Does Tomcat support TLS v1.2?


Solution 1

TLS version 1.2 is supported by the Oracle JDK version 7, in the JSSE implementation. As Tomcat uses JSSE as underlying SSL library, it should be supported from JDK version 1.7 onwards. Also check your enabled SSL cipher suites in Tomcat.

If you are using Apache as a proxy, please check the Apache and underlying OpenSSL documentation.

Some links:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html (Java SE 7 Security Enhancements)

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Solution 2

I have a similar use case, which is to enable Tomcat 7 to strictly use only TLSv1.2 and not fall back to earlier SSL protocols such as TLSv1.1 or SSLv3. The following steps show how to enable Tomcat to support TLSv1.2.

I am using: C:\apache-tomcat-7.0.64-64bit and C:\Java64\jdk1.8.0_60.

Following this instruction: https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html. Setting up SSL support in Tomcat is relatively simple.

From many references I tested many combinations; finally I found one which enforces Tomcat 7 to accept TLSv1.2 only. Two places need to be touched:

1) In C:\apache-tomcat-7.0.64-64bit\conf\server.xml

<Connector port="8443" 
 protocol="org.apache.coyote.http11.Http11Protocol"
 maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="ssl/.keystore" keystorePass="changeit"
 clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />

where

keystoreFile = local self-signed trust store

org.apache.coyote.http11.Http11Protocol = JSSE BIO implementation.

We don't use org.apache.coyote.http11.Http11AprProtocol, because it is powered by openssl. The underlying openssl will fall back to support earlier SSL protocols.

2) When starting up Tomcat, enable the following environment parameters.

set JAVA_HOME=C:\Java64\jdk1.8.0_60
set PATH=%PATH%;C:\Java64\jdk1.8.0_60\bin
set CATALINA_HOME=C:\apache-tomcat-7.0.64-64bit
set JAVA_OPTS=-Djdk.tls.client.protocols="TLSv1.2" -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dhttps.protocols="TLSv1.2"

JAVA_OPTS restriction is required, otherwise Tomcat (which is powered by Java8) will fall back to support earlier SSL protocols.

Start up Tomcat with C:\apache-tomcat-7.0.64-64bit\bin\startup.bat

We can see JAVA_OPTS appear in the Tomcat startup log.

Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Djdk.tls.client.protocols=TLSv1.2
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.security.ssl.allowUnsafeRenegotiation=false
Oct 16, 2015 4:10:17 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dhttps.protocols=TLSv1.2

Then, we can use the openssl command to verify our setup. First, connect to localhost:8443 with the TLSv1.1 protocol. Tomcat refuses to reply with a Server certificate.

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_1
Loading 'screen' into random state - done
CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes

Connect to localhost:8443 with the TLSv1.2 protocol; Tomcat replies with a ServerHello and the certificate:

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:8443 -tls1_2
Loading 'screen' into random state - done
CONNECTED(000001C0)
depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
   i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
1 s:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
   i:/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(ignored)
-----END CERTIFICATE-----
subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
issuer=/C=US/ST=Washington/L=Seattle/O=getaCert - www.getacert.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2367 bytes and written 443 bytes

This proves that Tomcat now strictly responds to TLSv1.2 requests only.

Solution 3

As mentioned by others, Tomcat supports TLSv1.2 via the JSSE in JDK 7+.

Tomcat does NOT support TLSv1.1 or TLSv1.2 when used with Tomcat Native (APR). See https://issues.apache.org/bugzilla/show_bug.cgi?id=53952.

Update: looks like TLSv1.2 will finally be supported in Tomcat Native 1.1.32 and Tomcat 8.0.15/7.0.57.

Solution 4

I was also looking to upgrade sslProtocol to TLSv1.1 and, as mentioned in the links below for Java6 and Java7:

Java6: http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html

Java7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

The SSLContext protocols supported in Java6 are SSL and TLSv1; in Java7, SSL, TLSv1, TLSv1.1 and TLSv1.2 are supported.

So, to enable TLSv1.1 or TLSv1.2 in Tomcat, just upgrade to Java7 and change the sslProtocol in the Connector in Tomcat's server.xml.
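An added example, not code from any of the answers above: it audits the SSL-enabled Connector elements of a server.xml for the two mistakes the page discusses (legacy protocol versions left in sslEnabledProtocols, and sslProtocol used on its own, which Solution 4 suggests but which a comment below points out does not restrict the negotiated version) and classifies captured openssl s_client transcripts like the two in Solution 2 as accepted or refused. The server.xml fragment is constructed for this example (port 8443 is the connector from Solution 2; 8444 and 8445 are made-up variants), the transcripts are abridged copies of the ones shown above, and treating everything older than TLSv1.2 as legacy is an assumption chosen to match Solution 2's goal.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: port 8443 is the connector from Solution 2;
# 8444 and 8445 are made-up variants of the mistakes discussed on the page
# (legacy versions left enabled, and sslProtocol used without
# sslEnabledProtocols); 8080 is a plain HTTP connector that must be skipped.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        keystoreFile="ssl/.keystore" keystorePass="changeit"
        clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
        SSLEnabled="true" scheme="https" secure="true"
        sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
        SSLEnabled="true" scheme="https" secure="true"
        sslProtocol="TLSv1.1" />
  </Service>
</Server>
"""

# Assumption for this audit: anything older than TLSv1.2 is treated as legacy,
# which matches the goal of Solution 2.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connectors(server_xml):
    """Return one finding per SSL-enabled Connector: {'port': ..., 'issues': [...]}.

    An empty issue list means the connector is pinned to TLSv1.2 only.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: nothing to check
        issues = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # sslProtocol only names the SSLContext algorithm; the versions the
            # JSSE actually negotiates come from sslEnabledProtocols.
            issues.append("sslEnabledProtocols missing: sslProtocol alone does "
                          "not restrict the negotiated TLS version")
        else:
            legacy = sorted({p.strip() for p in enabled.split(",")} & LEGACY_PROTOCOLS)
            if legacy:
                issues.append("legacy protocols enabled: " + ", ".join(legacy))
        if "AprProtocol" in conn.get("protocol", ""):
            issues.append("APR/OpenSSL connector: TLSv1.1/1.2 support depends on "
                          "the Tomcat Native version (see Solution 3)")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


# Abridged copies of the two openssl s_client transcripts shown in Solution 2.
TLS11_TRANSCRIPT = """CONNECTED(000001C0)
5372:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\\ssl\\s3_pkt.c:362:
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 0 bytes
"""
TLS12_TRANSCRIPT = """CONNECTED(000001C0)
depth=1 C = US, ST = Washington, L = Seattle, O = getaCert - www.getacert.com
verify error:num=19:self signed certificate in certificate chain
---
Server certificate
-----BEGIN CERTIFICATE-----
(ignored)
-----END CERTIFICATE-----
subject=/C=SG/ST=SG/L=Singapore/O=Xxxx/OU=Development/CN=Myself
---
SSL handshake has read 2367 bytes and written 443 bytes
"""

ERROR_LINE = re.compile(r"^\d+:error:")  # OpenSSL's "pid:error:code:..." line format


def classify_s_client(transcript):
    """Classify an s_client transcript as ('accepted', None) or ('refused', error_line).

    A completed handshake delivers the server certificate; a refused protocol
    version shows an OpenSSL error line and no certificate.
    """
    error = next((line for line in transcript.splitlines() if ERROR_LINE.match(line)), None)
    if error is None and "-----BEGIN CERTIFICATE-----" in transcript:
        return ("accepted", None)
    return ("refused", error)


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK (TLSv1.2 only)" if not finding["issues"] else "; ".join(finding["issues"])
        print("port %s: %s" % (finding["port"], status))
    for label, text in (("-tls1_1", TLS11_TRANSCRIPT), ("-tls1_2", TLS12_TRANSCRIPT)):
        print(label, classify_s_client(text))
```

Run it against a real server.xml by reading the file into audit_connectors; the APR check is only a pointer to Solution 3, since this script cannot tell which Tomcat Native version is installed.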

Author: observer

Updated on July 05, 2022

Comments

  • observer, almost 2 years ago:
    I want to know if Apache Tomcat supports TLS v1.2 protocol. I didn't find any documentation about this! Thanks!

    • user207421, over 8 years ago:
      Tomcat doesn't support TLS at all. It is either Java (via JSSE) or OpenSSL that supports it. Which version of TLS they support depends on which version they are. Your question is ill-formed.

  • observer, about 12 years ago:
    Thank you very much! I finally got TLS v1.2 on Tomcat using the JSSE configuration.

  • Ashish, almost 12 years ago:
    Could you please let me know what all you changed for that? I tried specifying sslProtocol="TLSv1.1" in the connector but that didn't work.

  • Christopher Schultz, over 4 years ago:
    Don't forget that Tomcat can use OpenSSL either via the OpenSSL-JSSE provider, or by using the APR connector with OpenSSL. When using OpenSSL, you can use whatever protocols it supports. Alternatively, you can use another crypto provider such as BouncyCastle.

  • Christopher Schultz, over 4 years ago:
    @ashish Specifying sslProtocol=TLSv1.1 doesn't work because you need to use sslEnabledProtocols instead.