Shibboleth IdP Environments Updated: Tomcat 8.5

Created by Baron Fujimoto
Oct 04, 2018
1 min read

The Shibboleth IdP environments (idp.hawaii.edu, idp-test.its.hawaii.edu) have been updated.

  •  Tomcat has been updated from 8.0.50 to 8.5.34

This is a somewhat significant update for the Java Servlet Container that the IdP application runs in. The Tomcat 8.0.x track is scheduled for EOL 2018-06-30.

This version supports TLSv1.1 and TLSv1.2. Notably, TLSv1.0 was previously supported, but is not in this update.

(warning) Some testers who've encountered handshake protocol errors following previous Tomcat upgrades have resolved the problem with the following (or equivalent) in their client configuration:

  • Tomcat
    • -Dhttps.protocols=TLSv1,TLSv1.2,TLSv1.1
      • As long you have at least one of the supported protocols (TLSv1.2,TLSv1.1) it should work
      • TLSv1 above is Tomcat's configuration string for TLSv1.0 (ignored by this update to our Tomcat)
  • PHP:

    • Set CURLOPT_SSLVERSION to 5 or 6 (or do not set CURLOPT_SSLVERSION)

      reported successful configuration change

      // curl_setopt($ch, CURLOPT_SSLVERSION, 4);
      // curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

    • PHP documentation recommends not setting CURLOPT_SSLVERSION

      • Comments suggest, "CURL_SSLVERSION_TLSv1_1 (5) or CURL_SSLVERSION_TLSv1_2 (6) only work for PHP versions using curl 7.34 or newer"
  • (info) Consider deprecating TLSv1.0 in your client configurations if possible

The following ciphers are supported as determined by SSL Labs' SSL server test:

TLS 1.2 (suites in server-preferred order)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS 1.1 (suites in server-preferred order)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA