How to configure SSL protocols

This topic describes how to disable specific SSL protocols, such as TLS1 and/or TLS1.1, on Tomcat 10.

1.71 update

From version 1.71, users can click Admin → SSL and check any of the boxes related to Restrict TLS. Checking a protocol's box enables that protocol.

We recommend that you enable TLSv1.2 and above, as earlier protocols have known weaknesses. If you do not check any boxes, any protocol can be used.

You can manually add a TLS selection in /etc/tomcat/server.xml if you wish. After a server restart, that TLS selection will be visible in the SSL UI menu.

:::info{title='Note'} Any manually added TLS protocols must be supported by Java and must be spelled correctly in /etc/tomcat/server.xml. :::

Getting started

Configuration of supported SSL protocols can be managed via updates to a specific configuration file on the Matillion ETL instance. The configuration updates are based on Tomcat's SSL configuration settings documented here.

:::info{title='Note'}

The file that needs to be edited is /etc/tomcat/server.xml.
The properties mentioned are case-sensitive. Default server.xml files have this property defined, which isn't the same as below because of case sensitivity: sslProtcol="TLS".
Tomcat needs to be restarted after making changes to the server.xml file. :::

For these instructions, a default Matillion ETL configuration is assumed. An example of a default Matillion ETL configuration looks like the block below:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<GlobalNamingResources>
<Resource auth="Container" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase" pathname="conf/tomcat-users.xml" readonly="false" type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector SSLEnabled="true" clientAuth="false" maxPostSize="10485760" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" secure="true" sslProtocol="TLS">
<SSLHostConfig>
<Certificate certificateFile="${catalina.base}/conf/localhost.crt" certificateKeyFile="${catalina.base}/conf/localhost.key"/>
</SSLHostConfig>
</Connector>
<Engine defaultHost="localhost" name="Catalina">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm">
<CredentialHandler algorithm="SHA-512" className="org.apache.catalina.realm.MessageDigestCredentialHandler"/>
</Realm>
</Realm>
<Host appBase="webapps" autoDeploy="false" name="localhost" unpackWARs="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log" suffix=".txt"/>
</Host>
</Engine>
</Service>
</Server>

To allow only the TLSv1.2 protocol, update the configuration file at: /etc/tomcat/server.xml:
Replace <SSLHostConfig> with <SSLHostConfig protocols="TLSv1.2">.
Save the change and then restart Tomcat.

To restart from an SSH session:

Run sudo service tomcat stop.
Then run sudo service tomcat start.

To restart from the Matillion ETL UI:

Click Admin → Restart Server
Click Yes.

Confirm disabled protocols

To confirm that TLS 1 has been disabled, run the following command:

openssl s_client -connect localhost:8443 -tls1

To confirm that TLS 1.1 has been disabled, run the following command:

openssl s_client -connect localhost:8443 -tls1_1

Both commands should return outputs of this kind:

[centos@ip-172-31-32-213 ~]$ openssl s_client -connect localhost:8443 -tls1_1
CONNECTED(00000003)
140677227890576:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
140677227890576:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1610388404
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Validate that TLS 1.2 is still enabled

To validate that TLS 1.2 remains enabled, run the following command:

openssl s_client -connect localhost:8443 -tls1_2

The output of this command should return an SSL certificate, and look like this:

