From 9cae529e0fefc48360315b929d9d70192aaed304 Mon Sep 17 00:00:00 2001
From: Terry Fleury <tfleury@illinois.edu>
Date: Mon, 1 Feb 2021 13:51:27 -0600
Subject: [PATCH 1/3] Configure Tomcat to require TLS v1.2 as proposed in the
 InCommon Baseline Expectations 2.0
 (https://spaces.at.internet2.edu/x/4YbVCQ).

---
 container_files/tomcat/server.xml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/container_files/tomcat/server.xml b/container_files/tomcat/server.xml
index 36a4e81..c2d61d3 100644
--- a/container_files/tomcat/server.xml
+++ b/container_files/tomcat/server.xml
@@ -4,12 +4,18 @@
   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
 
   <Service name="Catalina">
-<Connector
+
+    <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
-          scheme="https" secure="true" SSLEnabled="true"
-          keystoreFile="/opt/certs/keystore.jks" keystorePass="password"
-          clientAuth="false" sslProtocol="TLS"/>
+          scheme="https" secure="true" SSLEnabled="true">
+      <SSLHostConfig protocols="TLSv1.2">
+        <Certificate
+          certificateKeystoreFile="/opt/certs/keystore.jks" 
+          certificateKeystorePassword="password" />
+      </SSLHostConfig>
+    </Connector>
+
     <Engine name="Catalina" defaultHost="localhost">
 
       <Host name="localhost"  appBase="webapps"

From 40713b4bf7190ce2c48754c1e5ae070572541016 Mon Sep 17 00:00:00 2001
From: Terry Fleury <tfleury@illinois.edu>
Date: Mon, 1 Feb 2021 15:48:50 -0600
Subject: [PATCH 2/3] Also enable TLSv1.3.

---
 container_files/tomcat/server.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/container_files/tomcat/server.xml b/container_files/tomcat/server.xml
index c2d61d3..ad10359 100644
--- a/container_files/tomcat/server.xml
+++ b/container_files/tomcat/server.xml
@@ -9,7 +9,7 @@
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
-      <SSLHostConfig protocols="TLSv1.2">
+      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
         <Certificate
           certificateKeystoreFile="/opt/certs/keystore.jks" 
           certificateKeystorePassword="password" />

From 3cc7b384037cfef4c648c82f7aca274e46a9c4a8 Mon Sep 17 00:00:00 2001
From: Terry Fleury <tfleury@illinois.edu>
Date: Mon, 1 Feb 2021 16:18:41 -0600
Subject: [PATCH 3/3] Add ciphers as recommended by
 https://ssl-config.mozilla.org/ .

---
 container_files/tomcat/server.xml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/container_files/tomcat/server.xml b/container_files/tomcat/server.xml
index ad10359..f25cad4 100644
--- a/container_files/tomcat/server.xml
+++ b/container_files/tomcat/server.xml
@@ -6,14 +6,19 @@
   <Service name="Catalina">
 
     <Connector
-          protocol="org.apache.coyote.http11.Http11NioProtocol"
-          port="443" maxThreads="200"
-          scheme="https" secure="true" SSLEnabled="true">
-      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
+        protocol="org.apache.coyote.http11.Http11NioProtocol"
+        port="443" maxThreads="200"
+        scheme="https" secure="true" SSLEnabled="true">
+      <SSLHostConfig
+          ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+          disableSessionTickets="true"
+          honorCipherOrder="false"
+          protocols="TLSv1.2,TLSv1.3">
         <Certificate
-          certificateKeystoreFile="/opt/certs/keystore.jks" 
-          certificateKeystorePassword="password" />
+            certificateKeystoreFile="/opt/certs/keystore.jks" 
+            certificateKeystorePassword="password" />
       </SSLHostConfig>
+      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
     </Connector>
 
     <Engine name="Catalina" defaultHost="localhost">