
I've inherited a small secure web application that runs on a single Tomcat 6 web server on a machine running Amazon Linux. I need to disable the SSLv3 fallback, but I just can't find where the HTTPS configuration is located (e.g. the path to the PEM file, etc.).

The config files at /usr/share/tomcat6/conf/server.xml and /etc/tomcat6/server.xml (which are both identical) have the following (what looks like default) setup:

<Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>

        <Host name="localhost" appBase="webapps"
              unpackWARs="true" autoDeploy="true"
              xmlValidation="false" xmlNamespaceAware="false">

            <Context path="" docBase="/var/www/" debug="1" reloadable="true" override="true" allowLinking="true" />
            <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" />
        </Host>
    </Engine>
</Service>

My understanding is that there should be additional configuration here with details of the SSL cert etc. Is there somewhere else this stuff can be configured? If not, why does the server handle HTTPS requests successfully?

RTF
  • The presence of the AJP connector is an indication that a web server such as apache may be the front-end where SSL is being terminated. – HBruijn Nov 26 '14 at 14:00
  • I had a look, but apache is not installed on the box. If what you are saying were true, then apache would almost certainly be the type of server that would be used (given what I know about the developer that I inherited this stuff from). – RTF Nov 26 '14 at 14:14
  • The only connectors configured are for ports 8080 and 8009. So if your server is accessible by https (port 443) there must be another process handling the SSL/TLS in front of Tomcat. If not Apache, maybe Nginx. – David Levesque Nov 26 '14 at 15:29
  • You may be able to find the process listening on port 443 with this command: `sudo netstat -tulpn | grep :443` – David Levesque Nov 26 '14 at 15:37
  • Sorry, it looks like apache is installed - `httpd` is listening on 443 owned by user `apache` (not www-data). But there's no /etc/apache* directory, the only thing I can find is `/usr/sbin/apachectl`. Do you know where I can find the installation or where the configuration should be? – RTF Nov 26 '14 at 15:56
  • Please update your question with your OS version, then poke around in /etc/httpd/ – JasonAzze Nov 26 '14 at 16:05
  • `/etc/httpd` is what I was looking for, the ssl config I need is at `/etc/httpd/conf.d/ssl.conf`. @HBruijn was right, apache is fronting the requests. Thanks guys! – RTF Nov 26 '14 at 16:12
  • If any one of you want to throw that stuff into an answer, I'll accept it for you. Otherwise, I'll create an answer myself. – RTF Nov 26 '14 at 16:13

1 Answer


In your case the presence of the AJP connector in your server.xml is a good indication that a web server such as Apache with mod_ajp or mod_proxy_ajp is used as a front end, e.g. to off-load the serving of static content and to terminate SSL.

Disabling SSLv3 then depends on the actual web server being used; for Apache, some suggestions can be found at https://unix.stackexchange.com/questions/162478/how-to-disable-sslv3-in-apache

HBruijn
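An added example, not from the question or the answer above, showing the check a practitioner would run once the fronting httpd has been found: a shell script that reads the effective `SSLProtocol` directive out of an Apache `ssl.conf` and reports whether SSLv3 is still enabled, comparing a weak directive with its hardened form. The two sample config files are constructed here for the demonstration (their certificate paths are placeholders, not taken from the original post); the optional live probe at the end assumes a reachable host on port 443 and an OpenSSL build that still has SSLv3 support compiled in.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an Apache
# ssl.conf leaves SSLv3 enabled, using constructed sample configs.
# Assumption: the last uncommented SSLProtocol directive in the file is
# the effective one (per-<VirtualHost> scoping is not modelled).

# Print the token list of the last uncommented SSLProtocol directive,
# or nothing if the file has none.
effective_sslprotocol() {
    awk 'tolower($1) == "sslprotocol" { $1 = ""; sub(/^[ \t]+/, ""); line = $0 }
         END { print line }' "$1"
}

# Exit 0 if the effective SSLProtocol excludes SSLv3, 1 otherwise.
# Tokens are applied left to right as set operations, which is how the
# documented forms ("all -SSLv3", "TLSv1 TLSv1.1 TLSv1.2") read.
sslv3_disabled() {
    protos=$(effective_sslprotocol "$1")
    # No directive at all: the compiled-in default applies, and on older
    # mod_ssl that default includes SSLv3, so do not report it as disabled.
    [ -n "$protos" ] || return 1
    sslv3=0
    for tok in $protos; do
        lower=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$lower" in
            all|+all|sslv3|+sslv3) sslv3=1 ;;
            -all|-sslv3)           sslv3=0 ;;
        esac
    done
    [ "$sslv3" -eq 0 ]
}

# Live probe (needs network): exit 0 if the server refuses an SSLv3
# handshake, 1 if it accepts one, 2 if the local openssl cannot even
# attempt SSLv3 (modern builds drop it), in which case the result is
# inconclusive and the config check above is what you have.
sslv3_refused_by() {
    openssl s_client -help 2>&1 | grep -q -- '-ssl3' || return 2
    if printf 'Q\n' | openssl s_client -connect "$1:443" -ssl3 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CONF="$WORKDIR/ssl-weak.conf"
HARDENED_CONF="$WORKDIR/ssl-hardened.conf"

# Constructed sample: a directive of the kind shipped in older RHEL-style
# ssl.conf files, which turns off SSLv2 only and leaves SSLv3 on.
cat > "$WEAK_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    #SSLProtocol all
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF

# Constructed sample: the same file with SSLv3 removed as well.
cat > "$HARDENED_CONF" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF

# Report one line per config file.
report() {
    for f in "$@"; do
        if sslv3_disabled "$f"; then
            printf '%s: SSLv3 disabled (SSLProtocol %s)\n' "$f" "$(effective_sslprotocol "$f")"
        else
            printf '%s: SSLv3 ENABLED (SSLProtocol %s)\n' "$f" "$(effective_sslprotocol "$f")"
        fi
    done
}

report "$WEAK_CONF" "$HARDENED_CONF"
```

Run it against the real file (`sslv3_disabled /etc/httpd/conf.d/ssl.conf`) after editing, then `apachectl configtest` and a graceful restart; `sslv3_refused_by your.host` confirms the change from the outside where the local OpenSSL can still speak SSLv3. The check deliberately treats a missing directive as "not proven disabled", since what is effective then is whatever the installed mod_ssl compiles in rather than anything visible in the file.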