Posted to users@tomcat.apache.org by Brijesh Deo <bd...@SonicWALL.com> on 2013/03/05 07:09:55 UTC

How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Hi,
Is there a way to make TLS 1.1 required for https connections with a Tomcat server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml, but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

Thanks in advance,
Brijesh



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Brijesh Deo <bd...@SonicWALL.com>.
-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: 06 March 2013 03:58
To: Tomcat Users List
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

2013/3/5 Brijesh Deo <bd...@sonicwall.com>:
> Hi,
> Is there a way to make TLS 1.1 required for https connections with a Tomcat server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml, but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.


1. If you are brave enough to use Java 7, I would recommend using
Tomcat 7.0 with it.
There were a number of fixes in Tomcat connectors to allow use of Java
7, e.g. in 6.0.34.

2. If TLS 1.1 uses different ciphers, maybe you can configure the
list of ciphers to be limited to those ones. (I have not tried, just
an idea.)

3. Beware of issue 54406.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

Best regards,
Konstantin Kolinko


Thanks Konstantin. I am using Java 7 with Tomcat 6.0.32.

-Brijesh



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/3/5 Brijesh Deo <bd...@sonicwall.com>:
> Hi,
> Is there a way to make TLS 1.1 required for https connections with a Tomcat server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml, but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.


1. If you are brave enough to use Java 7, I would recommend using
Tomcat 7.0 with it.
There were a number of fixes in Tomcat connectors to allow use of Java
7, e.g. in 6.0.34.

2. If TLS 1.1 uses different ciphers, maybe you can configure the
list of ciphers to be limited to those ones. (I have not tried, just
an idea.)

3. Beware of issue 54406.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

Best regards,
Konstantin Kolinko



RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Brijesh Deo <bd...@SonicWALL.com>.
-----Original Message-----
From: Igor Cicimov [mailto:icicimov@gmail.com] 
Sent: 05 March 2013 13:22
To: Tomcat Users List
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

On 05/03/2013 5:10 PM, "Brijesh Deo" <bd...@sonicwall.com> wrote:
>
> Hi,
> Is there a way to make TLS 1.1 required for https connections with a Tomcat
server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried
setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml,
but that did not stop TLS 1.0 connections from being accepted. I am not
using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0
to be able to allow only TLS 1.1 connections with https? Please let me know
how to do this.

You need Java 7 for TLS 1.1 and 1.2 as far as I know.

Thanks for the reply Igor. I already have Java 7.

-Brijesh



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Igor,

On 5.3.2013 8:51, Igor Cicimov wrote:
> You need Java 7 for TLS 1.1 and 1.2 as far as I know.

Java 6 supports up to TLSv1.1, and Java 7 up to TLSv1.2.

-Ognjen




Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Igor Cicimov <ic...@gmail.com>.
On 05/03/2013 5:10 PM, "Brijesh Deo" <bd...@sonicwall.com> wrote:
>
> Hi,
> Is there a way to make TLS 1.1 required for https connections with a Tomcat
server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried
setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml,
but that did not stop TLS 1.0 connections from being accepted. I am not
using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0
to be able to allow only TLS 1.1 connections with https? Please let me know
how to do this.

You need Java 7 for TLS 1.1 and 1.2 as far as I know.

Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Chris,

On 8.3.2013 1:25, Christopher Schultz wrote:
>> For Tomcat 6.0.36 it reports:
>>
>> Protocols
>> TLS 1.2     Yes
>> TLS 1.1     Yes
>> TLS 1.0     Yes
>> SSL 3.0     Yes
>> SSL 2.0     No
>>
>>
>> Tomcat 7.0.37:
>>
>> Protocols
>> TLS 1.2     No
>> TLS 1.1     No
>> TLS 1.0     Yes
>> SSL 3.0     Yes
>> SSL 2.0     No
>>
>>
>> I agree, it is strange.
>
> Hmm... I didn't notice any difference in code between Tomcat 6 and 7
> in this regard: maybe someone with a bit more knowledge than I can
> comment...
>
> Are you using APR or anything like that with Tomcat 7?

No, I don't. I'm testing with the out-of-the-box BIO connector.

I found the reason for this behaviour, but I think it is better to move 
the discussion to the dev list, so I'm starting a new thread there, with the subject 
"Tomcat 6 and Tomcat 7 enables different TLS protocols by default".

