I want to know if Apache Tomcat supports TLS v1.2 protocol. I didn't find any documentation about this! Thanks!
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
TLS version 1.2 is supported by the Oracle JDK version 7, in the JSSE implementation. As Tomcat uses JSSE as underlying SSL library, it should be supported from JDK version 1.7 onwards. Also check your enabled SSL cipher suites in Tomcat.
If you are using Apache as a proxy, please check the Apache and underlying OpenSSL documentation.
Some links:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html (Java SE 7 Security Enhancements)
回答2:
I have a similar use case, which is to enable Tomcat 7 to strictly use only TLSv1.2, not to fall back to earlier SSL protocols such as TLSv1.1 or SSLv3. The following steps will answer how to enable Tomcat to support TLSv1.2.
I am using: C:\apache-tomcat-7.0.64-64bit and C:\Java64\jdk1.8.0_60.
Following this instruction: https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html. Tomcat is relatively simple to setup SSL support.
From many references I tested many combination, finally I found 1 which will enforce Tomcat 7 to accept TLSv1.2 only. 2 places needed to touch:
1) In C:\apache-tomcat-7.0.64-64bit\conf\server.xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="ssl/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" /> where
keystoreFile = local self-signed trust store
org.apache.coyote.http11.Http11Protocol = JSSE BIO implementation.
We don't use org.apache.coyote.http11.Http11AprProtocol, because it is powered by openssl. The underlying openssl will fall back to support earlier SSL protocols.
2) When start up Tomcat, enable the following environment parameters.
set JAVA_HOME=C:\Java64\jdk1.8.0_60 set PATH=%PATH%;C:\Java64\jdk1.8.0_60\bin set CATALINA_HOME=C:\apache-tomcat-7.0.64-64bit set JAVA_OPTS=-Djdk.tls.client.protocols="TLSv1.2" -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dhttps.protocols="TLSv1.2" JAVA_OPTS restriction is required, otherwise Tomcat (which is powered by Java8) will fall back to support earlier SSL protocols.
Start up Tomcat C:\apache-tomcat-7.0.64-64bit\bin\startup.bat
We can see JAVA_OPTS appears in Tomcat startup log.
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log INFO: Command line argument: -Djdk.tls.client.protocols=TLSv1.2 Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log INFO: Command line argument: -Dsun.security.ssl.allowUnsafeRenegotiation=false Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log INFO: Command line argument: -Dhttps.protocols=TLSv1.2 Then, we can use openssl command to verify our setup. First connect localhost:8443 with TLSv1.1 protocol. Tomcat refuses to reply with Server certificate.
C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_1 Loading 'screen' into random state - done CONNECTED(000001C0) 5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 5 bytes and written 0 bytes Connect localhost:8443 with TLSv1.2 protocol, Tomcat replies ServerHello with certificate:
C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_2 Loading 'screen' into random state - done CONNECTED(000001C0) depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com 1 s:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com --- Server certificate -----BEGIN CERTIFICATE----- (ignored) -----END CERTIFICATE----- subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2367 bytes and written 443 bytes This proves that Tomcat now strictly respond to TLSv1.2 request only.
回答3:
As mentioned by others, Tomcat supports TLSv1.2 via the JSSE in JDK 7+.
Tomcat does NOT support TLSv1.1 or TLSv1.2 when used with Tomcat Native (APR). See https://issues.apache.org/bugzilla/show_bug.cgi?id=53952.
Update: looks like TLSv1.2 will finally be supported in Tomcat Native 1.1.32 and Tomcat 8.0.15/7.0.57.
回答4:
I was also looking to upgrade sslProtocol to TLSv1.1 and as mentioned in the below links on Java6 and Java7
Java6 http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html Java7 http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
The SSLContext supported in Java6 are SSL, TLSv1 and in Java7 SSL, TLSv1, TLSv1.1 and TLSv1.2 are supported.
So, to enable TLSv1.1 or TLSv1.2 in tomcat, just upgrade to Java7 and change the sslProtocol in Connector in server.xml of tomcat.