Why You Can Still Connect to Apache Tomcat over TLS 1 Despite Disabling It
Author: vlogize
Uploaded: 2025-10-05
Views: 0
Description:
Learn why, after disabling TLS 1 in your Apache Tomcat configuration, OpenSSL s_client can still appear to connect, and what is actually happening underneath.
---
This video is based on the question https://stackoverflow.com/q/63909891/ asked by the user 'MkDwonderer' ( https://stackoverflow.com/u/6272008/ ) and on the answer https://stackoverflow.com/a/63910957/ provided by the user 'Matt Caswell' ( https://stackoverflow.com/u/1946679/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: disabled tls1 in apache-tomcat but can still connect with openssl s_client, why?
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Understanding TLS Connections in Apache Tomcat
In the world of web applications, security is paramount. As we try to reinforce security standards, disabling older protocols like TLS 1.0 is a common step. However, some users find unexpected behavior even after making these changes. If you've recently disabled TLS 1.0 in your Apache Tomcat configuration but are still able to connect using openssl s_client, you may be wondering: why is this happening? Let’s delve into the issue and explore the solution together.
The Configuration Setup
You might have configured your Tomcat server to limit the SSL/TLS versions like this:
[[See Video to Reveal this Text or Code Snippet]]
In this configuration, you've specified that only TLS versions 1.2 and 1.3 should be used for secure connections. The expectation is that all attempts to connect using TLS 1.0 would be denied. Yet, the results can be surprising. Let’s break this down further.
Testing with OpenSSL
Using the OpenSSL command line tool, you might have tried the following command to force a connection using TLS 1.0:
[[See Video to Reveal this Text or Code Snippet]]
Surprisingly, the output opens with a CONNECTED line, which looks like a successful connection, yet a few lines later it shows an error message stating:
[[See Video to Reveal this Text or Code Snippet]]
What Does This Error Message Mean?
The connection appears to succeed at first, but the error message reports a failure in the TLS handshake, specifically a version mismatch. Here is the sequence:
Initial Connection: openssl s_client opens a TCP connection to the port, and Tomcat accepts it. The CONNECTED line reports only this TCP step; no TLS record has been exchanged yet.
Handshake Failure: s_client then sends a TLS 1.0 ClientHello. The server does not support that version and rejects it, and OpenSSL reports the failed handshake as "wrong version number".
Why Is This Happening?
The key points to understand here are:
Behavior During Handshake: A TCP connection to an open port is established regardless of which TLS versions the server allows; the protocol restriction is only enforced once the server sees the ClientHello and negotiates (or refuses) the SSL/TLS parameters.
Protocol Handling: Disabling TLS 1 in Apache Tomcat correctly prevents that protocol from being negotiated. OpenSSL has no way of knowing the server's policy before the handshake starts, so it connects, offers TLS 1.0, and only then learns that the version is refused.
Misleading Connection Results: The CONNECTED line is therefore not evidence that a TLS session was established. The actual security negotiation fails, the server rejects the TLS 1.0 ClientHello, and OpenSSL prints the error you saw; no TLS 1.0 session ever exists.
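The check the two sections above point to, as an added example that is not part of the original question or answer: a small POSIX shell script that classifies `openssl s_client` output by the handshake outcome rather than by the CONNECTED line, plus a wrapper to probe a live server one protocol version at a time. The two sample outputs, the host name `tomcat.example.test` and the cipher name are constructed for illustration, and the parsing assumes the summary format printed by OpenSSL 1.1.x and 3.x (`New, <proto>, Cipher is <cipher>`).

```shell
#!/bin/sh
# Added example (not part of the original question or answer): judge an
# `openssl s_client` run by its handshake outcome instead of by its first line.
#
# s_client prints `CONNECTED(...)` as soon as the TCP connection is up, before
# a single TLS record has been sent, so that line says nothing about which
# protocol versions the server accepts. The handshake result appears later:
# a completed handshake prints `New, TLSv1.2, Cipher is <cipher>`, a rejected
# one prints `New, (NONE), Cipher is (NONE)` together with the OpenSSL error
# (for example `wrong version number`). The SSL-Session summary still shows
# `Protocol : TLSv1` after a failure, because that is the version the client
# asked for, so the `Protocol` line is not proof of anything either.

# classify_s_client_output: reads s_client output on stdin and prints one of
#   "negotiated <version>"  handshake completed with that protocol version
#   "refused"               TCP connected, but the TLS handshake was rejected
#   "no-connection"         the TCP connection itself failed
#   "undetermined"          CONNECTED seen, but no recognisable summary
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *'CONNECTED('*) ;;
        *) echo "no-connection"; return 0 ;;
    esac
    # Only a completed handshake yields a real cipher name on the "New," line.
    ver=$(printf '%s\n' "$out" \
        | sed -n 's/^New, \([A-Za-z0-9./]*\), Cipher is [^(].*$/\1/p' | head -n 1)
    if [ -n "$ver" ]; then
        echo "negotiated $ver"
    elif printf '%s\n' "$out" | grep -q -e ':error:' -e 'Cipher is (NONE)'; then
        echo "refused"
    else
        echo "undetermined"
    fi
}

# probe_tls_version HOST PORT tls1|tls1_1|tls1_2|tls1_3
# Live probe (needs network and an openssl binary). `</dev/null` closes the
# session right after the handshake; `2>&1` merges the error lines, which go
# to stderr, with the summary on stdout so both reach the classifier.
probe_tls_version() {
    openssl s_client -connect "$1:$2" "-$3" </dev/null 2>&1 \
        | classify_s_client_output
}

# Constructed, abridged sample outputs (not captured from a real server) in the
# OpenSSL 1.1.x format: a TLS 1.0 attempt rejected by a server that only offers
# TLS 1.2/1.3, then a successful TLS 1.2 handshake against the same server.
SAMPLE_REFUSED=$(cat <<'EOF'
CONNECTED(00000003)
139716385170752:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
SSL handshake has read 5 bytes and written 173 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
)

SAMPLE_NEGOTIATED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = tomcat.example.test
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = tomcat.example.test
   i:CN = tomcat.example.test
---
SSL handshake has read 1467 bytes and written 413 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
---
EOF
)

# Stand-alone run: classify both samples; pass HOST PORT PROTO to probe a server.
printf 'tls1 sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_REFUSED" | classify_s_client_output)"
printf 'tls1_2 sample -> %s\n' "$(printf '%s\n' "$SAMPLE_NEGOTIATED" | classify_s_client_output)"
if [ "$#" -eq 3 ]; then
    printf '%s:%s %s -> %s\n' "$1" "$2" "$3" "$(probe_tls_version "$1" "$2" "$3")"
fi
```

Run it with no arguments to classify the embedded samples, or with `host port tls1` (then `tls1_1`, `tls1_2`, `tls1_3`) to probe a server: a Tomcat restricted to TLS 1.2 and 1.3 should report `refused` for `tls1` and `tls1_1` and `negotiated TLSv1.2` / `negotiated TLSv1.3` for the rest. The classifier deliberately ignores the CONNECTED line and the `Protocol :` summary line for the reasons above; s_client's exit status is a useful second signal, but the cipher on the `New,` line is the evidence that a session was actually established.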
Conclusion: Key Takeaways
Disabling TLS 1 in your Apache Tomcat server works as expected. OpenSSL's CONNECTED line is misleading only because it reports the TCP connection, which succeeds independently of any TLS policy; the TLS 1.0 handshake that follows is refused.
When testing secure communication settings, judge the result by the handshake outcome (the negotiated protocol and cipher, or the error and alert lines), not by the first line of output: a protocol restriction like "no TLS 1.0" is enforced at the handshake level, not at connect time.
By recognizing these nuances, you'll deepen your understanding of how secure connections operate and ensure your server configurations reinforce the best possible security practices.
If you have any more questions or need further clarification on this topic, feel free to reach out for more assistance!