On 09/07/2021 15:15, Christopher Schultz wrote:
Jean-Frederic,
On 7/9/21 07:55, jean-frederic clere wrote:
On 09/07/2021 12:38, Mark Thomas wrote:
On 09/07/2021 11:08, jean-frederic clere wrote:
Hi,
I think we need the same fix in tomcat or I missed something?
If we need it I will work on it next week ;-)
To clarify, you mean checking Tomcat can (and implementing if it
can't) the ability to configure supported SSL protocols per virtual
host.
Yes.
We should have most of this in SSLHostConfig but I don't recall ever
testing this behaviour specifically.
Just as a reminder, both <Host .../> elements and <SSLHostConfig
.../> are likely to be required as they are configured separately.
Quick test and code review seems to show it is not working (I tested
the apr connector and 9.0.x).
Can you post a sample config?
I assume you mean:
1. Define two <Host>, configure for TLS
a. One attempting to use e.g. only TLSv1
b. One attempting to use e.g. only TLSv1.2
2. Run a protocol-checker against both hosts
Result is that host (a) supports not-only TLSv1 and/or host (b) supports
not-only TLSv1.2?
Yes that is what I am testing, actually Nio and Nio2 are working Apr
isn't...
The configuration is something like:
+++
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.1">
        <Certificate
            certificateFile="conf/localhost.server.cert.pem"
            certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="server1" protocols="TLSv1.2">
        <Certificate
            certificateFile="conf/localhost.server.cert.pem"
            certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="server2" protocols="TLSv1.3">
        <Certificate
            certificateFile="conf/localhost.server.cert.pem"
            certificateKeyFile="conf/localhost.server.nopass.key.pem"/>
    </SSLHostConfig>
</Connector>
+++
+++
and I have the 3 corresponding <Host/>
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
--
Cheers
Jean-Frederic
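The per-virtual-host protocol check discussed in this thread can be scripted. The following is an added example, not code from the thread or from Tomcat: it reads the expected protocol per SNI name from a trimmed copy of the posted Connector, probes each name with a handshake pinned to one TLS version, and lists every difference. The function names, the `localhost:8443` target and the sample observations in the test are assumptions made for illustration.

```python
import socket, ssl
import xml.etree.ElementTree as ET
# Constructed sample: the thread's Connector, trimmed to the attributes checked here.
CONNECTOR_XML = """
<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.1"/>
  <SSLHostConfig hostName="server1" protocols="TLSv1.2"/>
  <SSLHostConfig hostName="server2" protocols="TLSv1.3"/>
</Connector>"""
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def expected_protocols(xml_text):
    """hostName -> configured protocols; no hostName means Tomcat's `_default_`."""
    return {cfg.get("hostName", "_default_"): set(cfg.get("protocols", "").replace(",", " ").split())
            for cfg in ET.fromstring(xml_text).iter("SSLHostConfig")}  # plain names only

def probe(host, port, sni, version, timeout=5.0):
    """True if a handshake pinned to exactly `version` succeeds for this SNI name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # test certificate: only the protocol is checked
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # assumes OpenSSL; lets the client offer TLSv1/1.1
    ctx.minimum_version = ctx.maximum_version = version
    raw = socket.create_connection((host, port), timeout=timeout)  # connect errors propagate
    try:
        with ctx.wrap_socket(raw, server_hostname=sni):  # sni=None sends no SNI extension
            return True
    except OSError:                          # ssl.SSLError or a reset during the handshake
        raw.close()
        return False

def mismatches(expected, observed):
    """(host, protocol, problem) for every difference between config and behaviour."""
    out = []
    for host, want in sorted(expected.items()):
        for name in VERSIONS:
            accepted = observed.get((host, name), False)
            if accepted and name not in want:
                out.append((host, name, "accepted but not configured"))
            elif name in want and not accepted:
                out.append((host, name, "configured but refused"))
    return out

if __name__ == "__main__":
    expected = expected_protocols(CONNECTOR_XML)
    observed = {(h, n): probe("localhost", 8443, None if h == "_default_" else h, v)
                for h in expected for n, v in VERSIONS.items()}
    print(*mismatches(expected, observed), sep="\n")
```

An empty result means every SNI name accepts exactly the protocols its SSLHostConfig lists. A local OpenSSL build without TLSv1 or TLSv1.1 support reports those versions as refused whatever the server does.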