2

I have a tomcat webapp where the client is using TLS1.2 but a technical scan found the server is still using TLS1.0. I want to enable TLS1.2. We are using Java 7 and the connector snippet for the server.xml is as below,

   <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000" 
            socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2024" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" 
            keystoreFile="/cert/fic_rest.jks" keystorePass="********" 
            truststoreFile="/cert/fic_rest.jks" server="UnIdentified" compression="on" compressionMinSize="2048" 
            noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
    />
<!-- Define an AJP 1.3 Connector on port 2023 -->
<Connector port="2023" protocol="AJP/1.3" redirectPort="2022" />

    <Connector  acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000" 
            socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2020" protocol="org.apache.coyote.http11.Http11NioProtocol" server="UnIdentified"
    />

Would changing "sslProtocol="TLS" to "sslProtocol="TLSv1.2" is all that is enough? We are using tomcat 7.0.82

Sijo Kurien
  • 95
  • 2
  • 10
  • Does this answer your question? [Enable TLS 1.2 only in apache-tomcat-9 and Java 8](https://stackoverflow.com/questions/52857932/enable-tls-1-2-only-in-apache-tomcat-9-and-java-8) – Piotr P. Karwasz Mar 08 '21 at 06:44
  • Which version of Tomcat are you using? Since you are using a pre-8.5 configuration syntax, I would guess 8.0 ([unsupported](https://tomcat.apache.org/tomcat-80-eol.html)) or 7.0 ([soon to be unsupported](https://tomcat.apache.org/tomcat-70-eol.html)). That also may influence you security audit. – Piotr P. Karwasz Mar 08 '21 at 07:13
  • We are using tomcat 7.0.82 – Sijo Kurien Mar 08 '21 at 07:44

1 Answers1

1

The sslProtocol configuration protocol does next to nothing: it only specifies which SSLContext to use, but from the perspective of a server this does not restrict anything. Any version of SSLContext sets the default SSL server protocols to the entire list of supported protocols (cf. source code).

Therefore you need to set sslEnabledProtocols="TLSv1.2" (cf. Tomcat documentation) to restrict the accepted protocol versions to only TLS 1.2. You can then test your configuration using curl.

However, if usage of TLS versions less then 1.2 is a security constraint for the whole system (cf. this question) by adding the following line to $JRE_HOME/lib/security/java.security:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1

Warning: this will influence all TLS connections in Java, even those with old databases.

Piotr P. Karwasz
  • 12,857
  • 3
  • 20
  • 43
  • Piotr P. Karwasz Our objective it to convince the client that all TLS versions supported by the jdk is enabled just by setting, "sslProtocol="TLS. So does this mean "sslProtocol="TLSv1.2" has not impact? Also by using curl we are getting Connected to localhost (::1) port 2064 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * skipping SSL peer certificate verification * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA which doesnt not specify what is the protocol used. – Sijo Kurien Mar 08 '21 at 08:29
  • `curl --verbose` tells you which version was selected, but check [the answer I linked to](https://superuser.com/questions/606598/specifying-minor-tls-version-when-using-curl) on how force `curl` to use only a specific version. If you wish to accept all TLS versions `sslProtocol="TLSv1.2"` will work, but the default value should work too (I don't have JRE 7 to test on). – Piotr P. Karwasz Mar 08 '21 at 08:51