Enable TLS 1.2 only in apache-tomcat-9 and Java 8

Question

I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java

Openjdk version 1.8.x
Oracle Java 1.8.x

I need to allow TLS 1.2 only.

Please help guide me to achieve this.

I have tried to follow the following links(Not sure if they are outdated).

But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.

how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8

How do I disable SSLv3 in tomcat?

Does Tomcat support TLS v1.2? (The two steps mentioned by oraclesoon doesn't seem to work)

How do I disable SSLv3 support in Apache Tomcat?

Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8 says sslProtocol is no longer used in java 8

score 2 · Answer 1 · answered Jan 03 '19 at 02:52

I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.1,TLSv1.2">     
    <Certificate certificateKeystoreFile="conf/keystore.jks" 
                     type="RSA" />
    </SSLHostConfig>
</Connector>

See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

score 1 · Answer 2 · answered Oct 17 '18 at 15:08

1

You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>

Please refer this configuration guide and try that out.

answered Oct 17 '18 at 15:08

Ravindra Ranwala

20,744
6
45
63

Using https://www.mkyong.com/tomcat/how-to-configure-tomcat-to-support-ssl-or-https/, I have configured <<> – lab bhattacharjee Oct 17 '18 at 15:16
Anyway I don't see a property called `sslEnabledProtocols` in the documentation. – Ravindra Ranwala Oct 17 '18 at 15:18
As mentioned in the Question, https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled. – lab bhattacharjee Oct 17 '18 at 15:19
Change your `SSLProtocol="TLSv1.2"` and check that again. – Ravindra Ranwala Oct 17 '18 at 15:20
I shall do that. But there is already one sslProtocol="SSL" as found in many documents. Are these attributes of connector case sensitive. Shall I remove sslProtocol ? – lab bhattacharjee Oct 17 '18 at 15:24
yeah there may be subtle changes between different versions. Better stick to the exact documentation of that version IMHO. – Ravindra Ranwala Oct 17 '18 at 15:25
The difference is due the Connector protocol (See https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File). The following configuration did not help – lab bhattacharjee Oct 17 '18 at 16:26
I shall try with your Http11AprProtocol. But do I need to use https://stackoverflow.com/questions/24343681/how-to-convert-trust-certificate-from-jks-to-pem ? – lab bhattacharjee Oct 17 '18 at 16:28
@labbhattacharjee Did you get it to work with the Http11NioProtocol? I am trying to figure out an implementation for TLSv1.3 – coderunner Mar 11 '20 at 09:51

score 0 · Answer 3 · answered Apr 18 '19 at 21:20

If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilter and then inside the filter(RequestContext requestContext) method insert a check that verifies that the TLS connection adhere's to your requirement.

if("TLSv1.2".equals(requestContext.getProperty("org.apache.tomcat.util.net.secure_protocol_version"))
{
   throw new IllegalStateException("Invalid TLS version");
}

This example is from Tomcat 8, but I suspect an option may be available for other containers.

Enable TLS 1.2 only in apache-tomcat-9 and Java 8

3 Answers3

Linked

Related