We want to use an Apache2 (v2.4.51) as a (reverse) proxy to access a downstream server (running Tomcat). That Tomcat is configured to accept only TLS v1.2 and a very limited set of ciphers (and that’s not negotiable).
In the logs I found that our Apache tries to open the connection to that Tomcat using TLS v1.3 which causes the downstream server to immediately terminate the connection and no further communication happens.
How can I configure an Apache server to use a specific TLS version and cipher on an outgoing/ downstream connection? Everything I found re. Apache TLS configuration so far was dealing with the front-side, i.e. what Apache receives and accepts. But in my case I need to adjust the back-end-side, i.e. what Apache uses when it forwards a request.
How/where can one configure that?
Edit: Meanwhile I realized that the terms "upstream" & "downstream" are not always used consistently – so just in case: with "downstream" here I mean the connection (2) as sketched below:
{browsers/internet} --(1)--> [Apache reverse proxy] --(2)--> [Tomcat application server].
Edit 2: In Tomcat’s log (catalina.out) I keep getting the below exception which seems to suggest that it is addressed using TLS v1.3 (which it can’t handle):
Oct 06, 2022 5:22:06 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
    at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
    at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
    at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
    at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
    at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
    at java.lang.Thread.run(Thread.java:750)
javax.net.ssl|FINE|B5|http-nio-8443-Acceptor-0|2022-10-06 17:22:07.539 CEST|HandshakeContext.java:304|No available cipher suite for TLS13
javax.net.ssl|SEVERE|B5|http-nio-8443-Acceptor-0|2022-10-06 17:22:07.540 CEST|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
    at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
    at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
    at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
    at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
    at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
    at java.lang.Thread.run(Thread.java:750)}
Edit 3: my /etc/apache2/conf.d/proxy.conf file now reads:
Listen 443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile -name-removed-
    SSLProxyEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyMachineCertificateFile -name-removed-
    ProxyPass /foobar https://-name-removed-:8443/foobar
    ProxyPassReverse /foobar https://-name-removed-:8443/foobar
    SSLProxyProtocol +TLSv1.2
    <Proxy "*">
        Require all granted
        SSLProxyProtocol +TLSv1.2
    </Proxy>
    LogLevel debug
    ErrorLog "-name-removed-"
</VirtualHost>
Note: "foobar" and "-name-removed-" represent values that I replaced for privacy.
Edit 4: The nmap response was:
# nmap -sV --script ssl-enum-ciphers -p 8443 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-10 16:12 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
PORT STATE SERVICE VERSION
8443/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
#
What does that tell me?
2 Answers
The issue has been resolved! I had a typo in the config file! Shame on me and sorry for the bandwidth consumed.
I would suggest running a utility like nmap to assess the SSL capabilities of the backend server (Tomcat) in this instance. nmap nicely prints out the TLS protocols and ciphers that a given TLS server supports. Using this information, we could configure Apache HTTPD to use the same protocols and ciphers for the backend connection using SSLProxyProtocol and SSLProxyCipherSuite directives.
How to use nmap:
nmap -sV --script ssl-enum-ciphers -p
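Added example, not code from the question or from either answer: a small Python script that carries the answer above through end to end and ties it back to connection (2) in the question's sketch. It parses the report nmap's ssl-enum-ciphers script prints for the backend port, translates the IANA suite names nmap uses into the OpenSSL names mod_ssl expects, and emits the SSLProxyProtocol and SSLProxyCipherSuite lines for Apache's outgoing side; it then checks the resulting cipher string against the OpenSSL build on the local host, since that is the library mod_ssl will hand the string to. The embedded nmap report is constructed (not a real scan), the IANA-to-OpenSSL table is a partial hand-written assumption, and the function names are mine. A report that contains no ssl-enum-ciphers section, as with the tcpwrapped result in Edit 4, parses to an empty dict and yields no directives rather than a guessed configuration.

```python
"""Build Apache mod_ssl proxy-side directives from nmap ssl-enum-ciphers output.

Added example, not code from the question or the answers.  Assumptions:
the function names are mine, IANA_TO_OPENSSL is a partial hand-written table,
and SAMPLE_NMAP_OUTPUT is a constructed report, not a real scan.
"""
import re
import ssl

# Constructed nmap report for a backend that offers TLS 1.2 only, with two
# ECDHE/AES-GCM suites, in the layout the ssl-enum-ciphers script prints.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# nmap prints IANA suite names; mod_ssl's SSLProxyCipherSuite takes OpenSSL
# names.  Partial table (assumption): extend it for whatever the backend offers.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    # TLS 1.3 suites: nmap writes them with an AKE_WITH infix, OpenSSL without.
    "TLS_AKE_WITH_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_AKE_WITH_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}
NMAP_TO_APACHE_PROTOCOL = {"TLSv1.0": "TLSv1"}   # mod_ssl's keyword for TLS 1.0

PROTO_RE = re.compile(r"^(SSLv3|TLSv1\.[0-3]):$")
SUITE_RE = re.compile(r"^(TLS_\S+)(?:\s+\([^)]*\))?\s+-\s+([A-F])$")


def parse_ssl_enum_ciphers(report):
    """Return {protocol: [(iana_suite, nmap_grade), ...]} in nmap's listed order.
    A report with no ssl-enum-ciphers section (e.g. just 'tcpwrapped') gives {}."""
    scan, proto, in_ciphers = {}, None, False
    for raw in report.splitlines():
        line = raw.lstrip("|_ \t").rstrip()      # strip nmap's script-output gutter
        m = PROTO_RE.match(line)
        if m:
            proto, in_ciphers = m.group(1), False
            scan[proto] = []
        elif line == "ciphers:":
            in_ciphers = True
        elif line.endswith(":") or line.startswith(("cipher preference", "least strength")):
            in_ciphers = False                    # compressors:, warnings:, ...
        elif in_ciphers and proto:
            m = SUITE_RE.match(line)
            if m:
                scan[proto].append((m.group(1), m.group(2)))
    return scan


def apache_proxy_directives(scan):
    """Return (directives, unmapped).  directives are the mod_ssl lines for the
    proxy side; unmapped are IANA names missing from IANA_TO_OPENSSL, which are
    reported rather than silently dropped from the cipher list."""
    if not scan:
        return [], []
    directives = ["SSLProxyProtocol " + " ".join(NMAP_TO_APACHE_PROTOCOL.get(p, p) for p in scan)]
    legacy, tls13, unmapped = [], [], []
    for proto, suites in scan.items():
        for iana_name, _grade in suites:
            openssl_name = IANA_TO_OPENSSL.get(iana_name)
            if openssl_name is None:
                unmapped.append(iana_name)
            elif proto == "TLSv1.3":
                tls13.append(openssl_name)
            else:
                legacy.append(openssl_name)
    if legacy:   # TLS 1.2 and earlier share one OpenSSL cipher string
        directives.append("SSLProxyCipherSuite " + ":".join(legacy))
    if tls13:    # TLS 1.3 suites take a separate directive (Apache 2.4.36+)
        directives.append("SSLProxyCipherSuite TLSv1.3 " + ":".join(tls13))
    return directives, unmapped


def cipher_spec_known_to_local_openssl(spec):
    """True if every name in a (TLS 1.2 and earlier) OpenSSL cipher string is
    enabled by the OpenSSL build on this host, which is what mod_ssl links to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return all(name in enabled for name in spec.split(":"))


if __name__ == "__main__":
    scan = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    lines, missing = apache_proxy_directives(scan)
    print("\n".join(lines))              # two SSLProxy* lines for the sample
    if missing:
        print("# not in IANA_TO_OPENSSL, add by hand:", ", ".join(missing))
    print("# cipher string valid locally:",
          cipher_spec_known_to_local_openssl(lines[1].split(" ", 1)[1]))
```

The directives go into the VirtualHost (or the Proxy section) that carries the ProxyPass for the backend; the protocol list is written as plain keywords rather than with a leading "+", which is the form the mod_ssl documentation gives for restricting to an exact set. The local OpenSSL check matters because a suite name the backend offers is useless in SSLProxyCipherSuite if the proxy's own OpenSSL does not enable it, and mod_ssl would then fail to negotiate just as it did in the question.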