

curl: (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

which is what we want.

How can I determine if my Tomcat is using OpenSSL or JSSE?

OpenSSL is not part of Tomcat, but the OpenSSL library is included in the Tomcat 6 windows binary packages available from apache.org. The library code is integrated into a Tomcat dll, there is no openssl.exe included. There are several common modes of deployment for Tomcat on MS-Windows if HTTPS is enabled:

Tomcat standalone server with JSSE connector (Java SSL), OpenSSL is not used
Tomcat standalone server with APR connector, OpenSSL in use

See http://superuser.com/questions/747642/how-to-get-the-openssl-version-in-a-tomcat-6-installation.

I was using Tomcat 6 on Windows, and there was a message in the log file indicating that the APR library was not found, so I must be using JSSE for SSL.

How can we create a keystore file to store the server's private key and self-signed certificate?

Create a keystore file to store the server's private key and self-signed certificate by executing the following command:

// Windows:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA

// Unix
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

sslProtocols = "TLSv1,TLSv1.1,TLSv1.2"
secure="true"
SSLEnabled="true" scheme="https"

What is the purpose of the request.isSecure method?

I am not sure how the request.isSecure method work, but we can influence it using the scheme and secure attributes when we configure the Connector:

<Connector port="44304" protocol="HTTP/1.1" SSLEnabled="true" 
    connectionTimeout="360000" 
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="webapps/SSL-demo.safetyrx-11142014.pfx" 
    keystoreType="PKCS12"               
    keystorePass="..." />

https://tomcat.apache.org/tomcat-6.0-doc/config/http.html

page revision: 45, last edited: 18 Feb 2016 20:58

Edit Tags History Files Print Site tools + Options

Khai's personal knowledge vault.

Materials on this site are not original. When possible, references to original articles are listed on each page.

Other interesting sites

Games for Music

🐻🐻🐻

Steel and Stone

塔尔塔罗斯