-Ognjen



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ognjen,

On 3/7/13 3:05 AM, Ognjen Blagojevic wrote:
> I am testing both Tomcat 6.0.36 and 7.0.37 with the same, Oracle,
> JDK 1.7.0_09, on Windows XP SP3.
> 
> I just unpack the zip distribution, uncomment the default HTTPS connector
> (with sslProtocol="TLS" already set), change port 8443 to 443, and
> test with:
> 
> https://www.ssllabs.com/ssltest/
> 
> For Tomcat 6.0.36 it reports:
> 
> Protocols
> TLS 1.2     Yes
> TLS 1.1     Yes
> TLS 1.0     Yes
> SSL 3.0     Yes
> SSL 2.0     No
> 
> 
> Tomcat 7.0.37:
> 
> Protocols
> TLS 1.2     No
> TLS 1.1     No
> TLS 1.0     Yes
> SSL 3.0     Yes
> SSL 2.0     No
> 
> 
> I agree, it is strange.

Hmm... I didn't notice any difference in code between Tomcat 6 and 7
in this regard: maybe someone with a bit more knowledge than I can
comment...

Are you using APR or anything like that with Tomcat 7?

-chris



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Chris,

On 7.3.2013 5:58, Christopher Schultz wrote:
>> Which behavior is right? I prefer how Tomcat 6 is interpreting
>> that attribute -- trying to enable the best possible TLS protocol
>> versions available.
>>
>> OTOH, from Tomcat 7 documents it seems that the value of attribute
>> setProtocol is just passed to JSSE when creating SSLContext. I
>> assume that Tomcat 6 did some pre-processing before passing that
>> attribute to SSLContext.
>
> Are you sure it's not a JVM default and not Tomcat's default? Tomcat's
> default in both situations is "TLS" which may mean different things
> depending upon the JVM configuration.

I am testing both Tomcat 6.0.36 and 7.0.37 with the same, Oracle, JDK 
1.7.0_09, on Windows XP SP3.

I just unpack the zip distribution, uncomment the default HTTPS connector (with 
sslProtocol="TLS" already set), change port 8443 to 443, and test with:

   https://www.ssllabs.com/ssltest/

For Tomcat 6.0.36 it reports:

Protocols
TLS 1.2 	Yes
TLS 1.1 	Yes
TLS 1.0 	Yes
SSL 3.0 	Yes
SSL 2.0 	No


Tomcat 7.0.37:

Protocols
TLS 1.2 	No
TLS 1.1 	No
TLS 1.0 	Yes
SSL 3.0 	Yes
SSL 2.0 	No


I agree, it is strange.

-Ognjen



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ognjen,

On 3/6/13 2:51 AM, Ognjen Blagojevic wrote:
> Chris,
> 
> On 6.3.2013 7:02, Christopher Schultz wrote:
>>> So in Tomcat 7 you might use:
>>> 
>>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>> 
>>> and in Tomcat 6.0.32:
>>> 
>>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>> 
>>> 
>>> It works for me.
>> 
>> Can you file a bug for this? That should be a) documented and b) 
>> accept either "protocol" or "sslEnabledProtocols" to make it
>> line up with Tomcat 7.0.
> 
> Sure, I will. But, before I do, I just want to point out another
> issue here:
> 
> Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and 
> Tomcat 7.0.37 come pre-configured -- enables different groups of 
> protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable
> SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable
> SSLv3 and TLSv1. This is counter-intuitive and might introduce
> problems when upgrading from Tomcat 6 to Tomcat 7.
> 
> Which behavior is right? I prefer how Tomcat 6 is interpreting
> that attribute -- trying to enable the best possible TLS protocol
> versions available.
> 
> OTOH, from Tomcat 7 documents it seems that the value of attribute 
> setProtocol is just passed to JSSE when creating SSLContext. I
> assume that Tomcat 6 did some pre-processing before passing that
> attribute to SSLContext.

Are you sure it's not a JVM default and not Tomcat's default? Tomcat's
default in both situations is "TLS" which may mean different things
depending upon the JVM configuration.

-chris



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Chris,

On 6.3.2013 7:02, Christopher Schultz wrote:
>> So in
>> Tomcat 7 you might use:
>>
>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>
>>
>> It works for me.
>
> Can you file a bug for this? That should be a) documented and b)
> accept either "protocol" or "sslEnabledProtocols" to make it line up
> with Tomcat 7.0.

