View | Details | Raw Unified | Return to bug 57238

(-)a/webapps/docs/security-howto.xml (-1 / +21 lines)
Lines 269-275 Link Here
269
      SSL connections. By default, the default ciphers for the JVM will be used.
269
      SSL connections. By default, the default ciphers for the JVM will be used.
270
      This usually means that the weak export grade ciphers will be included in
270
      This usually means that the weak export grade ciphers will be included in
271
      the list of available ciphers. Secure environments will normally want to
271
      the list of available ciphers. Secure environments will normally want to
272
      configure a more limited set of ciphers.</p>
272
      configure a more limited set of ciphers.  This attribute accepts the
273
      <a href="https://www.openssl.org/docs/apps/ciphers.html" target="_blank">
274
      OpenSSL syntax</a> for including/excluding cipher suites.
275
      As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy
276
      can be achieved on the
277
      <a href="https://www.ssllabs.com/ssltest/index.html" target="_blank">
278
      Qualys SSL/TLS test</a> by specifying only TLS protocols using
279
      the sslEnabledProtocols attribute (further below) with the following
280
      ciphers:
281
      <code>ciphers="ALL:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!3DES:<br />
282
      !TLS_RSA_WITH_AES_128_CBC_SHA256:!TLS_RSA_WITH_AES_128_CBC_SHA:<br />
283
      !TLS_RSA_WITH_AES_128_GCM_SHA256:@STRENGTH"</code>  Tomcat does
284
      not "specify" a sort order, but it does seem to present the ciphers in
285
      order because some clients (nmap) choose different protocols when
286
      @STRENGTH is used.</p>
287
288
      <p>The <strong>sslEnabledProtocols</strong> attribute determines which
289
      versions of the SSL/TLS protocol are used.  Since the POODLE attack in
290
      2014, all SSL protocols are considered unsafe and a secure setting for
291
      this attribute in a standalone Tomcat setup might be
292
      <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>
273
293
274
      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
294
      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
275
      AJP connectors to determine if Tomcat should authenticate the user or if
295
      AJP connectors to determine if Tomcat should authenticate the user or if
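Review bot: the new forward-secrecy paragraph attributes the result to "specifying only TLS protocols" plus the cipher list, but forward secrecy comes from the key exchange, not the protocol version, and the list is built as `ALL` minus exclusions, so it removes only the three `TLS_RSA_*` suites named explicitly; any other static-RSA suite the JVM offers stays enabled. Say that the `!TLS_RSA_WITH_...` entries are what drop non-forward-secret key exchange (the linked OpenSSL syntax has the `!kRSA` alias for exactly that, if the parser Tomcat uses accepts it), and drop the sentence `Tomcat does not "specify" a sort order, but it does seem to present the ciphers in order because some clients (nmap) choose different protocols`, which speculates about ordering and conflates cipher suites with protocol versions; documentation should state verified behaviour only. Two smaller points: the `<br />` elements inside `<code>` make the attribute value look multi-line, so a note that the value is one unbroken string would help anyone copying it, and the `As of 2014-11-19` qualifier will go stale quickly; tie the recommendation to a Tomcat and Java version instead. The closing `<code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>` also lacks a full stop.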
(-)a/webapps/docs/ssl-howto.xml (-11 / +15 lines)
Lines 25-31 Link Here
25
    <properties>
25
    <properties>
26
        <author email="ccain@apache.org">Christopher Cain</author>
26
        <author email="ccain@apache.org">Christopher Cain</author>
27
        <author email="yoavs@apache.org">Yoav Shapira</author>
27
        <author email="yoavs@apache.org">Yoav Shapira</author>
28
        <title>SSL Configuration HOW-TO</title>
28
        <author email="glen@organicdesign.org">Glen Peterson</author>
29
        <title>SSL/TLS Configuration HOW-TO</title>
29
    </properties>
30
    </properties>
30
31
31
<body>
32
<body>
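Review bot: the title becomes `SSL/TLS Configuration HOW-TO` while the file remains `ssl-howto.xml`, which is fine, but check that other documentation pages linking to this one by its old title are updated in the same commit so the rename is consistent across the docs. The added `<author>` entry matches the format of the existing ones; whether patch contributors are listed in `<properties>` is a project convention the committer should confirm before applying.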
Lines 42-48 Link Here
42
    directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
43
    directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
43
    the directory into which you have installed Tomcat.</em></p>
44
    the directory into which you have installed Tomcat.</em></p>
44
45
45
<p>To install and configure SSL support on Tomcat, you need to follow
46
<p>To install and configure SSL/TLS support on Tomcat, you need to follow
46
these simple steps.  For more information, read the rest of this HOW-TO.</p>
47
these simple steps.  For more information, read the rest of this HOW-TO.</p>
47
<ol>
48
<ol>
48
<li><p>Create a keystore file to store the server&apos;s private key and
49
<li><p>Create a keystore file to store the server&apos;s private key and
Lines 63-77 self-signed certificate by executing the following command:</p> Link Here
63
</section>
64
</section>
64
65
65
66
66
<section name="Introduction to SSL">
67
<section name="Introduction to SSL/TLS">
67
68
68
<p>SSL, or Secure Socket Layer, is a technology which allows web browsers and
69
<p>Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer
69
web servers to communicate over a secured connection.  This means that the data
70
(SSL), are technologies which allow web browsers and web servers to communicate
70
being sent is encrypted by one side, transmitted, then decrypted by the other
71
over a secured connection.  This means that the data being sent is encrypted by
71
side before processing.  This is a two-way process, meaning that both the
72
one side, transmitted, then decrypted by the other side before processing.
72
server AND the browser encrypt all traffic before sending out data.</p>
73
This is a two-way process, meaning that both the server AND the browser encrypt
74
all traffic before sending out data.</p>
73
75
74
<p>Another important aspect of the SSL protocol is Authentication.  This means
76
<p>Another important aspect of the TLS protocol is Authentication.  This means
75
that during your initial attempt to communicate with a web server over a secure
77
that during your initial attempt to communicate with a web server over a secure
76
connection, that server will present your web browser with a set of
78
connection, that server will present your web browser with a set of
77
credentials, in the form of a "Certificate", as proof the site is who and what
79
credentials, in the form of a "Certificate", as proof the site is who and what
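Review bot: renaming the section from `Introduction to SSL` to `Introduction to SSL/TLS` changes the section `name`, from which the docs XSL derives the heading anchor, so existing deep links to the old anchor break and the `/` ends up in the fragment id; consider keeping the old anchor or checking for references to it. One wording point in the rewritten paragraph: `Another important aspect of the TLS protocol is Authentication` should say server authentication, since the sentences that follow describe the server presenting its certificate and the later `Client Authentication` text (visible in the next hunk header) is the contrasting case.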
Lines 83-93 users. Most SSL-enabled web servers do not request Client Authentication.</p> Link Here
83
85
84
</section>
86
</section>
85
87
86
<section name="SSL and Tomcat">
88
<section name="SSL/TLS and Tomcat">
87
89
88
<p>It is important to note that configuring Tomcat to take advantage of
90
<p>It is important to note that configuring Tomcat to take advantage of
89
secure sockets is usually only necessary when running it as a stand-alone
91
secure sockets is usually only necessary when running it as a stand-alone
90
web server.  When running Tomcat primarily as a Servlet/JSP container behind
92
web server.  Details can be found in the
93
<a href="security-howto.html">Security Considerations Document</a>.
94
When running Tomcat primarily as a Servlet/JSP container behind
91
another web server, such as Apache or Microsoft IIS, it is usually necessary
95
another web server, such as Apache or Microsoft IIS, it is usually necessary
92
to configure the primary web server to handle the SSL connections from users.
96
to configure the primary web server to handle the SSL connections from users.
93
Typically, this server will negotiate all SSL-related functionality, then
97
Typically, this server will negotiate all SSL-related functionality, then
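Review bot: the inserted sentence `Details can be found in the <a href="security-howto.html">Security Considerations Document</a>.` lands between the stand-alone case and the `When running Tomcat primarily as a Servlet/JSP container behind another web server` case, breaking the contrast the paragraph draws; move it to the end of the paragraph or make it a short separate paragraph so the two deployment cases stay adjacent. The terminology update is also incomplete here: the section is renamed to `SSL/TLS and Tomcat`, but the unchanged lines still say `SSL connections` and `SSL-related functionality`, so either update them to match the new heading or leave the heading as it was.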
