Menu
  • HOME
  • TAGS

Securing tomcat7 - Disabling RC4 does not work

Tag: ssl,tomcat7

I'm trying to secure my tomcat 7 setup. I have currently two problems here comes my first one:

I use basically the default configuration, I just extended the ssl configuration to get an A rating on SSL Labs.

My problem is that I want to disable RC4 since it is insecure, so I added the cipher suites which I trust (well it is the list of Mozilla) it ends with !aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK which means AFIK that those algorithm should not been used. But RC4 is still used here is my full configuration (without comments):

<Server port="8005" shutdown="SHUTDOWN">
 <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" SSLHonorCipherOrder="true"
               SSLDisableCompression="true" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
               SSLCertificateChainFile="/root/ca.crt"
               SSLCACertificatePath="/etc/ssl/certs"
               keystoreFile="/path/to/keystore" keystorePass="pwd" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

If you know what I'm doing wrong please inform me.

Best How To :

You've formatted your cipher suite list as if you were using APR / OpenSSL, but are still configured to use the NIO connector, which will rely on Java to do the connection, and as such needs that format for the cipher list. Put your preferred suites into a comma delimited list (no classes of suites, only explicit configurations), restart, and see if that doesn't resolve it for you.

Oracle Java 8 cipher names can be found here: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

You can use this connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" SSLHonorCipherOrder="true"
           SSLDisableCompression="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           keystoreFile="/path/to/keystore" keystorePass="pwd" />

Problems generating a self-signed 1024-bit X509Certificate2 using the RSA AES provider

c#,.net,ssl,encryption,x509certificate2

The problem is with CryptGenKey function call. In the Algid parameter, you should pass either 0x1 (for RSA key exchange) or 0x2 (RSA digital signature). You don't need other values. And key length value should be 0x4000001 (with exportable key). Also, I noticed that you pass incorrect provider type when...

How to load SSL Certficate in Java

java,ssl

You can use Apache HttpClient (or just use the required classes from it to use SslContextBuilder, really), and then it'd be like so: SSLContextBuilder sslContextBuilder = SSLContextBuilder.create(); sslContextBuilder.loadTrustMaterial(new File("yourTrustStore.jks"), "thePassWord"); SSLContext sslContext = sslContextBuilder.build(); HttpsURLConnection httpsURLConnection = (HttpsURLConnection) (new URL("https://thesite.com").openConnection()); httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory()); But you need to create a...

Rails, DNSimple, Heroku and SSL - do I need a certificate?

ruby-on-rails,ssl,heroku,dnsimple

I just went through this same scenario. The certificate you see in your herokuapp is the wildcard certificate issued for *.herokuapp.com. If you want to secure a custom domain name http://my-app-name.com, you would need to purchase and install your own wildcard certificate via DNSimple. ...

Roundcube - Nginx does not redirect to .php file automatically

php,ssl,nginx,roundcube

Solved. Here's the configuration that works for me: server { listen 80; server_name example.org; return 301 https://$server_name$request_uri; } server { listen 80; server_name www.example.org; return 301 https://$server_name$request_uri; } server { listen 443 ssl; ssl on; server_name example.org; root /var/www/soon; server_tokens off; ssl_certificate /etc/ssl/certs/example.org.certchain.crt; ssl_certificate_key /etc/ssl/private/example.org.key; ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m; ssl_protocols...

How can i get Certificate issuer information in python?

python,ssl,certificate

Updated answer If you can establish a connection to the remote server you can use the ssl standard library module: import ssl, socket hostname = 'google.com' ctx = ssl.create_default_context() s = ctx.wrap_socket(socket.socket(), server_hostname=hostname) s.connect((hostname, 443)) cert = s.getpeercert() subject = dict(x[0] for x in cert['subject']) issued_to = subject['commonName'] issuer =...

Spring Boot SSL Client

spring,rest,ssl,spring-boot,ssl-certificate

I could not get the above client submitted by Andy to work. I kept getting errors saying that "localhost != clientname". Anyways, I got this to work correctly. import java.io.IOException; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.HttpException; import org.apache.commons.httpclient.URI; import org.apache.commons.httpclient.methods.GetMethod; public class SSLClient { static { System.setProperty("javax.net.ssl.trustStore","c:/apachekeys/client1.jks");...

SecKeyRawVerify verifies on mac but fails with -9809 on iOS

ios,osx,ssl,cryptography,commoncrypto

Well after some experimenting with sign/verify, I've found out that changing padding agreement to SecKeyRawVerify/SecKeyRawSign from kSecPaddingPKCS1SHA1 to kSecPaddingPKCS1, solves my problem. Don't know why it doesn't work with kSecPaddingPKCS1SHA1, there is not deprecations described in Apple's documentation. Also I didn't try this code on iOS different from 8.3 so...

