[ngw] Disable TLS 1.0 and 1.1 on WebAccess / Windows

Marvin Huffaker mhuffaker at redjuju.com
Mon Mar 25 10:17:08 UTC 2019


I found the problem/solution from a forum posting somewhere out there.
It seems so simple.  The syntax I had been testing was correct but the
location was wrong.  The TLS version directives go into the
"SSLHostConfig" section not the connector or other places where I had
attempted before. This is my exact working config file:

    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig protocols="TLSv1.2">
            <Certificate certificateKeyFile="e:\certs\mail.xxxxxxxxxxxxxxxx.com.key"
                         certificateFile="e:\certs\mail_xxxxxxxxxxxxxxxxxx_com.crt"
                         certificateChainFile="e:\certs\My_CA_Bundle.ca-bundle.crt"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>


With this I get the following results from the SSL Labs Test, which is
what I was going for:


Protocols
TLS 1.3    No
TLS 1.2    Yes
TLS 1.1    No
TLS 1.0    No
SSL 3      No

>>> Matt Weisberg <matt at weisberg.net> 2/22/2019 2:57 PM >>>

That example was taken directly from a production environment using
Tomcat 9.

Yes, the method of storing/reading the certs is different when you are
using NIO vs. APR (and actually you shouldn't even use a JKS any more
with NIO, you should just use a PKCS#12 file directly now, JKS is
deprecated).

The significant difference is which SSL libraries are being used in NIO
vs. APR.  I've tried to find some stuff on it, and APR does allow you
more advanced tuning capabilities, but from what I can tell, that
doesn't matter much for most of us.

I agree that the documentation surrounding Tomcat configuration is a
sloppy mess.  I just do what I know works until I have a reason to
change I guess!

Trying NIO certainly wouldn’t hurt! But I'd say just use a PKCS#12 file
for the cert instead of a Java Keystore.

Matt


-- 
Matt Weisberg
Weisberg Consulting, Inc.
matt at weisberg.net
www.weisberg.net
ofc. 248.685.1970
cell 248.705.1950
fax 248.769.5963

On 2/22/19, 3:46 PM, "ngw-bounces+matt=weisberg.net at ngwlist.com on
behalf of Marvin Huffaker" <ngw-bounces+matt=weisberg.net at ngwlist.com on
behalf of mhuffaker at redjuju.com> wrote:

    The interesting thing in your syntax is that you're specifying the
    ciphers you want to use.  In the GroupWise implementation, no ciphers
    are specified at all. There's not even a directive for it anywhere in
    the configuration.  Normally by default I would expect to have a pile
    of ciphers, yet it is only using some of the better ciphers.  I don't
    show any weak ciphers used at all.  So I do not know if that is just a
    default of Tomcat 9 or if that is something configured elsewhere, that I
    cannot locate.

    Also in your syntax (And in the syntax of the tomcat documentation),
    you only have a "CONNECTOR" block.  All your directives and options are
    within that block.  In the GroupWise implementation, there are subblocks
    for the HostConfig and the SSL Certificate.

    Based on what I have read and can ascertain, the NIO method you use
    utilizes the Tomcat Keystore while the APR method uses standard PEM
    certificate files.  The GroupWise configuration starts with a default
    NIO method and the keystore, but to use 3rd Party certificates they tell
    you to REM that out and use the APR directives with the certificate file
    paths and names.

    But even with that TID, if you really read in between the lines, the
    author does not fully understand why or how each method is used, and
    that further complicates the matter.  Reference this tid:
    https://support.microfocus.com/kb/doc.php?id=7022859

    I suppose I could try to import my certificates into the Keystore and
    try using the NIO method instead.
    
    
    Marvin
    >>> Matt Weisberg <matt at weisberg.net> 2/22/2019 9:36 AM >>>
    
    You may want to start looking at the headers using something like
    Fiddler.  It does sound like something else is going on.

    Honestly, I use Tomcat all the time directly for other products and
    projects and I do TLS 1.2 only all the time and never ever have issues
    restricting this.

    I think it has got to be at least 10 years since I tried this on a
    Windows server.

    This is a fairly typical setup I'll use on SuSE or RedHat for Tomcat:
    
    
        <Connector port="8443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true"
                   scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLSv1.2"
                   sslEnabledProtocols="TLSv1.2"
                   useServerCipherSuitesOrder="true"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
                   keystoreFile="/somepath/tomcat.keystore"
                   keystorePass="somepassword"
                   keyAlias="tomcat"
                   />
    
    
    That setup passes the security scanners.  Do note that is using NIO,
    not APR.
    
    Matt
    
    
    -- 
    Matt Weisberg
    Weisberg Consulting, Inc.
    matt at weisberg.net
    www.weisberg.net
    ofc. 248.685.1970
    cell 248.705.1950
    fax 248.769.5963
    
    On 2/21/19, 8:16 PM, "ngw-bounces+matt=weisberg.net at ngwlist.com on
    behalf of Marvin Huffaker" <ngw-bounces+matt=weisberg.net at ngwlist.com on
    behalf of mhuffaker at redjuju.com> wrote:

        That made no difference. It seems as if every directive I use is
        ignored. It's like something else is taking precedence but I can't
        find it. I gave up and opened an SR, hoping Micro Focus engineers can
        help.

        I never do this on Windows either. On Linux it's all managed with
        Apache and pretty straight forward.  This combo Apache/Tomcat on
        Windows is really throwing me for a loop.
	    
	    
	    Marvin
	    >>> Matt Weisberg <matt at weisberg.net> 2/21/2019 9:19 AM >>>
	    
	    
        For most workloads, it really doesn’t matter.  JSSE NIO uses the
        SSL in the JVM and APR uses OpenSSL directly from what I
        understand.  I never do this on Windows servers, so there may be a
        reason to pick APR on Windows, not sure.

        But honestly, it really doesn't matter much for this workload so I
        would do whatever works.
	    
	    Did using the protocols= change the behavior at all?
	    
	    Matt
	    
	    
	    -- 
	    Matt Weisberg
	    Weisberg Consulting, Inc.
	    matt at weisberg.net
	    www.weisberg.net
	    ofc. 248.685.1970
	    cell 248.705.1950
	    fax 248.769.5963
	    
        On 2/21/19, 10:50 AM, "ngw-bounces+matt=weisberg.net at ngwlist.com on
        behalf of Marvin Huffaker" <ngw-bounces+matt=weisberg.net at ngwlist.com on
        behalf of mhuffaker at redjuju.com> wrote:

            Honestly I don't even know the difference between the connectors and
            until yesterday didn't know there were multiple connectors.  I don't
            dig into Tomcat configs very often, and I was just trying to use what
            Micro Focus provided and tweak it to meet my needs.

            thank you.

            Marvin
 		   
            >>> Matt Weisberg <matt at weisberg.net> 2/20/2019 10:30 PM >>>

            I just realized you are using the APR connector and all the
            examples I have are using JSSE NIO connector.  That may be why you
            are getting confused with the settings because they are different.

            I'll have to look around and see if I have one that uses APR.  I
            don't even think sslProtocol is valid with APR, I think it is just
            protocols="TLSv1.2" (I think sslEnabledProtocols is also not valid
            for APR).  Have you tried just protocols="TLSv1.2" ?

            I think this format is valid too:

            protocols="-all,+TLSv1.2"

            Matt
 		   
 		   
 		   -- 
 		   Matt Weisberg
 		   Weisberg Consulting, Inc.
 		   matt at weisberg.net
 		   www.weisberg.net
 		   ofc. 248.685.1970
 		   cell 248.705.1950
 		   fax 248.769.5963
 		   
            On 2/20/19, 9:34 PM, "ngw-bounces+matt=weisberg.net at ngwlist.com on
            behalf of Marvin Huffaker" <ngw-bounces+matt=weisberg.net at ngwlist.com on
            behalf of mhuffaker at redjuju.com> wrote:

                Matt, Thank you.  I believe that's one of the options I tried
                first, and I still can't get it to work.  When I run an SSLLabs
                test I still show that TLS 1.0 and 1.1 are enabled.

                Protocols
                TLS 1.3    No
                TLS 1.2    Yes
                TLS 1.1    Yes
                TLS 1.0    Yes
                SSL 3      No
                SSL 2      No

                Furthermore, using this link as a reference:
                https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html  The
                syntax and blocks shown are completely different than how they
                are laid out in the GroupWise server.xml file that's installed.
                I tried modeling their commands instead and the service failed
                to load completely.

                The example shows that the sslProtocol directive is in the
                "Connector" block but I can't get it to load when I put it in
                there.  And there are various sub-blocks in the GroupWise config
                not in the example.

                Do you have a working configuration that you could show your
                entire configuration?

                Marvin
	 		   
                >>> Matt Weisberg <matt at weisberg.net> 2/20/2019 1:33 PM >>>

                Change your SSLProtocol to:

                sslProtocol="TLSv1.2"
	 		   
	 		   
	 		   -- 
	 		   Matt Weisberg
	 		   Weisberg Consulting, Inc.
	 		   matt at weisberg.net
	 		   www.weisberg.net
	 		   ofc. 248.685.1970
	 		   cell 248.705.1950
	 		   fax 248.769.5963
	 		   
                On 2/20/19, 12:14 PM, "ngw-bounces+matt=weisberg.net at ngwlist.com on
                behalf of Marvin Huffaker" <ngw-bounces+matt=weisberg.net at ngwlist.com on
                behalf of mhuffaker at redjuju.com> wrote:

                    Does anybody know how to disable TLS 1.0 and TLS 1.1 on the
                    ApacheTomcat modules?  GroupWise 18.1 running on Windows Server
                    with the apache Tomcat 9 module that GroupWise installs.  My
                    goal is to only have TLS 1.2 enabled.

                    I've looked at numerous online examples and configurations, it
                    appears that the syntax has changed over the various versions of
                    Tomcat.  The Tomcat 9 reference lists the directives and I've
                    applied it to the current configuration but can't get anything
                    to work.  My understanding is that if you specify a protocol,
                    only that protocol will be enabled.  I've copied / pasted
                    examples verbatim and it makes no difference.  Is there
                    somewhere else that is overriding this configuration?

                    This is my server.xml file:

                    <Connector port="443"
                               protocol="org.apache.coyote.http11.Http11AprProtocol"
                               maxThreads="150" SSLEnabled="true" >
                        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
                        <SSLHostConfig>
                            <Certificate
                                certificateKeyFile="C:\Novell\GroupWise\Tomcat\certs\mail.xxxxxxx.com.key"
                                certificateFile="C:\Novell\GroupWise\Tomcat\certs\mail.xxxxxxxx_com.crt"
                                certificateChainFile="C:\Novell\GroupWise\Tomcat\certs\My_CA_Bundle.ca-bundle"
                                type="RSA"
                                SSLProtocol="SSL"
                                SSLEnabledProtocols="TLSv1.2"/>
                        </SSLHostConfig>
                    </Connector>

                    Thanks.

                    Marvin
 	 			  
	 		   
	 		  
_______________________________________________
ngw mailing list
ngw at ngwlist.com
http://ngwlist.com/mailman/listinfo/ngw
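A way to catch the mistake this thread was chasing in server.xml itself, instead of restarting Tomcat and re-running SSL Labs after each guess. This is an added example for this page, not GroupWise, Micro Focus or Tomcat code. It parses a Tomcat 9 server.xml and applies the rules the thread converged on: the "protocols" attribute of SSLHostConfig decides which versions a TLS host accepts, "sslEnabledProtocols" on the Connector is the legacy alias for that attribute, and protocol attributes placed on the Certificate element have no effect. The set that the "all" token expands to, the list of attribute names it flags as misplaced, the decision to consult the Connector alias only when no explicit SSLHostConfig is present, and the three server.xml inputs are all constructed for the example; paths and passwords in them are placeholders.

```python
"""Audit a Tomcat 9 server.xml for TLS 1.0/1.1 still being enabled.

Added example for this thread; it is not GroupWise, Micro Focus or Tomcat
code. Rules applied: the protocol list belongs in the `protocols` attribute
of <SSLHostConfig>; the legacy `sslEnabledProtocols` attribute on <Connector>
is an alias for it; protocol attributes placed on <Certificate> are ignored.
The `all` / `+X` / `-X` token grammar follows the Tomcat 9 SSLHostConfig docs.
`sslProtocol` only names the JSSE SSLContext algorithm and is not treated as
a restriction here.
"""
import xml.etree.ElementTree as ET

# Assumption: the set Tomcat 9 expands the token "all" to. SSLv2Hello is a
# hello-format compatibility flag rather than a negotiable version.
ALL_PROTOCOLS = frozenset({"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
# Versions that must not survive an audit aimed at "TLS 1.2 only".
WEAK_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})
# Names the thread tried on <Certificate>; none is a Certificate attribute.
MISPLACED_ON_CERT = frozenset({"protocols", "sslProtocol", "SSLProtocol",
                               "sslEnabledProtocols", "SSLEnabledProtocols"})


def parse_protocols(value):
    """Expand a `protocols` value into the set of enabled protocol names.

    Tokens are applied left to right: a bare token or "+token" adds,
    "-token" removes, and "all" (case-insensitive) stands for ALL_PROTOCOLS.
    """
    enabled = set()
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        op, name = (token[0], token[1:].strip()) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit(server_xml):
    """Return one finding per TLS virtual host of every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        hosts = conn.findall("SSLHostConfig")
        # Assumption: the Connector-level alias is only consulted when no
        # explicit <SSLHostConfig> is present (the NIO style in the thread);
        # mixing both styles in one Connector is not modelled here.
        if not hosts:
            findings.append(_finding(conn, "_default_",
                                     conn.get("sslEnabledProtocols", "all"), []))
            continue
        for host in hosts:
            ignored = sorted(attr for cert in host.findall("Certificate")
                             for attr in cert.attrib if attr in MISPLACED_ON_CERT)
            findings.append(_finding(conn, host.get("hostName", "_default_"),
                                     host.get("protocols", "all"), ignored))
    return findings


def _finding(conn, host, protocols_value, ignored):
    enabled = parse_protocols(protocols_value)
    return {"port": conn.get("port"), "host": host, "enabled": enabled,
            "weak": enabled & WEAK_PROTOCOLS, "ignored_on_certificate": ignored}


# Constructed inputs modelled on the thread; paths and passwords are placeholders.
BROKEN_APR = """<Server><Service>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeyFile="C:\\certs\\example.key"
                   certificateFile="C:\\certs\\example.crt" type="RSA"
                   SSLProtocol="SSL" SSLEnabledProtocols="TLSv1.2"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

FIXED_APR = (BROKEN_APR
             .replace('<SSLHostConfig>', '<SSLHostConfig protocols="TLSv1.2">')
             .replace(' SSLProtocol="SSL" SSLEnabledProtocols="TLSv1.2"', ""))

NIO_LEGACY = """<Server><Service>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
             keystoreFile="/somepath/tomcat.keystore" keystorePass="placeholder"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("broken APR", BROKEN_APR), ("fixed APR", FIXED_APR),
                       ("NIO legacy", NIO_LEGACY)):
        for f in audit(xml):
            verdict = "FAIL" if f["weak"] else "ok"
            print(f"{label:10} port {f['port']} {f['host']}: {verdict} "
                  f"enabled={sorted(f['enabled'])} ignored={f['ignored_on_certificate']}")
```

Run against a real server.xml by reading the file and passing its text to audit(). The broken input reproduces the original post: with no protocols attribute on SSLHostConfig the host falls back to "all", so TLS 1.0 and 1.1 stay on, and the two attributes on Certificate are reported as having no effect; moving the restriction to protocols="TLSv1.2" on SSLHostConfig, or writing it as "-all,+TLSv1.2", leaves only TLS 1.2 enabled.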


