Tomcat Server Configuration [Server.xml] - Yash-777/LearnJava GitHub Wiki
- Tomcat container managed security
- Self signed certificates for the TLS communication
- Java Cryptography Extension (JCE) provider
- Secure Sockets Layer (SSL) Protocol Overview
| TCP/IP Layer | Protocol |
|---|---|
| Application Layer | HTTP, NNTP, Telnet, FTP, and so on |
| Secure Sockets Layer | SSL |
| Transport Layer | TCP |
| Internet Layer | IP |
- http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
- https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
- https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig
SSLProtocol (the `protocols` attribute of `SSLHostConfig` in Tomcat 8.5): The names of the protocols to support when communicating with clients. This should be a list of any combination of the following:
- SSLv2
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
- TLSv1.3
- SSLv2Hello
- all

Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a single protocol is specified it will not support SSLv2Hello.
SSL/TLS and Tomcat
Tomcat is able to use any of the cryptographic protocols that are provided by the underlying environment. Java itself provides cryptographic capabilities through JCE/JCA and encrypted communications capabilities through JSSE. Any compliant cryptographic "provider" can supply cryptographic algorithms to Tomcat. The built-in provider (SunJCE) includes support for various SSL/TLS versions such as SSLv3, TLSv1, TLSv1.1, and so on.
General Tips on Running SSL
When securing a website with SSL it's important to make sure that all assets the site uses are served over SSL, so that an attacker can't bypass the security by injecting malicious content into a JavaScript file or similar. To further enhance the security of your website, you should evaluate using the HSTS header. It allows you to tell the browser that your site should always be accessed over https.
Using name-based virtual hosts on a secured connection requires careful configuration of the names specified in a single certificate, or Tomcat 8.5 onwards, where Server Name Indication (SNI) support is available. SNI allows multiple certificates with different names to be associated with a single TLS connector.
Key TLS attributes on the connector: `sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" sslEnabledProtocols="TLSv1"`

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           keystoreFile="conf\store\tomcat.keystore" enableLookups="true"
           keystorePass="password" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" server="Apache Tomcat" />
```
Configuring OCSP Connector (Apache Portable Runtime (APR) based Native library for Tomcat)
```xml
<!--
/yash/tomcat/tomcat-keystore
yash777.github.com
Version:3
Subject:CN=yash777.github.com,O=github,C=IN
Issuer: CN=github V1,O=github,C=IN
Algorithm: SHA256WITHRSA
-->
<!-- Connector-level settings (threads, scheme, secure) stay on <Connector>;
     protocol selection and client-cert verification belong to <SSLHostConfig>;
     <Certificate> only carries the keystore attributes (Tomcat 8.5 names). -->
<Connector port="7775" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig sslProtocol="TLS" protocols="TLSv1.2,TLSv1.1,SSLv2Hello"
                   certificateVerification="none">
        <Certificate certificateKeystoreFile="/yash/tomcat/tomcat-keystore"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```
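Checking a server.xml for the legacy protocol tokens and the SSLv2Hello rule described above, as an added example that is not part of this wiki: it reads both connector styles shown on this page (Tomcat 7 style `sslEnabledProtocols` on `<Connector>` and Tomcat 8.5 style `protocols` on `<SSLHostConfig>`), applies the SSLv2Hello rule for OpenSSL based connectors, and flags cipher suites without forward secrecy. The sample XML, the `Apr` substring heuristic for OpenSSL based connectors and the expansion of the `all` token are assumptions.

```python
"""Audit the TLS connectors in a Tomcat server.xml (added example, not the wiki's own code)."""
import xml.etree.ElementTree as ET
# Protocol tokens the page lists; only TLSv1.2 and TLSv1.3 are treated as current.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "SSLv2Hello"}
# Assumed expansion of the "all" token for a Tomcat 8.5 JSSE connector; adjust per version.
ALL_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Constructed server.xml modelled on the two connector styles shown on this page.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="7775" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.1,SSLv2Hello"
                   ciphers="ECDHE-RSA-AES128-GCM-SHA256" />
  </Connector>
</Service></Server>"""
def _tokens(value):
    return [t.strip() for t in value.split(",") if t.strip()]
def _setting(connector, connector_attr, host_attr):
    """Prefer the <SSLHostConfig> attribute (8.5 style), else fall back to <Connector> (7.x style)."""
    host = connector.find("SSLHostConfig")
    if host is not None and host.get(host_attr):
        return host.get(host_attr)
    return connector.get(connector_attr, "")
def effective_protocols(connector):
    """Protocols offered; for OpenSSL (APR) connectors apply the page's SSLv2Hello rule."""
    tokens = _tokens(_setting(connector, "sslEnabledProtocols", "protocols")) or ["all"]
    if "all" in tokens:
        tokens = list(ALL_PROTOCOLS)
    if "Apr" in connector.get("protocol", ""):  # assumed marker for OpenSSL based connectors
        # The configured SSLv2Hello token is ignored; SSLv2Hello is supported
        # only when more than one real protocol is enabled.
        real = [t for t in tokens if t != "SSLv2Hello"]
        return real + (["SSLv2Hello"] if len(real) > 1 else [])
    return tokens
def audit(server_xml):
    """Map each SSL-enabled connector port to its legacy protocols and non-PFS cipher suites."""
    findings = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        protos = effective_protocols(c)
        ciphers = _tokens(_setting(c, "ciphers", "ciphers"))
        findings[c.get("port")] = {
            "protocols": protos,
            "legacy": sorted(set(protos) & LEGACY_PROTOCOLS),
            # Static RSA key exchange suites (no DHE/ECDHE) give no forward secrecy.
            "no_forward_secrecy": [s for s in ciphers if "DHE" not in s],
        }
    return findings
```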