CONNECTED(00000003)
depth=0 C = GB
verify error:num=18:self signed certificate
verify return:1
depth=0 C = GB
verify error:num=10:certificate has expired
notAfter=Jun  8 14:27:19 2020 GMT
verify return:1
depth=0 C = GB
notAfter=Jun  8 14:27:19 2020 GMT
verify return:1
---
Certificate chain
 0 s:/C=GB
   i:/C=GB
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC7TCCAdWgAwIBAgIJAMsPhhsmv/jdMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
BAYTAkdCMB4XDTIwMDUwOTE0MjcxOVoXDTIwMDYwODE0MjcxOVowDTELMAkGA1UE
BhMCR0IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDkDA80QKNRRGW
yc7KJuOuq96j7LtJFcHFPDqU0F4gUAoHaim39YtqCQSWXwd4eCBFVv9v3UWX+cS0
dFOe8AT0eeAzeAxfzE1LC3yT2H+3ALq55/CLSQxIPrQ9U+uPY9+p/duJ7IF6bJJM
DXGZ1ua0u4UbNc1EB9pkN6jO/iCAvB2CLQC6Gyi6+8yCFzZ14HJmHtaEbYpey0BA
3cm2y4FQCU3AqfVJk0k4E21Go1y8Dj59gr/dsk2A3KQXB3SdKgVZyc6r4GctQavV
Do4SfXAAHvkHFXVBOQtNvukb+SNf+0XoRytVkzDoTZ6+lkmvVvryVQOrRT3gu5R/
X7dh4iJ/AgMBAAGjUDBOMB0GA1UdDgQWBBRyiAZrwV50C6AxabY6e55QIS1i6jAf
BgNVHSMEGDAWgBRyiAZrwV50C6AxabY6e55QIS1i6jAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQCdrlJbeDgmjpKaexXGU6tn2xQjtyz4xQGmHkcwjLzp
cW3Ixo+DwKKQaHDRhqyrKXGEU7Vbe1rXfX6ouF5z5vutLri4N0WHhZ12O8WI3SqX
kfQhIs+F8vY0a6Ua+aiiymXa05NA9P8xu5rO1R48xDvJ+lTGODYUGBQxLcr7eZ2M
UVFtPabu8b4h9UjcnxffU7MMS5Xu1Ag16aWw3CtEi/JOtkRvJr1RQ+wrn2uWJ/tv
VaNmNZ3J+HktX+IrRsTYcQiHu/JJ0A3m3TL1HB7jZVQ4BO54iXHhvZdAuXqCfhuL
f9YOWQ5g+H6ECOdwCvu+q1aGEV+yRzch1YA2Vah/2yJQ
-----END CERTIFICATE-----
subject=/C=GB
issuer=/C=GB
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1428 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 8F50EEEAF9F8C0F4FF8F09FF20A3850FDAC04B9EE6FD3C18896E666022E200FE
    Session-ID-ctx: 
    Master-Key: 59B6EB386A6A5CB4BA533DE73BEE8A1AE21056F50C67392ACD83EEFCD920B39F295B4D40E00148B5271AB31DA46BECD9
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 96 2b 0d ce 60 78 29 a0-1e fd f0 d0 38 2a ef f4   .+..`x).....8*..
    0010 - 62 ea ec 77 98 bf 2e 87-f8 aa bc ce 74 1f 12 47   b..w........t..G
    0020 - ab b4 47 c4 3f 44 f5 07-76 2d 15 b9 14 a0 9f 52   ..G.?D..v-.....R
    0030 - 39 b8 f0 d3 64 3a 66 d4-01 68 df b4 de b2 97 97   9...d:f..h......
    0040 - a7 a5 f5 59 1f df 0b a4-2b ad 90 d7 15 67 c9 ba   ...Y....+....g..
    0050 - ae 52 89 a9 24 dc a6 01-3c 44 dd 12 a5 02 79 1d   .R..$...<D....y.
    0060 - d1 a9 12 88 f9 61 e4 bc-22 4c 6f 2d 1a 86 ce b8   .....a.."Lo-....
    0070 - bb 34 56 65 34 3b e8 5e-7d 49 60 05 a6 45 92 30   .4Ve4;.^}I`..E.0
    0080 - dc ca a1 0e 0c 94 a5 3d-bb 1a 83 cf ac 3f 89 83   .......=.....?..
    0090 - 49 80 b8 3b 4e 77 f4 a4-7e 13 82 f4 e0 d9 9f c9   I..;Nw..~.......
    00a0 - 3b 64 b1 a4 ec dc de e5-aa 7b 70 df 75 03 c4 4d   ;d.......{p.u..M
    Start Time: 1610388589
    Verify return code: 10 (certificate has expired)
---

For more information, read the Apache Tomcat 10 documentation.

Versions older than 1.69 of Matillion ETL

If you're using a version before 1.69—likely running Tomcat 8 rather than Tomcat 10—see the below instructions.

Tomcat uses two different implementations of SSL:

The JSSE implementation that's provided as part of the Java runtime (since 1.4).
The APR implementation, which uses the OpenSSL engine by default.

Configuration details depend on the implementation being used.

:::info{title='Note'}

The file that needs to be edited is /etc/tomcat/server.xml.
The properties mentioned are case-sensitive. Default server.xml files have this property defined, which isn't the same as below because of case sensitivity: sslProtcol="TLS".
Tomcat needs to be restarted after making changes to the sever.xml file. :::

For these instructions, the APR implementation is required. Make sure the SSLEngine attribute is set to a value other than off. The default value is on. If you wish to specify another value, that value must be a valid engine name.

An example of APR configuration looks like the block below.

<Connector SSLCertificateFile="${catalina.base}/conf/localhost.crt" SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" SSLEnabled="true" clientAuth="false" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" SSLProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" />

Contact support

If you require additional assistance disabling or enabling SSL protocols, read Getting Support.