Tomcat 9: what combination of ciphers works with TLS 1.2 only

With IE dying off, I need to get Tomcat 9 to use TLS 1.2 only. I can't have TLS 1.3 or any other protocol working. I have tried different connectors and the site becomes unreachable. I feel I am close with the config below, but with this, Edge gives me "unsupported protocol".
<Connector port="443" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" SSLProtocol="TLSv1.2"
           SSLEngine="on"
           connectionTimeout="20000"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

Related

Cannot access Tomcat from external IP address

I installed Tomcat on my virtual machine (on Azure) but failed to access it from an external IP address. I tried some methods I found on Stack Overflow, but they did not seem to work. The port forwarding tester also says port 8080 is closed on [my_ip_address]. I did manage to access it from localhost:8080 or 127.0.0.1:8080. I ran curl 127.0.0.1:8080 and it returns the correct web page. In addition, nginx is also able to access the website through the port.
The firewall is not running:
> sudo firewall-cmd --list-all
FirewallD is not running
Tomcat configuration file
I added address="0.0.0.0", but it does not work in my case:
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080"
address="0.0.0.0"
useIPVHosts="true"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define an SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
address="::1"
port="8009"
redirectPort="8443" />
-->
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
resolveHosts="true" prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
Active Internet connections
I managed to bind Apache Tomcat to IPv4 as suggested by confused genius, but it still did not work:
> netstat -ant
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8005 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN
tcp 0 36 10.0.0.4:22 75.84.33.143:59788 ESTABLISHED
tcp 0 0 127.0.0.1:8080 127.0.0.1:57604 TIME_WAIT
tcp 0 0 127.0.0.1:59724 127.0.0.1:8005 TIME_WAIT
tcp 0 0 127.0.0.1:8080 127.0.0.1:57584 TIME_WAIT
tcp 0 0 127.0.0.1:8080 127.0.0.1:57518 TIME_WAIT
tcp 0 0 127.0.0.1:8080 127.0.0.1:57520 TIME_WAIT
tcp 0 0 10.0.0.4:80 75.84.33.143:59952 ESTABLISHED
tcp 0 0 10.0.0.4:80 75.84.33.143:59953 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::5355 :::* LISTEN
From the netstat -ant output, port 8080 is listening only on tcp6 (IPv6), not on tcp (IPv4):
tcp6 0 0 :::8080 :::* LISTEN
So it needs to be enabled for IPv4 as well in order to access it via the host IP address.
Check this link; it might help.
I found the solution. It actually has nothing to do with Tomcat. The problem lies in Azure: you need to explicitly allow the port to be accessible in Azure. Adding it to the firewall does not solve the problem. (You can add an inbound port rule in Home/[VM]/Networking.)

WSO2 disabling port redirect from 9763 to 9443

I have a single-instance deployment of WSO2 and now I want to be able to access the Carbon management services like publisher/store etc. through HTTP. I have tried the following configurations in catalina-server.xml. I also want to use nginx as a reverse proxy through the HTTP port for the Carbon consoles. Please help. I have also tried editing axis2.xml to add port mappings for the nginx ports 80 and 443. Currently, when I run the Carbon console through 9763 it gets redirected to 9443, and after adding the mappings in axis2.xml it responds with "requested URL not found" for /publisher/..../login.jag.
<Server port="8005" shutdown="SHUTDOWN">
<Service className="org.wso2.carbon.tomcat.ext.service.ExtendedStandardService" name="Catalina">
<!--
optional attributes:
proxyPort="80"
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9763"
bindOnInit="false"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>
<!--
optional attributes:
proxyPort="443"
Added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" for poodle vulnerability fix
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
bindOnInit="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
keystorePass="wso2carbon"
URIEncoding="UTF-8"/>
<Engine name="Catalina" defaultHost="localhost">
<!--Realm className="org.apache.catalina.realm.MemoryRealm" pathname="${carbon.home}/repository/conf/tomcat/tomcat-users.xml"/-->
<Realm className="org.wso2.carbon.tomcat.ext.realms.CarbonTomcatRealm"/>
<Host name="localhost" unpackWARs="true" deployOnStartup="false" autoDeploy="false"
appBase="${carbon.home}/repository/deployment/server/webapps/">
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
prefix="http_access_" suffix=".log"
pattern="combined"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve" threshold="600"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CompositeValve"/>
</Host>
</Engine>
</Service>
Uncomment the following line in carbon.xml:
<EnableHTTPAdminConsole>true</EnableHTTPAdminConsole>
Please note this is not recommended in production environments.

Configuration for HTTP Connector of apache tomcat server

I am using Tomcat version 6. I want to configure SSL by specifying some ciphers in the HTTP connector. I am following the link below, which describes how to configure the HTTP connector to prevent the Logjam vulnerability.
https://weakdh.org/sysadmin.html
Before the changes my connector configuration was like this:
<Connector sslProtocols="TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
           executor="tomcatThreadPool" keyAlias="tcserver"
           keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme"
           maxKeepAliveRequests="15" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           redirectPort="8443" scheme="https" secure="true"/>
After the changes my connector configuration is like this. I just added ciphers to it:
<Connector ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
           sslProtocols="TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
           executor="tomcatThreadPool" keyAlias="tcserver" keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme" maxKeepAliveRequests="15"
           port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="8443"
           scheme="https" secure="true"/>
But it's not working. To make it work I had to change from
protocol="org.apache.coyote.http11.Http11NioProtocol" to protocol="HTTP/1.1".
But I want to use org.apache.coyote.http11.Http11NioProtocol as it is non-blocking and more efficient.
Please tell me how to do this.
I just checked the Tomcat logs and I was getting an IllegalArgumentException whenever I tried to hit my SSL-enabled web page.
The issue was with the ciphers. In Tomcat 6 some of the ciphers won't work if I use org.apache.coyote.http11.Http11NioProtocol. I don't know the particular reason for it, but the names of the ciphers I removed from my connector are given below. Now I can open my SSL-enabled web pages. If anybody knows the answer, please post.
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
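As an added check (not from either question above, and not part of Tomcat), here is a small Python linter for the JSSE cipher names that both the Tomcat 9 and the Tomcat 6 connectors use: it parses a ciphers attribute, drops suites the keystore's key type cannot serve (ECDSA and static ECDH suites need an EC key in the certificate), flags RC4 and other broken ciphers, and notes which surviving suites lack forward secrecy. The sample input is the Tomcat 9 question's list; the key type is an assumption you set from your own keystore.

```python
import re

# JSSE suite names: TLS_<KEYEXCHANGE>_WITH_<CIPHER>_<MAC>. TLS 1.3 names and typos won't match.
_SUITE = re.compile(r"^(?:TLS|SSL)_(.+?)_WITH_(.+)$")

# Key exchanges a server can run from an RSA private key, and those that need
# an EC public key in the server certificate (ECDSA signing or static ECDH).
RSA_KEY_KX = {"RSA", "DHE_RSA", "ECDHE_RSA"}
EC_KEY_KX = {"ECDHE_ECDSA", "ECDH_ECDSA", "ECDH_RSA"}
FORWARD_SECRET = {"DHE_RSA", "ECDHE_RSA", "ECDHE_ECDSA"}
BROKEN = ("RC4", "3DES", "DES_", "NULL", "EXPORT")


def lint_ciphers(value: str, key_type: str = "RSA") -> tuple[list[str], list[str]]:
    """Return (usable, findings) for a Tomcat ciphers="..." value and a keystore
    whose server key is key_type ('RSA' or 'EC'). Usable suites are the ones the
    server can negotiate with that key; findings explain rejections and weaknesses."""
    usable, findings = [], []
    # Tolerate the whitespace and line breaks that pasted server.xml fragments carry.
    for name in (s.strip() for s in value.split(",") if s.strip()):
        m = _SUITE.match(name)
        kx, enc = m.groups() if m else ("", "")
        if kx not in RSA_KEY_KX | EC_KEY_KX:
            findings.append(f"{name}: not a recognisable TLS 1.2 suite name")
            continue
        needs = "EC" if kx in EC_KEY_KX else "RSA"
        if needs != key_type:
            findings.append(f"{name}: needs an {needs} certificate, keystore holds {key_type}")
            continue
        if any(tok in enc for tok in BROKEN):
            findings.append(f"{name}: broken or weak cipher, drop it")
            continue
        usable.append(name)
        if kx not in FORWARD_SECRET:
            findings.append(f"{name}: usable, but no forward secrecy")
    if not usable:
        findings.append("no suite is usable with this key: every TLS 1.2 handshake will fail")
    return usable, findings


# Constructed sample: the ciphers attribute from the Tomcat 9 question above.
QUESTION_CIPHERS = """TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
 TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256"""
```

With an RSA keystore entry, only the two TLS_RSA suites in the question's list survive and neither offers forward secrecy; with an EC entry, the twelve ECDSA/ECDH suites survive and the TLS_RSA pair is rejected instead.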

Https not working JBoss AS 7.0.2

I am trying to load an SSL certificate for one of our sites. We are using JBoss AS 7.0.2 for our application on Ubuntu Server 12.04; it's running successfully on HTTP, while on HTTPS it's not responding. The server starts successfully without any exception. Kindly suggest the steps to debug this problem.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="true" secure="true">
<ssl password="******" certificate-key-file="/mnt/jboss/******" verify-client="false" certificate-file="/mnt/jboss/********.key"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>

webapp on tomcat 7 only available via ssl (http not working, https working)

I did a restart of my Tomcat 7 web server yesterday because I deployed a second webapp. I added a 'GlobalNamingResources' to server.xml but did not change anything else!
After the restart my ROOT app was not accessible anymore via HTTP, only via HTTPS.
Here are my connectors from server.xml:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml, .... [some more]"
/>
<Connector
port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="${catalina.base}/conf/.keystore"
keystorePass="***"
clientAuth="false"
sslProtocol="TLS"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml, .... [some more]"
/>
Could it be that redirectPort="443" should better be redirectPort="8443"? However, this was working before.
I highly appreciate any ideas. Thank you!
