Bug 1477666 - Tomcat is unaware of sslProtocols setting according to catalina logs
Status: CLOSED DUPLICATE of bug 1544995
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.2.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Assigned To: satellite6-bugs
QA Contact: Katello QA List
Keywords: Triaged
Depends On: 1478087
Reported: 2017-08-02 11:12 EDT by Pablo Hess
Modified: 2018-02-22 03:18 EST

Last Closed: 2018-02-22 03:18:02 EST
Type: Bug
Attachments: None

Description Pablo Hess 2017-08-02 11:12:59 EDT
Description of problem:
Tomcat as used by Candlepin ignores the sslProtocol setting. I want to offer TLSv1.1 and TLSv1.2 only and I modify /etc/tomcat/server.xml accordingly, but Tomcat does not pick it up.
In contrast, modifying the cipher list on the same file applies just as expected.


Version-Release number of selected component (if applicable):
Verified on tomcat-7.0.69-11.el7_3.noarch on Satellite 6.2.10.


How reproducible:
Every time.

Steps to Reproduce:
1. Open /etc/tomcat/server.xml and edit the 8443 connector settings
2. Change sslProtocols from "TLSv1.2,TLSv1.1,TLSv1" to simply "TLSv1.2"
3. Save, restart tomcat service
4. # nmap --script +ssl-enum-ciphers localhost -p 8443

Actual results:

TLSv1.0 and TLSv1.1 and TLSv1.2 are still offered:

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong
Expected results:

Only TLSv1.2 should be offered i.e. something like this output only:

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|_  least strength: strong
Additional info:

/var/log/catalina.log says: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1.2,TLSv1.1,TLSv1' did not find a matching property.

I also tried replacing 'sslProtocols' with 'sslProtocol' (singular) as this is the correct keyword. Still, Tomcat did not pick up the change and kept offering TLSv1.1 and TLSv1.0.


In contrast, setting the cipher list on the same connector was correctly picked up by Tomcat.
Comment 2 Alex Wood 2017-11-06 14:48:40 EST
The Tomcat 7 documentation (https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) is somewhat ambiguous here.

There are two supported options, sslEnabledProtocols and sslProtocol.  Both options support the JVM constants for SSL/TLS protocol versions (https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext) and the documentation notes that the options "overlap."  The difference between the two isn't really spelled out although from searching it seems that one option is retained for compatibility reasons.

My recommendation would therefore be to set both values to "TLSv1.1,TLSv1.2" to support TLS 1.1 and 1.2.  TLSv1 should not be enabled unless there is no other choice due to older clients.  No SSL version should ever be enabled due to well known protocol vulnerabilities (e.g. POODLE).  If we wanted to enforce TLSv1.2 only the correct setting would be "TLSv1.2".  Using 1.2 only is an admirable goal, but client considerations may demand otherwise.

This change would need to be implemented in the Satellite installer along with setting the file mode to 660 and the ownership to root.tomcat (the ownership should already be correct).
Comment 3 Alex Wood 2017-11-06 14:52:27 EST
I did see a note in one of our deployment scripts reading "For the time being, TLSv1 needs to stay enabled to support existing python-rhsm based clients."  That comment is pretty old, but probably warrants further investigation.
Comment 4 Alex Wood 2017-11-07 09:22:43 EST
After talking with some members of the M2Crypto team, it appears there is no support for TLS 1.1 in RHEL 5.  In light of that, I would recommend both "sslProtocol" and "sslEnabledProtocols" be set to "TLSv1,TLSv1.1,TLSv1.2".
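
An added check, not part of this bug report and not code from the Satellite installer or Tomcat: a small Python script that parses a server.xml, flags SSL connectors carrying the unrecognised 'sslProtocols' attribute (the cause of the "did not find a matching property" warning quoted in the description) and reports which protocol versions each connector explicitly enables through sslEnabledProtocols. The embedded server.xml is a constructed sample with one connector written as in the report and one as comment 4 recommends; the attribute semantics follow the Tomcat 7 connector documentation linked in comment 2, and the port numbers and cipher value are assumptions.

```python
"""Audit Tomcat server.xml SSL connectors for protocol-selection mistakes.

Added example for bug 1477666; the sample XML below is constructed, not
taken from a real Satellite installation.
"""
import xml.etree.ElementTree as ET

# Attributes the Tomcat 7 HTTP connector actually understands for protocol
# selection: sslProtocol picks the SSLContext, sslEnabledProtocols is the
# comma-separated list of versions the connector will offer.
RECOGNISED = ("sslProtocol", "sslEnabledProtocols")
# The misspelling from the report; Tomcat logs "did not find a matching
# property" for it and silently ignores the value.
MISSPELLED = ("sslProtocols",)
# Protocol names that must never be enabled (comment 2: POODLE and friends).
FORBIDDEN = {"SSL", "SSLv2", "SSLv3", "SSLv2Hello"}

# Constructed sample: connector 8443 is written as in the bug report,
# connector 9443 as comment 4 recommends (hypothetical ports and cipher).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>
"""


def split_protocols(value):
    """Turn 'TLSv1.2, TLSv1.1' into ['TLSv1.2', 'TLSv1.1']."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_connectors(xml_text):
    """Return one dict per SSL-enabled <Connector>: its port, the protocol
    attributes present, the explicitly enabled versions and a list of issues."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        issues = []
        for name in MISSPELLED:
            if name in attrs:
                issues.append(f"'{name}' is not a Tomcat connector property; "
                              "Tomcat ignores it and logs a warning")
        if not any(name in attrs for name in RECOGNISED):
            issues.append("neither sslProtocol nor sslEnabledProtocols is set; "
                          "the JSSE defaults decide which versions are offered")
        # Only sslEnabledProtocols states the offered versions explicitly.
        enabled = split_protocols(attrs.get("sslEnabledProtocols", ""))
        for proto in enabled:
            if proto in FORBIDDEN:
                issues.append(f"'{proto}' must not be enabled")
        findings.append({
            "port": attrs.get("port", "?"),
            "settings": {n: attrs[n] for n in RECOGNISED + MISSPELLED if n in attrs},
            "enabled": enabled,
            "issues": issues,
        })
    return findings


def report(findings):
    """Render findings as plain text, one connector per block."""
    lines = []
    for f in findings:
        lines.append(f"connector :{f['port']} enabled={f['enabled'] or 'default'}")
        for issue in f["issues"]:
            lines.append(f"  - {issue}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_connectors(SAMPLE_SERVER_XML)))
```

Running the script against the sample prints two blocks: the 8443 connector is reported with an empty explicit list and two issues (the ignored 'sslProtocols' attribute and the absence of any recognised attribute), which matches the symptom in the report, while the 9443 connector shows TLSv1, TLSv1.1 and TLSv1.2 with no issues. Pointing audit_connectors at the real /etc/tomcat/server.xml gives the same check before a restart, and the nmap run from the reproduction steps confirms the result on the wire afterwards.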
