How to enable h3 in Tomcat? - java

How do I configure/enable HTTP/3 in Tomcat? Any documented steps would help. I checked the official Tomcat documentation but could not find anything. Here is my current connector tag from server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" keystoreFile="mykeystorejks"
           keystorePass="****" server="Unknown"
           sslEnabledProtocols="TLSv1.2"
           ciphers="!aNULL,!eNULL,!EXPORT,!DES,!MD5,!PSK,!RC4,!3DES,!CBC3,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
/>

Apache Tomcat does not support HTTP/3.
If you really need HTTP/3 support then you would need to place Tomcat behind a reverse proxy that does support HTTP/3 and then proxy the requests to Tomcat over one of the supported protocols (AJP, HTTP/1.1, HTTP/2).

Related

How to configure Tomcat SSLHostConfig correctly?

I was following this tutorial to enable ssl in tomcat: https://medium.com/#raupach/how-to-install-lets-encrypt-with-tomcat-3db8a469e3d2
Although Tomcat is running at the end, I cannot access HTTPS; the browser says "unable to connect". So I checked the logs and I got:
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
but my certificateFile is defined, as you can see:
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="100"
           compression="on"
           scheme="https"
           SSLEnabled="true"
           secure="true"
           SSLVerifyClient="none"
           SSLProtocol="TLSv1.2"
           defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test">
        <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem" certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>
These files are present in conf/.
Tomcat 9 docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html (sections SSLHostConfig and Certificate)
You use a mix of new (since Tomcat 8.5) and deprecated attributes (cf. Tomcat documentation). The effect of setting, e.g., SSLProtocol is the creation of a second <SSLHostConfig> with hostname _default_. That is the element the error message is referring to.
You should replace the obsolete tags (SSLVerifyClient and SSLProtocol) with their current counterparts (or omit them if you want the default value):
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="100"
           compression="on"
           scheme="https"
           SSLEnabled="true"
           secure="true"
           defaultSSLHostConfigName="test.test">
    <SSLHostConfig hostName="test.test"
                   protocols="TLSv1.2">
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>
Remark: The attributes you used were specific to the APR connector. If that choice was intentional, you should change the protocol to org.apache.coyote.http11.Http11AprProtocol.

How to enable TLS 1.2 for Tomcat webserver connections? We are using Tomcat 7.0.82

I have a Tomcat webapp where the client is using TLS 1.2, but a technical scan found that the server still accepts TLS 1.0. I want to enable TLS 1.2 only. We are using Java 7, and the connector snippet from server.xml is below:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true"
           enableLookups="true" connectionTimeout="300000" socket.soLingerOn="false"
           maxKeepAliveRequests="1000" maxThreads="50" port="2024"
           protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
           sslProtocol="TLS" keystoreFile="/cert/fic_rest.jks" keystorePass="********"
           truststoreFile="/cert/fic_rest.jks" server="UnIdentified" compression="on"
           compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
/>
<!-- Define an AJP 1.3 Connector on port 2023 -->
<Connector port="2023" protocol="AJP/1.3" redirectPort="2022" />
<Connector acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="true"
           connectionTimeout="300000" socket.soLingerOn="false" maxKeepAliveRequests="1000"
           maxThreads="50" port="2020" protocol="org.apache.coyote.http11.Http11NioProtocol"
           server="UnIdentified"
/>
Would changing sslProtocol="TLS" to sslProtocol="TLSv1.2" be enough?
We are using Tomcat 7.0.82.
The sslProtocol attribute does next to nothing: it only specifies which SSLContext to use, but from the perspective of a server this does not restrict anything. Any version of SSLContext sets the default SSL server protocols to the entire list of supported protocols (cf. source code).
Therefore you need to set sslEnabledProtocols="TLSv1.2" (cf. Tomcat documentation) to restrict the accepted protocol versions to only TLS 1.2. You can then test your configuration using curl.
However, if disallowing TLS versions lower than 1.2 is a security constraint for the whole system, you can enforce it (cf. this question) by adding the following line to $JRE_HOME/lib/security/java.security:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
Warning: this will influence all TLS connections in Java, even those with old databases.

Configuring Tomcat to use Windows Certificate Store for SSL

I've deployed a number of SSL configurations, including both Tomcat (cacerts + keytool) and IIS (Windows Certificate Store + netsh http sslcert) so I'm familiar with these procedures.
Has anyone come up with a way to point Tomcat's SSL connector to a Windows Store (i.e. configuration, extension, plugin, etc.)? Just looking to centralize management of SSL deployments to one store, vs. having multiple stores.
According to the answer on "SSL enabling in Tomcat Windows server", you can specify the keystore type as "Windows-My" in the connector configuration in server.xml; it worked for me on Tomcat 8.0.22 as well:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keyAlias="<alias of the cert>"
           keystoreFile=""
           keystorePass=""
           keystoreType="Windows-My"
           clientAuth="false"
           sslProtocol="TLS"
           keepAliveTimeout="200000" />
keystoreFile and keystorePass have to be set to an empty string; see my comment at bz.apache.org, BUG 56021.
If not set, they will default to values that cause trouble.
keyAlias should be either the friendly name (if it has one) or the common name of the certificate.
It seems not to be possible. From the Tomcat 8 documentation, https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html:
"Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores."
The Windows Store would require a specific connector similar to the 'WINDOWS-MY' of JSSE.
There is no reference in the documentation to any plugin or connector for the Windows Certificate Store.
While Dmitry's solution works on Tomcat 8.0, from Tomcat 8.5 onward there is a small caveat: you need to explicitly set JSSE as SSLImplementation. Hence the configuration becomes (considering also the new structure introduced in Tomcat 8.5):
<Connector port="8443"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreType="Windows-MY"
                     certificateKeystoreFile=""
                     certificateKeyAlias="tomcat" />
    </SSLHostConfig>
</Connector>
Alternatively, one can also set useOpenSSL="false" on the AprLifecycleListener.

Tomcat server in Eclipse does not support TLS/SSL

I am trying to get a self-signed certificate for my website. I created a certificate using keytool and then made the following changes in conf/server.xml:
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1"
           redirectPort="8443" />
<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="c:\tomcat\keystore\.keystore" keystorePass="changeit"
           maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https"
           secure="true" sslProtocol="TLS" />
When I run the Tomcat server externally and open https://localhost:8443 it works, but when I run the Tomcat server in Eclipse I get a 404 error.
Can anyone please help me with this. Thanks in advance.
I referred to the below sites for help.
http://technology-for-human.blogspot.com/2011/08/ssl-in-tomcat-under-eclipse-part-1-self.html
Eclipse WTP: How do I enable SSL on Tomcat?
According to https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
the sslProtocol property should be one of the following: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, all.
Try putting "TLSv1+TLSv1.1+TLSv1.2".
Be sure there are no exceptions regarding the keystore's path or password.
And last but not least, remove the redirectPort property from the other Connectors.

How to configure a secure fake port on Tomcat?

I have an application that runs on a secure channel, and I want to configure a secure port. I am adding the following connector to my Tomcat server.xml file:
<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="150" secure="true"
           clientAuth="false" />
It connects to the server when I open
https://localhost.com:8443
in the browser, but I never get a response back; it stays connected to the server forever.
I would really appreciate any help on this.
Thanks.
It is because your configuration is not complete. Take a look at this tutorial:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
It has to look more like this:
<Connector protocol="HTTP/1.1"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />
Without SSLEnabled="true" there will be no encryption.
I found the issue was that a web service my application depends on was down; that is why requests were stuck forever.
However, the above configuration for the fake secure port worked for me.
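The answers above describe four server.xml mistakes that are easy to make by hand: APR-era connector attributes mixed with an explicit <SSLHostConfig> (which produces the "certificateFile must be defined" error via the implicit _default_ host), sslProtocol used where sslEnabledProtocols was needed, a "secure" port that never set SSLEnabled="true", and the Windows-MY keystore caveats. The following Python linter is an added example, not code from any of the posters or from the Tomcat project: it parses a server.xml and reports those conditions. The sample server.xml is constructed from the connectors posted in the threads above; the legacy-attribute migration table follows the Tomcat 8.5 HTTP connector documentation; rule wording and report format are this example's own.

```python
"""Lint TLS connectors in a Tomcat server.xml for the mistakes discussed above.
Added example, not Tomcat tooling: rule wording and report format are its own.
"""
import xml.etree.ElementTree as ET

# Connector attributes Tomcat 8.5+ migrates into an implicit
# <SSLHostConfig hostName="_default_">, mapped to their replacements.
LEGACY_HOST_ATTRS = {
    "SSLProtocol": "protocols", "SSLVerifyClient": "certificateVerification",
    "SSLCertificateFile": "certificateFile", "SSLCertificateKeyFile": "certificateKeyFile",
    "SSLCipherSuite": "ciphers", "ciphers": "ciphers", "sslEnabledProtocols": "protocols",
    "sslProtocol": "sslProtocol", "clientAuth": "certificateVerification",
    "keystoreFile": "certificateKeystoreFile", "keystorePass": "certificateKeystorePassword",
    "keystoreType": "certificateKeystoreType", "keyAlias": "certificateKeyAlias",
    "truststoreFile": "truststoreFile",
}
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
JSSE_IMPL = "org.apache.tomcat.util.net.jsse.JSSEImplementation"


def split_protocols(value):
    """Tomcat accepts comma- or '+'-separated protocol lists."""
    return [p.strip() for p in value.replace("+", ",").split(",") if p.strip()]


def check_versions(port, where, value):
    """Flag a protocol list that is absent, 'all', or names a pre-TLS-1.2 version."""
    if value is None or value.strip().lower() == "all":
        return [(port, f"{where}: versions not explicitly restricted; set TLSv1.2 or later")]
    weak = [p for p in split_protocols(value) if p in WEAK_PROTOCOLS]
    return [(port, f"{where}: weak protocol versions enabled: {', '.join(weak)}")] if weak else []


def forces_jsse(conn, listeners):
    """With the APR listener loaded, Tomcat 8.5+ picks OpenSSL unless told otherwise."""
    if conn.get("sslImplementationName") == JSSE_IMPL:
        return True
    return any(lst.get("className", "").endswith("AprLifecycleListener")
               and lst.get("useOpenSSL", "true").lower() == "false" for lst in listeners)


def lint_connector(conn, listeners):
    port = conn.get("port", "?")
    if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
        return []  # AJP carries no TLS settings of its own
    findings = []
    ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
    if (conn.get("scheme") == "https" or conn.get("secure", "").lower() == "true") and not ssl_enabled:
        findings.append((port, 'scheme/secure set without SSLEnabled="true": port serves plaintext HTTP'))
    if not ssl_enabled:
        return findings
    host_configs = conn.findall("SSLHostConfig")
    legacy = [a for a in conn.attrib if a in LEGACY_HOST_ATTRS]
    if host_configs and legacy:
        moves = ", ".join(f"{a} -> {LEGACY_HOST_ATTRS[a]}" for a in legacy)
        findings.append((port, "legacy attributes create a second _default_ SSLHostConfig without a "
                               f"certificate; move them into <SSLHostConfig>: {moves}"))
    for hc in host_configs:
        findings += check_versions(port, f"SSLHostConfig {hc.get('hostName', '_default_')}", hc.get("protocols"))
        for cert in hc.findall("Certificate"):
            if cert.get("certificateKeystoreType", "").lower() != "windows-my":
                continue
            if cert.get("certificateKeystoreFile") != "":
                findings.append((port, 'Windows-MY keystore needs certificateKeystoreFile=""'))
            if not forces_jsse(conn, listeners):
                findings.append((port, f'Windows-MY on Tomcat 8.5+ needs sslImplementationName="{JSSE_IMPL}" '
                                       'or useOpenSSL="false" on the AprLifecycleListener'))
    if not host_configs:  # Tomcat 7 / 8.0 style: everything sits on the <Connector>
        if "sslProtocol" in conn.attrib and "sslEnabledProtocols" not in conn.attrib:
            findings.append((port, "sslProtocol only selects the SSLContext; add sslEnabledProtocols to restrict versions"))
        findings += check_versions(port, "connector", conn.get("sslEnabledProtocols"))
        if conn.get("keystoreType", "").lower() == "windows-my":
            findings += [(port, f'Windows-MY keystore needs {a}="" (bz 56021)')
                         for a in ("keystoreFile", "keystorePass") if conn.get(a) != ""]
    return findings


def lint_server_xml(xml_text):
    """Return (port, message) findings for every HTTP connector in a server.xml document."""
    root = ET.fromstring(xml_text)
    listeners = root.findall("Listener")
    return [f for conn in root.iter("Connector") for f in lint_connector(conn, listeners)]


# Constructed server.xml combining the connectors posted in the threads above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               SSLVerifyClient="none" SSLProtocol="TLSv1.2" defaultSSLHostConfigName="test.test">
      <SSLHostConfig hostName="test.test">
        <Certificate certificateFile="conf/cert.pem" certificateKeyFile="conf/privkey.pem" />
      </SSLHostConfig>
    </Connector>
    <Connector port="2024" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/cert/fic_rest.jks" />
    <Connector port="8443" protocol="HTTP/1.1" secure="true" clientAuth="false" />
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreType="Windows-MY" certificateKeystoreFile="" certificateKeyAlias="tomcat" />
      </SSLHostConfig>
    </Connector>
    <Connector port="2023" protocol="AJP/1.3" redirectPort="2022" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, message in lint_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {message}")
```

Run it against a real conf/server.xml by passing the file contents to lint_server_xml. The linter deliberately does not try to know what a given Tomcat version treats as the default protocol list, so any connector or SSLHostConfig with no explicit protocols (or "all") is reported; the page's own advice is to pin TLSv1.2 (or later) explicitly rather than rely on that default.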
