SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

James H. H. Lampert
I've got an issue here.

On the one hand, we have a Tomcat server running on Amazon (in a
Beanstalk cluster). And we have an AS/400 running an old enough OS that,
so far as I'm aware, cannot be configured to use TLS 1.2 at the current
OS release level. And that AS/400 needs to access that Tomcat server
(which it does, using Scott Klement's open source HTTPAPI product, which
has become pretty much an industry standard for the purpose).

And on the other hand, we are getting a security report from SSLLabs,
telling us that our security rating is capped at "B" because we allow
TLS 1.0 and 1.1.

BUT, our entire office is on a static IP address, and we already know
how to open a port on our Amazon firewall to only accept traffic from
our office IP.

Given all this, is it possible to (1) have Tomcat listen on two separate
HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
other accept something our AS/400 can use?

--
James H. H. Lampert

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

Mark Thomas-2
On 17/07/2020 17:55, James H. H. Lampert wrote:

> I've got an issue here.
>
> On the one hand, we have a Tomcat server running on Amazon (in a
> Beanstalk cluster). And we have an AS/400 running an old enough OS that,
> so far as I'm aware, cannot be configured to use TLS 1.2 at the current
> OS release level. And that AS/400 needs to access that Tomcat server
> (which it does, using Scott Klement's open source HTTPAPI product, which
> has become pretty much an industry standard for the purpose).
>
> And on the other hand, we are getting a security report from SSLLabs,
> telling us that our security rating is capped at "B" because we allow
> TLS 1.0 and 1.1.
>
> BUT, our entire office is on a static IP address, and we already know
> how to open a port on our Amazon firewall to only accept traffic from
> our office IP.
>
> Given all this, is it possible to (1) have Tomcat listen on two separate
> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
> other accept something our AS/400 can use?

Yes. You need two Connector elements specifying different ports and
different protocols. They should be able to use the same certificate
configuration.

Mark



RE: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

jonmcalexander
It works quite well.

Sorry for the top post, I only have Outlook and it sucks in this respect.


Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

James H. H. Lampert
In reply to this post by Mark Thomas-2
Running two connectors seems to work just fine, but I'm having trouble
getting one of them to only take TLS 1.2.

In reply to my query:

>> Given all this, is it possible to (1) have Tomcat listen on two separate
>> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
>> other accept something our AS/400 can use?

On 7/17/20 10:03 AM, Mark Thomas wrote:

> Yes. You need two Connector elements specifying different ports and
> different protocols. They should be able to use the same certificate
> configuration.

I just ran a test on our development Amazon EC2 instance, and verified
that I could listen on two different ports (existing 8443 and now 7443),
and I limited (or so I thought) 8443 (to which I have 443 rerouted
through iptables) to TLS 1.2.

Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!

I commented out the connector for 8443 and restarted Tomcat, but it's
still giving the same report from SSLLabs.

The connector for 8443 in server.xml looks like this (lines truncated):
> <Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http1$
>  compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
>                maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>                keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>                clientAuth="false" sslProtocol="TLSv1.2" />

The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7
installation on our most security-conscious customer's AS/400; this
Tomcat is 8.5. Am I specifying it wrong?

--
JHHL


RE: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

jonmcalexander
This looks like a cipher, not an alias

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

James H. H. Lampert
On 7/17/20 2:36 PM, [hidden email] wrote:
> This looks like a cipher, not an alias
>
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256

It is. The lines are truncated at 72 characters for the email.

--
JHHL


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

James H. H. Lampert
In reply to this post by jonmcalexander
On 7/17/20 2:36 PM, [hidden email] wrote:
> This looks like a cipher, not an alias
>
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256

As I said, of course it's a cipher. I said up front that the lines were
truncated, in order to fit in an email.

I can't imagine why seeing the whole connector would make a difference,
but if anybody wants to see it un-truncated (albeit with the same
redactions), it's now also on ServerFault, at
   https://serverfault.com/q/1025706/498231?sem=2

--
JHHL


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

Mark Thomas-2
In reply to this post by James H. H. Lampert
On 17/07/2020 21:47, James H. H. Lampert wrote:

> Running two connectors seems to work just fine, but I'm having trouble
> getting one of them to only take TLS 1.2
>
> In reply to my query:
>
>>> Given all this, is it possible to (1) have Tomcat listen on two separate
>>> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
>>> other accept something our AS/400 can use?
>
> On 7/17/20 10:03 AM, Mark Thomas wrote:
>
>> Yes. You need two Connector elements specifying different ports and
>> different protocols. They should be able to use the same certificate
>> configuration.
>
> I just ran a test on our development Amazon EC2 instance, and verified
> that I could listen on two different ports (existing 8443 and now 7443),
> and I limited (or so I thought) 8443 (to which I have 443 rerouted
> through iptables) to TLS 1.2.
>
> Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!
>
> I commented out the connector for 8443 and restarted Tomcat, but it's
> still giving the same report from SSLLabs.
>
> The connector for 8443 in server.xml looks like this (lines truncated):
>> <Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http1$
>>  compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
>>                maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>>                keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>                clientAuth="false" sslProtocol="TLSv1.2" />
>
> The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7
> installation on our most security-conscious customer's AS/400; this
> Tomcat is 8.5. Am I specifying it wrong?

I should probably remind myself why this is the way this is.

You want:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"

And to answer my question above, because that is the way the JSSE API
has been written.

Mark

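The two-connector layout Mark describes, with the attribute pair from his correction, as an added example rather than anything from the thread or from Tomcat itself: a constructed server.xml fragment (one public port pinned to TLSv1.2 through sslEnabledProtocols, one legacy port for the AS/400 that stays behind the office-IP firewall rule) plus a small audit that flags the pattern in James's connector, where a version is named in sslProtocol but sslEnabledProtocols is left unset. Ports and the keystore path are placeholders, and the audit assumes that an unset sslEnabledProtocols leaves a Tomcat 8.5 JSSE connector with every protocol the JVM supports (the "all" default).

```python
"""Audit Tomcat server.xml Connector elements for TLS protocol settings."""
import xml.etree.ElementTree as ET

LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: with sslEnabledProtocols unset, a Tomcat 8.5 JSSE connector
# enables every protocol the JVM supports (the "all" default).
ALL_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]

# Constructed server.xml fragment (ports and keystore path are placeholders):
# a connector modelled on the one posted in the thread, then the corrected
# public/legacy pair.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <!-- modelled on the posted connector: version named in sslProtocol only -->
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             keystoreFile="/path/to/keystore.ks" sslProtocol="TLSv1.2" />
  <!-- public port (443 forwarded here): TLS 1.2 only, as Mark advised -->
  <Connector port="8443" proxyPort="443" SSLEnabled="true" scheme="https"
             secure="true" protocol="org.apache.coyote.http11.Http11NioProtocol"
             keystoreFile="/path/to/keystore.ks"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
  <!-- legacy port for the AS/400; firewall it to the office IP -->
  <Connector port="7443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             keystoreFile="/path/to/keystore.ks"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""


def enabled_protocols(attrs):
    """Protocol versions a connector will negotiate, from its attributes."""
    value = attrs.get("sslEnabledProtocols", "").strip()
    if not value or value.lower() == "all":
        return list(ALL_PROTOCOLS)
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_connector(attrs):
    """Findings for one SSLEnabled connector (empty list means clean)."""
    findings = []
    port = attrs.get("port", "?")
    proto = attrs.get("sslProtocol", "TLS")
    if proto != "TLS" and "sslEnabledProtocols" not in attrs:
        findings.append(
            f'port {port}: sslProtocol="{proto}" names a version but '
            'sslEnabledProtocols is unset; use sslProtocol="TLS" and '
            "sslEnabledProtocols to restrict versions")
    legacy = sorted(LEGACY & set(enabled_protocols(attrs)))
    if legacy:
        findings.append(
            f"port {port}: legacy protocols enabled ({', '.join(legacy)}); "
            "keep this port reachable only from the clients that need it")
    return findings


def audit(xml_text):
    """Audit every SSLEnabled connector in a server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings.extend(audit_connector(conn.attrib))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML):
        print(finding)
```

Run against a real server.xml the audit reports the posted connector twice (version in sslProtocol, legacy versions still enabled) and the legacy 7443 port once, while the corrected 8443 connector comes back clean.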


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

Christopher Schultz-2

Mark,

On 7/18/20 10:01, Mark Thomas wrote:

> On 17/07/2020 21:47, James H. H. Lampert wrote:
>> Running two connectors seems to work just fine, but I'm having
>> trouble getting one of them to only take TLS 1.2
>>
>> In reply to my query:
>>
>>>> Given all this, is it possible to (1) have Tomcat listen on
>>>> two separate HTTPS ports, and (2) have one of the ports
>>>> require TLS 1.2, but the other accept something our AS/400
>>>> can use?
>>
>> On 7/17/20 10:03 AM, Mark Thomas wrote:
>>
>>> Yes. You need two Connector elements specifying different ports
>>> and different protocols. They should be able to use the same
>>> certificate configuration.
>>
>> I just ran a test on our development Amazon EC2 instance, and
>> verified that I could listen on two different ports (existing
>> 8443 and now 7443), and I limited (or so I thought) 8443 (to
>> which I have 443 rerouted through iptables) to TLS 1.2.
>>
>> Except that SSLLabs tells me it's still accepting TLS 1.0 and
>> 1.1!
>>
>> I commented out the connector for 8443 and restarted Tomcat, but
>> it's still giving the same report from SSLLabs.
>>
>> The connector for 8443 in server.xml looks like this (lines
>> truncated):
>>> <Connector port="8443" proxyPort="443"
>>> protocol="org.apache.coyote.http1$ compression="on"
>>> compressionMinSize="2048" noCompressionUserAgents="goz$
>>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>> clientAuth="false" sslProtocol="TLSv1.2" />
>>
>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the
>> Tomcat 7 installation on our most security-conscious customer's
>> AS/400; this Tomcat is 8.5. Am I specifying it wrong?
>
> I should probably remind myself why this is the way this is.
>
> You want:
>
> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
>
> And to answer my question above, because that is the way the JSSE
> API has been written.

We should probably just merge these into a single attribute and "do
the right thing":

1. If not specified, do nothing unusual
2. If the value includes a ",", use it for sslEnabledProtocols, use
"TLS" as sslProtocol
3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Practically speaking, the only useful value for sslProtocol today is
"TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
sslEnabledProtocols to TLSv1.2 but using the same value for both has
the same effect, of course.

In the future, if anything other than "TLS" makes sense for
sslProtocol, we can change Tomcat to support that.

We should also probably have SSLEnabled="true" be the default if any
TLS-related configuration option is used on a connector.

WDYT?

-chris


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

James H. H. Lampert
Mark Thomas and Christopher Schultz wrote:

>> You want:
>>
>> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
>>
>> And to answer my question above, because that is the way the JSSE
>> API has been written.
>
> We should probably just merge these into a single attribute and "do
> the right thing":
>
> 1. If not specified, do nothing unusual
> 2. If the value includes a ",", use it for sslEnabledProtocols, use
> "TLS" as sslProtocol
> 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols
>
> Practically speaking, the only useful value for sslProtocol today is
> "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
> sslEnabledProtocols to TLSv1.2 but using the same value for both has
> the same effect, of course.
>
> In the future, if anything other than "TLS" makes sense for
> sslProtocol, we can change Tomcat to support that.
>
> We should also probably have SSLEnabled="true" be the default if any
> TLS-related configuration option is used on a connector.
>
> WDYT?

Well, I think (from direct experience) that for Tomcat 7 running on an
AS/400, "merge these into a single attribute and 'do the right thing'"
*is* how it works, so the entirety of Christopher's suggestion makes
perfect sense to me.

At any rate, thanks to both of you; it works.

Although it does raise the question of whether the observed behavior in
Tomcat 7 on an AS/400 is a Tomcat 7 thing or an AS/400 thing.

--
JHHL


Re: Problem with protocols, Re: SSL/TLS issue: can we listen on more than one secured port, with different protocols enabled?

Mark Thomas-2
In reply to this post by Christopher Schultz-2
On 19/07/2020 13:55, Christopher Schultz wrote:

> Mark,
>
> On 7/18/20 10:01, Mark Thomas wrote:
>> On 17/07/2020 21:47, James H. H. Lampert wrote:
>>> Running two connectors seems to work just fine, but I'm having
>>> trouble getting one of them to only take TLS 1.2
>>>
>>> In reply to my query:
>>>
>>>>> Given all this, is it possible to (1) have Tomcat listen on
>>>>> two separate HTTPS ports, and (2) have one of the ports
>>>>> require TLS 1.2, but the other accept something our AS/400
>>>>> can use?
>>>
>>> On 7/17/20 10:03 AM, Mark Thomas wrote:
>>>
>>>> Yes. You need two Connector elements specifying different ports
>>>> and different protocols. They should be able to use the same
>>>> certificate configuration.
>>>
>>> I just ran a test on our development Amazon EC2 instance, and
>>> verified that I could listen on two different ports (existing
>>> 8443 and now 7443), and I limited (or so I thought) 8443 (to
>>> which I have 443 rerouted through iptables) to TLS 1.2.
>>>
>>> Except that SSLLabs tells me it's still accepting TLS 1.0 and
>>> 1.1!
>>>
>>> I commented out the connector for 8443 and restarted Tomcat, but
>>> it's still giving the same report from SSLLabs.
>>>
>>> The connector for 8443 in server.xml looks like this (lines
>>> truncated):
>>>> <Connector port="8443" proxyPort="443"
>>>> protocol="org.apache.coyote.http1$ compression="on"
>>>> compressionMinSize="2048" noCompressionUserAgents="goz$
>>>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>>>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>>>> clientAuth="false" sslProtocol="TLSv1.2" />
>>>
>>> The 'sslProtocol="TLSv1.2"' clause is copied directly from the
>>> Tomcat 7 installation on our most security-conscious customer's
>>> AS/400; this Tomcat is 8.5. Am I specifying it wrong?
>
>> I should probably remind myself why this is the way this is.
>
>> You want:
>
>> sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
>
>> And to answer my question above, because that is the way the JSSE
>> API has been written.
>
> We should probably just merge these into a single attribute and "do
> the right thing":
>
> 1. If not specified, do nothing unusual
> 2. If the value includes a ",", use it for sslEnabledProtocols, use
> "TLS" as sslProtocol
> 3. Otherwise, use value for both sslProtocol AND sslEnabledProtocols

Seems reasonable.

> Practically speaking, the only useful value for sslProtocol today is
> "TLS". You can specify e.g. "TLSv1.2" and I think it will restrict
> sslEnabledProtocols to TLSv1.2 but using the same value for both has
> the same effect, of course.
>
> In the future, if anything other than "TLS" makes sense for
> sslProtocol, we can change Tomcat to support that.
>
> We should also probably have SSLEnabled="true" be the default if any
> TLS-related configuration option is used on a connector.

That might catch a few folks by surprise but it does seem reasonable.

I think there is scope in Tomcat 10 to clean up the TLS configuration a
little more. We have a couple of months until Jakarta EE 9 is released
so there is time to improve this.

Mark