Java 8 , JCE Unlimited Strength Policy and SSL Handshake over TLS

java,ssl,jvm,centos,java-8

Try limiting the protocols to just TLSv1 using: -Djdk.tls.client.protocols=TLSv1 See this page for more details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2 Hope this helps, Yuri...

wget ssl alert handshake failure

ssl,https,wget

It works from here with same OpenSSL version, but a newer version of wget (1.15). Looking at the Changelog there is the following significant change regarding your problem: 1.14: Add support for TLS Server Name Indication. Note that this site does not require SNI. But www.coursera.org requires it. And if...

Getting SSLHandshakeException in java

java,eclipse,ssl,https,digital-certificate

If importing to keystore not resolving your issue.. as i was not able to resolve it. Then add following line of code. It worked for me. System.setProperty( "javax.net.ssl.keyStore", "D:\\G2B.p12" ); // The path to the .p12 file System.setProperty( "javax.net.ssl.keyStorePassword", "****" ); // The password of the p12 file System.setProperty( "javax.net.ssl.keyStoreType",...

Wildcard SSL on several servers - seems OK when tested but red in Chrome

ssl,apache2.4

There are several tools available to test your website having SHA1 or SHA2 certificate. https://www.sha2sslchecker.com/ https://shaaaaaaaaaaaaa.com/ You can also check it manually. Browse site in chrome. Click on the green padlock. Click on "certificate information" under the "connection" tab. Click on "Details" tab where you can find secure hash algorithm:...

How to create a private certificate for connecting to a website

apache,ssl,privatekey,digital-certificate,self-signed

It sounds like you want to use client-side SSL certificates for authentication. The Apache documentation covers this use case in some detail (that's for version 2.4; see here for version 2.2).

Configure Apache web server to perform SSL authentication

linux,apache,security,ssl,xampp

Bitnami developer here, In XAMPP the SSL configuration is located at /opt/lampp/etc/extras/httpd-ssl.conf file, where there is a default VirtualHost already configured in port 443, and you are trying to bind again the same port. Please, try to modify this file instead. You can check if there is any other process...

How do you unblock the 993 port if your firewall settings is blocking it?

php,email,ssl

You can find the answer here which is already asked on Stackoverflow. Make sure that the mailbox you are trying to connect is IMAP. PS. It doesn't look like firewall issue to me...

Wildcard SSL - Which to chose and what is the key differences?

ssl,https,certificate,ssl-certificate

The main things to consider when purchasing a wildcard certificate are: If you want the certificate to support the domain itself (e.g., domain.com) in addition to subdomains (*.domain.com), then make sure that the wildcard vendor you choose supports Subject Alternative Name extension. Before you buy, make sure you know who...

Authenticate with login.microsoftonline.com through PHP cURL (SSL connect error)

php,ssl,curl,dynamics-crm-2015

I suspect it might be an issue with your POST and Host values. Your successfully connecting to login.microsoftonline.com however the next step I believe is your organisation. I haven't played around with this stuff for a while however the values I have look like so:- POST /Organization.svc Host yourorganisation.api.crm5.dynamics.com Obviously...

Meteor mupx ssl configuration is not working, still routing to port 80

javascript,ssl,meteor,docker

You're welcome! I initially forgot to post it here too. We all need recognition when we can get it, thanks. I found this quote somewhere, sounds like a starting point to check...I n your EC2 control panel, look at your instance and note the Security Group that is assigned to...

Particular URL redirect to http if request come from particular host

apache,http,mod-rewrite,ssl,url-rewriting

You should add another RewriteCond to exclude redirect for this IP: RewriteCond %{SERVER_PORT} =80 RewriteCond %{REMOTE_ADDR} !=10.1.2.3 RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L] ...

Firefox and SSL pages - takes very long on certain sites [closed]

firefox,ssl,browser,ssl-certificate

Don't know why, but I removed the file cert8.db from within the profile folder, now it works again.

How to disable common name check in SSLContext in java?

java,ssl,jersey,jax-rs,ssl-certificate

If I'm understanding you correctly, I think you can accomplish what you are trying to do by implementing a HostnameVerifier, and just returning true in the verify method. You can set up the verifier on the ClientBuilder. For example Client client = ClientBuilder.newBuilder() .sslContext(sslContext) .hostnameVerifier(hostnameVerifier) .build(); ...

Create OpenSSL certificates signed by myself

c++,ssl,boost,openssl,ssl-certificate

Your signing certificate has no rights to sign, because it has not the CA flag set. Signing will still work, but verification will fail. Since there are already lots of guides on the internet which will show in detail how to do it right so you might just look here...

