View | Details | Raw Unified | Return to bug 57238

(-)a/webapps/docs/index.xml (-4 / +3 lines)
Lines 91-100 Apache Tomcat, and using many of the Apache Tomcat features.</p> Link Here
91
<li><a href="jasper-howto.html"><strong>JSPs</strong></a>
91
<li><a href="jasper-howto.html"><strong>JSPs</strong></a>
92
    - Information about Jasper configuration, as well as the JSP compiler
92
    - Information about Jasper configuration, as well as the JSP compiler
93
    usage.</li>
93
    usage.</li>
94
<li><a href="ssl-howto.html"><strong>SSL</strong></a> -
94
<li><a href="ssl-howto.html"><strong>SSL/TLS</strong></a> -
95
    Installing and
95
    Installing and configuring SSL/TLS support so that your Apache Tomcat will
96
    configuring SSL support so that your Apache Tomcat will serve requests using
96
    serve requests using the <code>https</code> protocol.</li>
97
    the <code>https</code> protocol.</li>
98
<li><a href="ssi-howto.html"><strong>SSI</strong></a> -
97
<li><a href="ssi-howto.html"><strong>SSI</strong></a> -
99
    Using Server Side Includes in Apache Tomcat.</li>
98
    Using Server Side Includes in Apache Tomcat.</li>
100
<li><a href="cgi-howto.html"><strong>CGI</strong></a> -
99
<li><a href="cgi-howto.html"><strong>CGI</strong></a> -
(-)a/webapps/docs/project.xml (-1 / +1 lines)
Lines 47-53 Link Here
47
              href="jndi-datasource-examples-howto.html"/>
47
              href="jndi-datasource-examples-howto.html"/>
48
        <item name="10) Classloading"       href="class-loader-howto.html"/>
48
        <item name="10) Classloading"       href="class-loader-howto.html"/>
49
        <item name="11) JSPs"               href="jasper-howto.html"/>
49
        <item name="11) JSPs"               href="jasper-howto.html"/>
50
        <item name="12) SSL"                href="ssl-howto.html"/>
50
        <item name="12) SSL/TLS"            href="ssl-howto.html"/>
51
        <item name="13) SSI"                href="ssi-howto.html"/>
51
        <item name="13) SSI"                href="ssi-howto.html"/>
52
        <item name="14) CGI"                href="cgi-howto.html"/>
52
        <item name="14) CGI"                href="cgi-howto.html"/>
53
        <item name="15) Proxy Support"      href="proxy-howto.html"/>
53
        <item name="15) Proxy Support"      href="proxy-howto.html"/>
(-)a/webapps/docs/security-howto.xml (-1 / +17 lines)
Lines 265-275 Link Here
265
      proxy uses AJP then the SSL attributes of the client connection are
265
      proxy uses AJP then the SSL attributes of the client connection are
266
      passed via the AJP protocol and separate connectors are not needed.</p>
266
      passed via the AJP protocol and separate connectors are not needed.</p>
267
267
268
      <p>The <strong>sslEnabledProtocols</strong> attribute determines which
269
      versions of the SSL/TLS protocol are used.  Since the POODLE attack in
270
      2014, all SSL protocols are considered unsafe and a secure setting for
271
      this attribute in a standalone Tomcat setup might be
272
      <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>
273
268
      <p>The <strong>ciphers</strong> attribute controls the ciphers used for
274
      <p>The <strong>ciphers</strong> attribute controls the ciphers used for
269
      SSL connections. By default, the default ciphers for the JVM will be used.
275
      SSL connections. By default, the default ciphers for the JVM will be used.
270
      This usually means that the weak export grade ciphers will be included in
276
      This usually means that the weak export grade ciphers will be included in
271
      the list of available ciphers. Secure environments will normally want to
277
      the list of available ciphers. Secure environments will normally want to
272
      configure a more limited set of ciphers.</p>
278
      configure a more limited set of ciphers.  This attribute accepts the
279
      <a href="https://www.openssl.org/docs/apps/ciphers.html" target="_blank"
280
         rel="nofollow">
281
      OpenSSL syntax</a> for including/excluding cipher suites.
282
      As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy
283
      can be achieved by specifying only TLS protocols using
284
      the sslEnabledProtocols attribute (above) and excluding non-DH ciphers,
285
      and weak/broken ciphers.  The
286
      <a href="https://www.ssllabs.com/ssltest/index.html" target="_blank"
287
         rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
288
      configuring these settings.</p>
273
289
274
      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
290
      <p>The <strong>tomcatAuthentication</strong> attribute is used with the
275
      AJP connectors to determine if Tomcat should authenticate the user or if
291
      AJP connectors to determine if Tomcat should authenticate the user or if
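Review bot: In the new ciphers text at lines 283-285, "excluding non-DH ciphers" is ambiguous about ECDHE: forward secrecy comes from ephemeral (EC)DHE key exchange, so say "ciphers that do not use ephemeral DHE or ECDHE key exchange" rather than "non-DH", and since the paragraph now states that the attribute accepts OpenSSL syntax it should show one concrete example value instead of leaving readers to derive one from the prose. The "As of 2014-11-19" sentence will date quickly in a reference document; tie it to a Tomcat and Java version only, or drop the date. In the sslEnabledProtocols paragraph at lines 269-272, "might be" undersells the recommendation for a security how-to ("should be" reads better), and it is worth stating that SSLv2 and SSLv3 are what this setting leaves out, since "all SSL protocols are considered unsafe" leaves the reader to infer that the default may still enable them.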
(-)a/webapps/docs/ssl-howto.xml (-14 / +17 lines)
Lines 25-31 Link Here
25
    <properties>
25
    <properties>
26
        <author email="ccain@apache.org">Christopher Cain</author>
26
        <author email="ccain@apache.org">Christopher Cain</author>
27
        <author email="yoavs@apache.org">Yoav Shapira</author>
27
        <author email="yoavs@apache.org">Yoav Shapira</author>
28
        <title>SSL Configuration HOW-TO</title>
28
        <title>SSL/TLS Configuration HOW-TO</title>
29
    </properties>
29
    </properties>
30
30
31
<body>
31
<body>
Lines 42-48 Link Here
42
    directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
42
    directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
43
    the directory into which you have installed Tomcat.</em></p>
43
    the directory into which you have installed Tomcat.</em></p>
44
44
45
<p>To install and configure SSL support on Tomcat, you need to follow
45
<p>To install and configure SSL/TLS support on Tomcat, you need to follow
46
these simple steps.  For more information, read the rest of this HOW-TO.</p>
46
these simple steps.  For more information, read the rest of this HOW-TO.</p>
47
<ol>
47
<ol>
48
<li><p>Create a keystore file to store the server&apos;s private key and
48
<li><p>Create a keystore file to store the server&apos;s private key and
Lines 63-77 self-signed certificate by executing the following command:</p> Link Here
63
</section>
63
</section>
64
64
65
65
66
<section name="Introduction to SSL">
66
<section name="Introduction to SSL/TLS" anchor="Introduction_to_SSL">
67
67
68
<p>SSL, or Secure Socket Layer, is a technology which allows web browsers and
68
<p>Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer
69
web servers to communicate over a secured connection.  This means that the data
69
(SSL), are technologies which allow web browsers and web servers to communicate
70
being sent is encrypted by one side, transmitted, then decrypted by the other
70
over a secured connection.  This means that the data being sent is encrypted by
71
side before processing.  This is a two-way process, meaning that both the
71
one side, transmitted, then decrypted by the other side before processing.
72
server AND the browser encrypt all traffic before sending out data.</p>
72
This is a two-way process, meaning that both the server AND the browser encrypt
73
all traffic before sending out data.</p>
73
74
74
<p>Another important aspect of the SSL protocol is Authentication.  This means
75
<p>Another important aspect of the SSL/TLS protocol is Authentication.  This means
75
that during your initial attempt to communicate with a web server over a secure
76
that during your initial attempt to communicate with a web server over a secure
76
connection, that server will present your web browser with a set of
77
connection, that server will present your web browser with a set of
77
credentials, in the form of a "Certificate", as proof the site is who and what
78
credentials, in the form of a "Certificate", as proof the site is who and what
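Review bot: The rewritten introduction at lines 68-73 presents SSL and TLS as interchangeable "technologies", while the security-howto part of this same patch says all SSL protocol versions are considered unsafe; one sentence here stating that the SSL versions are obsolete and that TLS is the protocol that should actually be negotiated would keep the two pages from contradicting each other.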
Lines 83-93 users. Most SSL-enabled web servers do not request Client Authentication.</p> Link Here
83
84
84
</section>
85
</section>
85
86
86
<section name="SSL and Tomcat">
87
<section name="SSL/TLS and Tomcat" anchor="SSL_and_Tomcat">
87
88
88
<p>It is important to note that configuring Tomcat to take advantage of
89
<p>It is important to note that configuring Tomcat to take advantage of
89
secure sockets is usually only necessary when running it as a stand-alone
90
secure sockets is usually only necessary when running it as a stand-alone
90
web server.  When running Tomcat primarily as a Servlet/JSP container behind
91
web server.  Details can be found in the
92
<a href="security-howto.html">Security Considerations Document</a>.
93
When running Tomcat primarily as a Servlet/JSP container behind
91
another web server, such as Apache or Microsoft IIS, it is usually necessary
94
another web server, such as Apache or Microsoft IIS, it is usually necessary
92
to configure the primary web server to handle the SSL connections from users.
95
to configure the primary web server to handle the SSL connections from users.
93
Typically, this server will negotiate all SSL-related functionality, then
96
Typically, this server will negotiate all SSL-related functionality, then
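Review bot: Terminology inside this hunk is inconsistent: the heading becomes "SSL/TLS and Tomcat" but lines 95-96 still read "handle the SSL connections from users" and "negotiate all SSL-related functionality"; update those to SSL/TLS to match the heading. The added pointer to security-howto.html is useful, but "Details can be found in the Security Considerations Document" at lines 91-92 now sits between the stand-alone claim and the sentence that explains it; moving the pointer to the end of the paragraph keeps the argument in one piece.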
Lines 212-220 keystore using OpenSSL you would execute a command like:</p> Link Here
212
<source>openssl pkcs12 -export -in mycert.crt -inkey mykey.key
215
<source>openssl pkcs12 -export -in mycert.crt -inkey mykey.key
213
                       -out mycert.p12 -name tomcat -CAfile myCA.crt
216
                       -out mycert.p12 -name tomcat -CAfile myCA.crt
214
                       -caname root -chain</source>
217
                       -caname root -chain</source>
215
<p>For more advanced cases, consult the <a href="http://www.openssl.org/">OpenSSL
218
<p>For more advanced cases, consult the
216
documentation</a>.
219
<a href="http://www.openssl.org/" rel="nofollow">OpenSSL documentation</a>.</p>
217
</p>
220
218
<p>To create a new <code>JKS</code> keystore from scratch, containing a single
221
<p>To create a new <code>JKS</code> keystore from scratch, containing a single
219
self-signed Certificate, execute the following from a terminal command line:</p>
222
self-signed Certificate, execute the following from a terminal command line:</p>
220
<p>Windows:</p>
223
<p>Windows:</p>
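Review bot: The link at line 219 uses http://www.openssl.org/ while the security-howto hunk in this patch links to https://www.openssl.org/; use https here as well for consistency, so the documentation link itself is not fetched in the clear. The `</p>` now closing on the same line as the link (lines 218-219) is the right fix for the stray `</p>` at old line 217.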