Testing all 121 locally available ciphers against the server, ordered by encryption strength I wanted to add my proposal of the cipher list in the server.xml which will result in the following list of ciphers that are offered by the server: HTTP2/ALPN Local problem: /usr/bin/openssl doesn't support HTTP2/ALPN Version tolerance downgraded to TLSv1.2 (OK) Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) No engine or GOST support via engine with your /usr/bin/openssl Yes, the correct settings should grep ssl.*Prot /etc/tomcat/server.xml In contrast, setting the cipher list on the same connector was correctly picked by tomcat. Still, tomcat did not pick the change and kept offering TLSv1.1 and TLSv1.0. I also tried replacing 'sslProtocols' with 'sslProtocol' (singular) as this is the correct keyword. var/log/catalina.log says: WARNING: Setting property 'sslProtocols' to 'TLSv1.2,TLSv1.1,TLSv1' did not find a matching property. | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong TLSv1.0 and TLSv1.1 and TLSv1.2 are still offered: # nmap -script +ssl-enum-ciphers localhost -p 8443 Change sslProtocols from "TLSv1.2,TLSv1.1,TLSv1" to simply "TLSv1.2"Ĥ. Open /etc/tomcat/server.xml and edit the 8443 connector settingsĢ. Version-Release number of selected component (if applicable): In contrast, modifying the cipher list on the same file applies just as expected. I want to offer TLSv1.1 and TLSv1.2 only and I modify /etc/tomcat/server.xml accordingly but it does not pick up. Tomcat as used by Candlepin ignores the sslProtocol setting. In my opinion, the workaround should be reverted since it comes from a misinterpretation.+++ This bug was initially created as a clone of Bug #1477666 +++ Interestingly, I'm referring to Tomcat 7 hosted Servlet documentation: This is no surprise, according to ::getServletPath():Ī String containing the name or path of the servlet being called, as specified in the request URL, decoded, or an empty string if the servlet used to process the request is matched using the "/*" pattern. otherwise (with /*) ::doFilter() works with an empty path, with the effect that my browser faces a infinite redirect loop. INFO: Deploying configuration descriptor ROOT.xml from / var /lib/tomcat/conf/Catalina/localhostġ27.0.0.1 - z "GET /manager/html/ HTTP/1.1" 200 11308ġ27.0.0.1 - "GET /hudson HTTP/1.1" 302 -ġ27.0.0.1 - "GET /hudson/ HTTP/1.1" 404 982Īdded a comment - 06:34 - edited Using a proxied Winstone with Security Realm set to "Delegate to servlet container", I had to restore: INFO: Deploying configuration descriptor hudson.xml from / var /lib/tomcat/conf/Catalina/localhost INFO: Deploying configuration descriptor manager.xml from / var /lib/tomcat/conf/Catalina/localhost I'v set log level to ALL, there are tomcat logs: I'm just unable to open its web interface (HTTP 404 NOT FOUND). For example it creates files and directories in its homedir. INFO: Stopping Coyote AJP/1.3 on ajp-8009Īdded a comment - 11:15 One new important observation: In fact hudson starts. INFO: Stopping Coyote HTTP/1.1 on http-8080Ħ:55:36 PM .AjpAprProtocol destroy INFO: Pausing Coyote HTTP/1.1 on http-8080Ħ:55:35 PM .AjpAprProtocol pauseĦ:55:36 PM .StandardService stopInternalĦ:55:36 PM 11.Http11AprProtocol destroy INFO: HTMLManager: list: Listing contexts for virtual host 'localhost'Ħ:55:35 PM 11.Http11AprProtocol pause INFO: HTMLManager: init: Global resources are available
INFO: HTMLManager: init: Associated with Deployer 'Catalina:type=Deployer,host=localhost' INFO: Starting Coyote AJP/1.3 on ajp-8009Ħ:54:52 PM .Catalina startĦ:55:00 PM .ApplicationContext log INFO: Initializing Coyote AJP/1.3 on ajp-8009Ħ:54:52 PM .AjpAprProtocol start INFO: Starting Coyote HTTP/1.1 on http-8080Ħ:54:52 PM .AjpAprProtocol init INFO: Initializing Coyote HTTP/1.1 on http-8080Ħ:54:52 PM 11.Http11AprProtocol start INFO: Deploying configuration descriptor ROOT.xml from / var/lib/tomcat/conf/Catalina/localhostĦ:54:52 PM 11.Http11AprProtocol init INFO: Deploying configuration descriptor hudson.xml from / var/lib/tomcat/conf/Catalina/localhostĦ:54:52 PM .HostConfig deployDescriptor INFO: Deploying configuration descriptor manager.xml from / var/lib/tomcat/conf/Catalina/localhost INFO: Starting Servlet Engine: Apache Tomcat/7.0.0-RC4Ħ:54:51 PM .HostConfig deployDescriptor Ħ:54:51 PM .Catalina loadĦ:54:51 PM .StandardService startInternalĦ:54:51 PM .StandardEngine startInternal INFO: APR capabilities: IPv6, sendfile, accept filters, random. INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
0 kommentar(er)