Apache tomcat issue with Eclipse dynamic web module 3.0

java,spring-mvc,tomcat7

Your problem has nothing to do with eclipse or dynamic web modules in eclipse, except there exists more than one problem. You have a general problem in your spring configuration. You are trying to map '/' via RequestMapping - that does not work even in in Spring MVC 4.1.6 -...

SSL Handshake in Java Servlet (HttpsURLConnection)

java,servlets,ssl

So, whenever SSL connection is established it tries to verify the server name with the host name in certificate. In this case, since it is self signed it may not be having any server name mostly. What you need to do is write a implementation of javax.net.ssl.HostnameVerifier and assign to...

ArgumentError - unknown SSL method `TLSv1_2'

ssl,amazon-s3,carrierwave,fog

Instead of setting it inside the fog_credentials hash, try setting it afterwards on config itself with the following 2 lines: config.fog_authenticated_url_expiration = 600 config.fog_attributes = { ssl_version: :TLSv1_2 } ...

Redirecting http to https

apache,.htaccess,redirect,ssl,https

You can use this in your .htaccess file. Just replace example.com with your domain and all bases should be covered. IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. [NC,OR] RewriteCond %{HTTPS} !^on RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L] </IfModule> ...

Self-signed Certificate and Client Keystore for SSL Authentication

java,ssl,certificate,keystore,keytool

Not an answer yet, but getting too complicated for comments so I'll give a start and edit later. Should (SSL/TLS) server(s) and client(s) share a key (and cert)? Okay for development and maybe test, varies for production. As a general rule every independent system that needs to be authenticated should...

Nginx redirect http subdomains to https

ubuntu,redirect,ssl,nginx,rewrite

Your web server is setup with Strict-Transport-Security max-age=16070400; includeSubdomains. This will tell the web browser to request your domain using https only. If you want the subdomain blog to be accessed through insecure http, you will need to remove includeSubdomains from the HTTP Strict Transport Security (HSTS) and use a...

Tomcat 7 PermGen Space or Failed to Create JVM

java,eclipse,tomcat,tomcat7,permgen

Problem solved : Downloaded a new Tomcat (7.0.62) : https://tomcat.apache.org/download-70.cgi Added Arguments at the launch of my Tomcat : -Xms256m -Xmx512m -XX:MaxPermSize=128m ...

How to make a website work only with https [duplicate]

asp.net,ssl,https

Sure, assuming you are using IIS to host your site, open IIS Manager and select your web site and then binding on the right: make sure you only have a binding for https not for http. This way IIS will only send https traffic to that web site. Edit: What...

Java client certificates and keystores

java,ssl,https,ssl-certificate

My understanding is that if you have to store a certificate with an alias matching the target domain name (in our case i.domain.io or r.domain.io) so java can provide the associated certificate as a client certificate when you are attempting a SSL connection to that domain e.g. https://r.domain.io That's...

SSLV3_ALERT_HANDSHAKE_FAILURE with SNI using Tornado 4.2 in Python 2.9.10

python,python-2.7,ssl,tornado,sni

It is very hard to tell without having ore information about the server, but I'll try: OpenSSL 0.9.8zd 8 Jan 2015 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) You are restricting the protocol to TLS 1.0. It might be that the server expects TLS 1.2 or TLS 1.1 or SSL 3.0. Note that TLS...

Same system, same code, different behaviors: The request was aborted: Could not create SSL/TLS secure channel

c#,wcf,ssl,windows-services,windows-applications

I found Windows Service's permission settings in Properties window's Log On tab, changed account from Local System to My User Account (Logged In User) and it works like a charm.

Tomcat v7.0 Server at localhost failed to start (Only with specific WebApp)

java,tomcat,tomcat7

Hello You should check your web.xml file because you have 2 servlets DOMServlet and edu.unsw.comp9321.DOMServlet refering to the same url-pattern, if you are not mapping the servlets in the web.xml check in your code the classes anotated with @WebServlet. other important point is that maybe you have a deployed another...

Client certificate authentication

authentication,ssl,https,ssl-certificate,x509

I've to break down your question into two parts. Part one: Let's say a hacker X sends a CA issued certified to the server as part of handshake. Then server would automatically trust it and grant access. If X aquires the client certificate of an authentic client then that's ok....

serving GAE applications over http

java,google-app-engine,ssl

There two things you've missed from docs: Google Cloud Endpoints requires SSL. If you need to access your backend API in a system not supporting SSL, you'll need to either update the system to support SSL or use a proxy. and Google Cloud Endpoints does not support custom domains. See...

How to set up a meteor server on https connection?

ssl,meteor,https

Deploy the app using Meteor Up which have built in SSL support. Or use common web server like Nginx or Apache, setup SSL and reverse proxy back to meteor app. Example: Nginx configuration server { listen 80; server_name www.example.com; rewrite ^ https://$server_name$request_uri? permanent; } server { listen 443 ssl ;...

