I am using tomcat version 6. I want to configure ssl by specifying some ciphers in HTTP connector . I am following below link which describes how to configure HTTP connector to prevent logjam vulnerability.
https://weakdh.org/sysadmin.html
Before changes my connector configuration was like this
<Connector sslProtocols = "TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
executor="tomcatThreadPool" keyAlias="tcserver"
keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme"
maxKeepAliveRequests="15" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
redirectPort="8443" scheme="https" secure="true"/>
After changes my connector configuration is like this.I just added ciphers to it.
<Connector ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WIT_RC4_128_SHA"
sslProtocols = "TLS" SSLEnabled="true" acceptCount="100" connectionTimeout="20000"
executor="tomcatThreadPool" keyAlias="tcserver" keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme" maxKeepAliveRequests="15"
port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="8443"
scheme="https" secure="true"/>
But its not working.To make it work i had to change from
protocol="org.apache.coyote.http11.Http11NioProtocol" to protocol="HTTP/1.1".
But i want to use org.apache.coyote.http11.Http11NioProtocol as it is non-blocking and more efficient.
Please tell me how to do this.
I just checked the logs of tomcat and i was getting illegal argument exception whenever i tried to hit my ssl enabled web page.
The issue was with ciphers. In Tomcat 6 some of ciphers won't work if i use org.apache.coyote.http11.Http11NioProtocol. I don't know the particular reason of it.But the name of the ciphers i removed from my connector are given below. Now, i can open my ssl enabled webpages.If anybody know the answer please post.
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Related
With IE dying off, I need to get Tomcat9 to use TLS1.2 only. I cant have TLS1.3 or any other protocol working. I have tried different connectors and the site becomes unreachable. I feel I am close with this config below, but with this Edge gives me unsupported protocol.
<Connector port="443" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" SSLProtocol = "TLSv1.2"
SSLEngine="on"
connectionTimeout="20000"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256"
I have a single instance deployment of WSO2 and now I want to be able to access the carbon management services like publisher/store etc through http. I have tried the following configurations in catalina-server.xml. I also want to use nginx as reverse proxy through http port for carbon consoles. Please help. I have also tried editing the axis2.xml to add port mappings for nginx 80 and 443 port. Currently when i run carbon console through 9763 it gets redirected to 9443 and after adding mappings in axis2.xml it responds as requested url not found for /publisher/..../login.jag
<Server port="8005" shutdown="SHUTDOWN">
<Service className="org.wso2.carbon.tomcat.ext.service.ExtendedStandardService" name="Catalina">
<!--
optional attributes:
proxyPort="80"
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9763"
bindOnInit="false"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
URIEncoding="UTF-8"/>
<!--
optional attributes:
proxyPort="443"
Added sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" for poodle vulnerability fix
-->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
bindOnInit="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
maxThreads="250"
minSpareThreads="50"
disableUploadTimeout="false"
enableLookups="false"
connectionUploadTimeout="120000"
maxKeepAliveRequests="200"
acceptCount="200"
server="WSO2 Carbon Server"
clientAuth="false"
compression="on"
scheme="https"
secure="true"
SSLEnabled="true"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
keystorePass="wso2carbon"
URIEncoding="UTF-8"/>
<Engine name="Catalina" defaultHost="localhost">
<!--Realm className="org.apache.catalina.realm.MemoryRealm" pathname="${carbon.home}/repository/conf/tomcat/tomcat-users.xml"/-->
<Realm className="org.wso2.carbon.tomcat.ext.realms.CarbonTomcatRealm"/>
<Host name="localhost" unpackWARs="true" deployOnStartup="false" autoDeploy="false"
appBase="${carbon.home}/repository/deployment/server/webapps/">
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs"
prefix="http_access_" suffix=".log"
pattern="combined"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve" threshold="600"/>
<Valve className="org.wso2.carbon.tomcat.ext.valves.CompositeValve"/>
</Host>
</Engine>
</Service>
Uncomment the following line in carbon.xml.
<EnableHTTPAdminConsole>true</EnableHTTPAdminConsole>
Please note this is not recommended in production environments.
I have a web application deployed on tomcat 7.0.23, and there are two connectors are set, almost default value.
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
compression="on"
compressableMimeType="text/xml"
address="SERVER_HOSTNAME" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="400" scheme="https" secure="true"
address="SERVER_HOSTNAME"
clientAuth="false" SSLProtocol="ALL"
SSLCertificateFile="/PATH/tomcat-server.crt"
SSLCertificateKeyFile="/PATH/tomcat-server.rsa"
SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
compression="on" compressableMimeType="text/xml"/>
After tomcat just restarts, both http:8080 and https:8443 work fine. While after a few days, the 8080 will not work, but the 8443 still works fine. The meaning of "8080 not work" is when using firefox to access the http:8080, some resources like js/css files will unavailable randomly.
In firebug, sometimes the A.js file will be shown as "Aborted", sometime the B.js will be shown as "Aborted". I tried to access one single file, like http://:8080/js/A.js file, the result is also random, sometime the full content can be shown in browser, sometime http request is aborted.
I also tried to increase the connectionTimeout to "60000", the only change thing is in Firebug, the aborted request was 0B but now is actual size. The only way to make 8080 work fine is to restart the tomcat.
Please someone tell me what's the cause or which way I should try? Thanks.
Another process might be taking the port 8080 somehow. And this process does not respond correctly to requests you address to Tomcat.
So, next time you see this issue, before restarting Tomcat, check which process the port 8080 currently belongs to.
On Linux I use the following command for this:
netstat -nlpt | grep 8080
One of the columns (the last one if I remember correctly) will be the ID of the process that consumes the port.
In case you have a Windows setup, use
netstat -ano | find "LISTENING" | find "8080"
Then find this PID in the Task Manager.
FYI: Windows Task Manager – showing the PID
I am trying to load SSL certificate to one of our site. We are using JBoss AS 7.0.2 for our application on Ubuntu Server 12.04, it's running successfully on http while on https it's not responding. Server is starting successfully without any exception. Kindly suggest the steps to debug this problem.
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="true" secure="true">
<ssl password="******" certificate-key-file="/mnt/jboss/******" verify-client="false" certificate-file="/mnt/jboss/********.key"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
i did a restart of my tomcat 7 web-server yesterday, because I deployed a second webapp. I have added a 'GlobalNamingResources' to server.xml but did not change anything else!
After the restart my ROOT App was not accessible anymore via http, only via https.
Here are my connectors from server.xml:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml, .... [some more]"
/>
<Connector
port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="${catalina.base}/conf/.keystore"
keystorePass="***"
clientAuth="false"
sslProtocol="TLS"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml, .... [some more]"
/>
could it be that redirectPort="443" should better be redirectPort="8443"? However, this was working before.
highly appreciate any ideas. Thank you!