Posted to users@tomcat.apache.org by "SCHWING, CHUCK" <cs...@att.com> on 2023/08/09 17:58:05 UTC

Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Hi -

I've looked for the answer to this online and maybe I didn't read closely enough.
I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the same TLS version is defined in my server.xml in my SSLHostConfig:
    sslProtocol="TLS"
    protocols="TLSv1.2"

My question is:  What's the precedence in play?  Does catalina.sh override server.xml or is it the other way around?

We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat 10 to support TLS1.2 and TLS1.3 while we're migrating.

Thanks in advance,
--ccs cs3768@att.com



RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Posted by Brandie Nickey-External <br...@regeneron.com.INVALID>.
Thank you!




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

******************************************************************** 
This e-mail and any attachment hereto, is intended only for use by the addressee(s) named above and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, any dissemination, distribution or copying of this email, or any attachment hereto, is strictly prohibited. If you receive this email in error please immediately notify me by return electronic mail and permanently delete this email and any attachment hereto, any copy of this e-mail and of any such attachment, and any printout thereof. Finally, please note that only authorized representatives of Regeneron Pharmaceuticals, Inc. have the power and authority to enter into business dealings with any third party. 
********************************************************************



RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Brandie,

> -----Original Message-----
> From: Brandie Nickey-External <br...@regeneron.com.INVALID>
> Sent: Thursday, 10 August 2023 18:20
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml
> options
> 
> Hi all,
> 
> Spying on this thread, and I have a little confusion. For me Tomcat is running on a
> Windows server and I wasn't able to find a catalina.sh. I do have a catalina.bat
> though.... Does anyone know if this is supposed to be the equivalent of the .sh
> file, just for Windows?
> 
> Thanks,
> Brandie

In general, yes. Just replace .sh with .bat on Windows and you are good to go.



RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Posted by Brandie Nickey-External <br...@regeneron.com.INVALID>.
Hi all,

Spying on this thread, and I have a little confusion. For me Tomcat is running on a Windows server and I wasn't able to find a catalina.sh. I do have a catalina.bat though.... Does anyone know if this is supposed to be the equivalent of the .sh file, just for Windows?

Thanks,
Brandie




RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Posted by "SCHWING, CHUCK" <cs...@att.com>.
Chris -- 

Many thanks for the clarification.  I missed the "client" in the jdk.tls.client.protocols jvm arg.

Regards,
--ccs



Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 8/9/23 13:58, SCHWING, CHUCK wrote:
> I've looked for the answer to this online and maybe I didn't read closely enough.
> I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the same TLS version is defined in my server.xml in my SSLHostConfig:
> sslProtocol="TLS"
> protocols="TLSv1.2"
> 
> My question is:  What's the precedence in play?  Does catalina.sh override server.xml or is it the other way around?
> 
> We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat 10 to support TLS1.2 and TLS1.3 while we're migrating.

The system property you have shown above does not affect the behavior of 
Tomcat at all. This system property affects Java's built-in TLS *client* 
when making /outgoing/ connections.

If you specify "TLSv1.2" and no other protocols, then you will not 
enable TLSv1.3. You should specify:

   protocols="TLSv1.3, TLSv1.2"

in your <SSLHostConfig> in order to enable TLSv1.3 and also accept 
TLSv1.2. Note that for TLSv1.3 there are other requirements, 
specifically a JVM with support if using JSSE or an OpenSSL 
implementation with support if using OpenSSL.

-chris

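The two settings discussed in this thread live in different places, and the following added example (not code from the thread or from the Tomcat project) makes the split concrete in Python. inbound_protocols() reads the protocols attribute of every <SSLHostConfig> in a server.xml document, which is the list the connector enables for incoming connections, and jvm_tls_client_protocols() pulls -Djdk.tls.client.protocols out of a CATALINA_OPTS string, which only shapes outgoing JSSE client connections made with JVM defaults. The server.xml fragments and the options string are constructed for this example; the ","/"+"/"-" token handling follows the Tomcat SSLHostConfig documentation and goes a little beyond the thread, while "all" is left unexpanded because what it expands to depends on the Tomcat version. negotiated_version() is a live check against a running server (the outcome Chris's advice aims at: TLSv1.3 and TLSv1.2 both accepted) and only runs when a host and port are passed on the command line.

```python
"""Added example: where TLS protocol versions are actually decided for a
Tomcat 10.1 JSSE connector. <SSLHostConfig protocols="..."> is what the
connector enables for inbound connections; -Djdk.tls.client.protocols only
changes the defaults for outgoing JSSE client connections. The server.xml
fragments below are constructed for this example, not taken from the thread.
"""
import re
import socket
import ssl
import xml.etree.ElementTree as ET

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the poster's original setting (TLS 1.2 only).
SERVER_XML_BEFORE = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig hostName="_default_" sslProtocol="TLS" protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Constructed sample: the migration setting from the reply (TLS 1.3 and 1.2).
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    'protocols="TLSv1.2"', 'protocols="TLSv1.3, TLSv1.2"')


def expand_protocols(value):
    """Apply Tomcat's token semantics for the 'protocols' attribute: tokens
    are separated by ',', '+' or '-'; ',' and '+' add, '-' removes, working
    left to right from an empty set. 'all' is kept as a literal marker
    because what it expands to depends on the Tomcat version."""
    enabled = set()
    for sep, name in re.findall(r"([,+-]?)\s*([^,+\-\s]+)", value):
        if sep == "-":
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def inbound_protocols(server_xml):
    """Return {(port, hostName): enabled protocol set} for every TLS-enabled
    Connector/SSLHostConfig in a server.xml document."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in conn.findall("SSLHostConfig"):
            key = (conn.get("port"), shc.get("hostName", "_default_"))
            result[key] = expand_protocols(shc.get("protocols", "all"))
    return result


def assess(enabled):
    """Findings for one SSLHostConfig's enabled set; an empty list means it
    accepts TLS 1.3 and carries no legacy version."""
    findings = []
    if "all" in enabled:
        findings.append("uses 'all': confirm what it expands to on this Tomcat version")
    if "TLSv1.3" not in enabled:
        findings.append("TLSv1.3 not enabled")
    legacy = sorted(enabled & LEGACY)
    if legacy:
        findings.append("legacy versions enabled: " + ", ".join(legacy))
    return findings


def jvm_tls_client_protocols(catalina_opts):
    """Extract -Djdk.tls.client.protocols from a CATALINA_OPTS/JAVA_OPTS string.
    Whatever it says only shapes outgoing JSSE client connections made with
    JVM defaults; it does not change the connector's enabled list above."""
    m = re.search(r"-Djdk\.tls\.client\.protocols=([^\s\"']+)", catalina_opts)
    return [p.strip() for p in m.group(1).split(",")] if m else None


def negotiated_version(host, port, version):
    """Live check against a running server (not used by the sample run):
    offer exactly one TLS version and report what was negotiated, or None
    if the server refused it. Certificate verification is disabled on
    purpose because only the protocol answer matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    import sys
    for label, xml in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        for (port, host), enabled in inbound_protocols(xml).items():
            print(f"{label}: port {port} host {host}: {sorted(enabled)} {assess(enabled)}")
    # Constructed options string: the JVM flag from the original question.
    print("JVM client-side setting:",
          jvm_tls_client_protocols("-Xmx2g -Djdk.tls.client.protocols=TLSv1.2"))
    if len(sys.argv) == 3:  # python tls_check.py host port
        for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
            print(v.name, "->", negotiated_version(sys.argv[1], int(sys.argv[2]), v))
```

Run with no arguments to see the before/after assessment of the constructed fragments; run as "python tls_check.py host 8443" (the file name is an assumption) to additionally offer exactly one version per connection, so a connector still on protocols="TLSv1.2" answers TLSv1.2 for the first probe and None for the TLSv1.3 one, and answers both once the list reads "TLSv1.3, TLSv1.2" and the JVM or OpenSSL build behind the connector supports TLS 1.3.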