Starting a tls communication with python asyncio

python,ssl

Unfortunately, up to python 3.5 there is not standard way to do it! As of python 3.5, there is a new thing called MemoryBIO within ssl module with which you can wrap your socket for TLS. You have a couple of options here: Use Python traditional (sync) socket and loop.executor...

NPM Error: self signed certificate in certificate chain

ssl,npm,tsd

One little FYI first : if you just want to learn AngularJS, maybe it's not the best way to start with TypeScript. If it's the case for you, try the tutorial on angularjs.org, which use JavaScript and angular-seed. Anyway, if you want to use tsd, you have to edit your...

Subject Alternative Name not present in certificate

ssl,openssl,ssl-certificate

You can use: copy_extensions = copy under your CA_default section in your openssl.cnf. but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?...

Server Authentication in Swift 2.0 & XCode 7 broken

ios,swift,ssl,swift2

Your simulator is most likely running iOS 9 then. In iOS 9, TLS 1.2 is enforced. If you're not using it, your requests will fail. Check out this post for more info. You can bypass it by putting this in your Info.plist: <key>NSAppTransportSecurity</key> <dict> <!--Include to allow all connections (DANGER)-->...

SSL/TLS: Why will the server be the only one to be able to decrypt the encrypted number if it's a public key?

ssl,encryption

Because it's public-private key encryption, not symmetric encryption. The plaintext is encrypted to cipher text with the public key and decrypted back to the plaintext with the private key. Trying to decrypt that ciphertext with the public key doesn't work.

Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

android,ssl,okhttp,pkcs#12

Apparently, there are two SSLSocketFactory classes. HttpClient has its own one, and that is deprecated along with the rest of HttpClient. However, everybody else will be using the more conventional javax.net.ssl edition of SSLSocketFactory, which is not deprecated (thank $DEITY).

How does DNS server know the IP address of an SSL's URL?

ssl,https,dns

When you enter an URL in your browser the DNS server is asked for the URL's IP first by your system, before even connecting to the server. So SSL is not even in the game at this point. SSL encrypts between the client (e.g. your browser) and the server, but...

Openshift trustwave intermediate ssl cert issue

ssl,https,ssl-certificate,openshift

Ok solve it after lots of searching, and Trustwave still reports it as wrong but all browsers seem to accept it. So I got the main cert file (I was using my-domain.com.pem) copy and paste the contents into a new file (something like combined.pem) then open your intermediate file (chain.cer...

Tomcat support for HTTP/2.0?

tomcat,https,tomcat7,tomcat8,http2

I'm the HTTP/2 implementer in Jetty, and I watch out other projects implementing HTTP/2. Tomcat's Mark Thomas has outlined support for HTTP/2 for Tomcat 9. Considering that Servlet 4.0 is going to have as a target HTTP/2 support, and that HTTP/2 support requires ALPN support in the JDK (which also...

Copied ssl cert to a test site, how do I remove it?

http,ssl,drupal,https,softlayer

https://www.drupal.org/https-information has some information on how to use SSL certs in drupal specifically. Since you didn't provide the actual error your browser is giving you, I'm going to guess its a domain name mismatch error (like this https://www.digicert.com/ssl-support/certificate-name-mismatch-error.htm ). Basically you will either need to access your site via the...

Issue with understanding keystore and ssl

java,android,ssl,encryption

Now he adds the server.cer to the clients-keystore and the clients.cer to the server's keystore. Wrong here. You should add the exported certificate to a truststore in each case. Export from server keystore to client truststore, client keystore to server truststore. That way the client can encrypt the plaintext...

Wildfly mysql with SSL

mysql,ssl,wildfly

You will need to add the certificate to keystore to make an SSL connection.You can refer to the following links. Install SSL Certificate Create KEYSTORE-File from existing SSL-Certificate Then you can create a datasource with a SSL URL as demonstrated in the below sample in standalone.xml file. <datasource jndi-name="java:jboss/datasources/dbname" pool-name="poolname">...

ssl certificate with and without www

apache,ssl

Usually, registries create certificates for your hostname and the domain above (see https://en.wikipedia.org/wiki/SubjectAltName). If the registry does not support this, than choose a different one.

Websocket SSL connection

javascript,node.js,ssl,websocket

The https module is rejecting your self-signed cert (as one would hope). You can force it to stop checking by passing a rejectUnauthorized: false option (which WebSocket will pass down to https): var ws = new WebSocket('wss://localhost:15449/', { protocolVersion: 8, origin: 'https://localhost:15449', rejectUnauthorized: false }); ...