Author: kkolinko
Date: Wed Dec 10 03:11:00 2014
New Revision: 1644321

URL: http://svn.apache.org/r1644321
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=57238
Updated SSL/TLS information for Tomcat 8/9
Patch by Glen Peterson

Modified:
    tomcat/trunk/webapps/docs/index.xml
    tomcat/trunk/webapps/docs/project.xml
    tomcat/trunk/webapps/docs/security-howto.xml
    tomcat/trunk/webapps/docs/ssl-howto.xml

Modified: tomcat/trunk/webapps/docs/index.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/index.xml?rev=1644321&r1=1644320&r2=1644321&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/index.xml (original)
+++ tomcat/trunk/webapps/docs/index.xml Wed Dec 10 03:11:00 2014
@@ -91,10 +91,9 @@ Apache Tomcat, and using many of the Apa
 <li><a href="jasper-howto.html"><strong>JSPs</strong></a>
     - Information about Jasper configuration, as well as the JSP compiler
     usage.</li>
-<li><a href="ssl-howto.html"><strong>SSL</strong></a> -
-    Installing and
-    configuring SSL support so that your Apache Tomcat will serve requests 
using
-    the <code>https</code> protocol.</li>
+<li><a href="ssl-howto.html"><strong>SSL/TLS</strong></a> -
+    Installing and configuring SSL/TLS support so that your Apache Tomcat will
+    serve requests using the <code>https</code> protocol.</li>
 <li><a href="ssi-howto.html"><strong>SSI</strong></a> -
     Using Server Side Includes in Apache Tomcat.</li>
 <li><a href="cgi-howto.html"><strong>CGI</strong></a> -

Modified: tomcat/trunk/webapps/docs/project.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/project.xml?rev=1644321&r1=1644320&r2=1644321&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/project.xml (original)
+++ tomcat/trunk/webapps/docs/project.xml Wed Dec 10 03:11:00 2014
@@ -47,7 +47,7 @@
               href="jndi-datasource-examples-howto.html"/>
         <item name="10) Classloading"       href="class-loader-howto.html"/>
         <item name="11) JSPs"               href="jasper-howto.html"/>
-        <item name="12) SSL"                href="ssl-howto.html"/>
+        <item name="12) SSL/TLS"            href="ssl-howto.html"/>
         <item name="13) SSI"                href="ssi-howto.html"/>
         <item name="14) CGI"                href="cgi-howto.html"/>
         <item name="15) Proxy Support"      href="proxy-howto.html"/>

Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1644321&r1=1644320&r2=1644321&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Wed Dec 10 03:11:00 2014
@@ -265,11 +265,27 @@
       proxy uses AJP then the SSL attributes of the client connection are
       passed via the AJP protocol and separate connectors are not needed.</p>
 
+      <p>The <strong>sslEnabledProtocols</strong> attribute determines which
+      versions of the SSL/TLS protocol are used.  Since the POODLE attack in
+      2014, all SSL protocols are considered unsafe and a secure setting for
+      this attribute in a standalone Tomcat setup might be
+      <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>
+
       <p>The <strong>ciphers</strong> attribute controls the ciphers used for
       SSL connections. By default, the default ciphers for the JVM will be 
used.
       This usually means that the weak export grade ciphers will be included in
       the list of available ciphers. Secure environments will normally want to
-      configure a more limited set of ciphers.</p>
+      configure a more limited set of ciphers.  This attribute accepts the
+      <a href="https://www.openssl.org/docs/apps/ciphers.html"; target="_blank"
+         rel="nofollow">
+      OpenSSL syntax</a> for including/excluding cipher suites.
+      As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy
+      can be achieved by specifying only TLS protocols using
+      the sslEnabledProtocols attribute (above) and excluding non-DH ciphers,
+      and weak/broken ciphers.  The
+      <a href="https://www.ssllabs.com/ssltest/index.html"; target="_blank"
+         rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
+      configuring these settings.</p>
 
       <p>The <strong>tomcatAuthentication</strong> attribute is used with the
       AJP connectors to determine if Tomcat should authenticate the user or if
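Review bot: both new external anchors in this hunk combine target="_blank" with rel="nofollow", but a link opened in a new tab should also carry rel="noopener" so that the opened site cannot reach the documentation page through window.opener; suggest `rel="nofollow noopener"` on the openssl.org and ssllabs.com links. Two smaller points in the same hunk: the new sslEnabledProtocols paragraph ends without a full stop after the `<code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code>` example, and "excluding non-DH ciphers" should state that both DHE and ECDHE suites give forward secrecy, since "DH" on its own can be read as excluding the ECDHE suites, which are the ones most clients prefer.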

Modified: tomcat/trunk/webapps/docs/ssl-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/ssl-howto.xml?rev=1644321&r1=1644320&r2=1644321&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/ssl-howto.xml (original)
+++ tomcat/trunk/webapps/docs/ssl-howto.xml Wed Dec 10 03:11:00 2014
@@ -25,7 +25,7 @@
     <properties>
         <author email="cc...@apache.org">Christopher Cain</author>
         <author email="yo...@apache.org">Yoav Shapira</author>
-        <title>SSL Configuration HOW-TO</title>
+        <title>SSL/TLS Configuration HOW-TO</title>
     </properties>
 
 <body>
@@ -42,7 +42,7 @@
     directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
     the directory into which you have installed Tomcat.</em></p>
 
-<p>To install and configure SSL support on Tomcat, you need to follow
+<p>To install and configure SSL/TLS support on Tomcat, you need to follow
 these simple steps.  For more information, read the rest of this HOW-TO.</p>
 <ol>
 <li><p>Create a keystore file to store the server&apos;s private key and
@@ -63,15 +63,16 @@ self-signed certificate by executing the
 </section>
 
 
-<section name="Introduction to SSL">
+<section name="Introduction to SSL/TLS" anchor="Introduction_to_SSL">
 
-<p>SSL, or Secure Socket Layer, is a technology which allows web browsers and
-web servers to communicate over a secured connection.  This means that the data
-being sent is encrypted by one side, transmitted, then decrypted by the other
-side before processing.  This is a two-way process, meaning that both the
-server AND the browser encrypt all traffic before sending out data.</p>
+<p>Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer
+(SSL), are technologies which allow web browsers and web servers to communicate
+over a secured connection.  This means that the data being sent is encrypted by
+one side, transmitted, then decrypted by the other side before processing.
+This is a two-way process, meaning that both the server AND the browser encrypt
+all traffic before sending out data.</p>
 
-<p>Another important aspect of the SSL protocol is Authentication.  This means
+<p>Another important aspect of the SSL/TLS protocol is Authentication.  This 
means
 that during your initial attempt to communicate with a web server over a secure
 connection, that server will present your web browser with a set of
 credentials, in the form of a "Certificate", as proof the site is who and what
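Review bot: the rename to "SSL/TLS" is applied to the section name and to "the SSL/TLS protocol", but the unchanged text a few lines below still reads "Most SSL-enabled web servers" (visible in the next hunk's @@ header); for consistent terminology that sentence should become "Most SSL/TLS-enabled web servers". Keeping anchor="Introduction_to_SSL" on the renamed section is the right call, since existing fragment links to this page stay valid.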
@@ -83,11 +84,13 @@ users.  Most SSL-enabled web servers do
 
 </section>
 
-<section name="SSL and Tomcat">
+<section name="SSL/TLS and Tomcat" anchor="SSL_and_Tomcat">
 
 <p>It is important to note that configuring Tomcat to take advantage of
 secure sockets is usually only necessary when running it as a stand-alone
-web server.  When running Tomcat primarily as a Servlet/JSP container behind
+web server.  Details can be found in the
+<a href="security-howto.html">Security Considerations Document</a>.
+When running Tomcat primarily as a Servlet/JSP container behind
 another web server, such as Apache or Microsoft IIS, it is usually necessary
 to configure the primary web server to handle the SSL connections from users.
 Typically, this server will negotiate all SSL-related functionality, then
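Review bot: "Details can be found in the Security Considerations Document" does not say which details are meant; suggest naming them, for example "Details of which connector attributes to set (sslEnabledProtocols, ciphers) can be found in the Security Considerations page", matching the paragraphs this patch adds to security-howto.xml. The surrounding context lines still say "SSL connections" and "SSL-related functionality" where "SSL/TLS" would match the rest of the patch.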
@@ -212,9 +215,9 @@ keystore using OpenSSL you would execute
 <source>openssl pkcs12 -export -in mycert.crt -inkey mykey.key
                        -out mycert.p12 -name tomcat -CAfile myCA.crt
                        -caname root -chain</source>
-<p>For more advanced cases, consult the <a 
href="http://www.openssl.org/";>OpenSSL
-documentation</a>.
-</p>
+<p>For more advanced cases, consult the
+<a href="http://www.openssl.org/"; rel="nofollow">OpenSSL documentation</a>.</p>
+
 <p>To create a new <code>JKS</code> keystore from scratch, containing a single
 self-signed Certificate, execute the following from a terminal command 
line:</p>
 <p>Windows:</p>