Sure, I will. But, before I do, I just want to point out another 
issue here:

Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and 
Tomcat 7.0.37 come pre-configured -- enables different groups of 
protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable SSLv3, 
TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable SSLv3 and 
TLSv1. This is counter-intuitive and might introduce problems when 
upgrading from Tomcat 6 to Tomcat 7.

Which behavior is right? I prefer how Tomcat 6 is interpreting that 
attribute -- trying to enable the best possible TLS protocol versions available.

OTOH, from Tomcat 7 documents it seems that the value of attribute 
setProtocol is just passed to JSSE when creating SSLContext. I assume 
that Tomcat 6 did some pre-processing before passing that attribute to 
SSLContext.

WDYT?

-Ognjen




Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Chris,

On 6.3.2013 7:02, Christopher Schultz wrote:
>> It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions)
>> use undocumented attribute for HTTPS connector "protocols". So in
>> Tomcat 7 you might use:
>>
>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>
>>
>> It works for me.
>
> Can you file a bug for this? That should be a) documented and b)
> accept either "protocol" or "sslEnabledProtocols" to make it line up
> with Tomcat 7.0.

Bug report: https://issues.apache.org/bugzilla/show_bug.cgi?id=54691

-Ognjen




Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ognjen,

On 3/5/13 8:29 AM, Ognjen Blagojevic wrote:
> Brijesh,
> 
> On 5.3.2013 11:47, Brijesh Deo wrote:
>> Thanks Ognjen. I tried with -Dhttps.protocols="TLSv1.1" in
>> Tomcat startup but even this doesn’t work with Tomcat 6.0. Looks
>> like upgrading to Tomcat 7.0 seems to be the only way to achieve
>> this easily through configuration in server.xml.
> 
> That was strange, so I started looking where Tomcat 6.0.32 sets
> enabled protocols. Here it is (JSSESocketFactory.java, lines
> 789-791):
> 
> String requestedProtocols = (String) attributes.get("protocols"); 
> setEnabledProtocols(socket, getEnabledProtocols(socket, 
> requestedProtocols));
> 
> It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions)
> use undocumented attribute for HTTPS connector "protocols". So in
> Tomcat 7 you might use:
> 
> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
> 
> and in Tomcat 6.0.32:
> 
> sslProtocol="TLSv1.1" protocols="TLSv1.1"
> 
> 
> It works for me.

Can you file a bug for this? That should be a) documented and b)
accept either "protocol" or "sslEnabledProtocols" to make it line up
with Tomcat 7.0.

-chris



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Brijesh,

On 5.3.2013 11:47, Brijesh Deo wrote:
> Thanks Ognjen. I tried with -Dhttps.protocols="TLSv1.1" in Tomcat startup but even this doesn’t work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 seems to be the only way to achieve this easily through configuration in server.xml.

That was strange, so I started looking where Tomcat 6.0.32 sets enabled 
protocols. Here it is (JSSESocketFactory.java, lines 789-791):

   String requestedProtocols = (String) attributes.get("protocols");
   setEnabledProtocols(socket, getEnabledProtocols(socket,
       requestedProtocols));

It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use 
undocumented attribute for HTTPS connector "protocols". So in Tomcat 7 
you might use:

   sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"

and in Tomcat 6.0.32:

   sslProtocol="TLSv1.1" protocols="TLSv1.1"


It works for me.

-Ognjen



RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Brijesh Deo <bd...@SonicWALL.com>.
-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com] 
Sent: 05 March 2013 16:01
To: users@tomcat.apache.org
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Brijesh,

On 5.3.2013 10:11, Brijesh Deo wrote:
> Thanks for your detailed reply and the explanation. I gave it a quick try, but it doesn't quite work with Tomcat 6.0.32, the version that I am currently using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0, and the attribute "sslEnabledProtocols" is supported in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32? Please let me know.

Indeed, Tomcat 6 doesn't support HTTPS connector parameter 
sslEnabledProtocols.

You could try to limit enabled protocols by adding system property 
-Dhttps.protocols="TLSv1.1" in Tomcat startup. That might work for you, 
but I didn't test it.

-Ognjen


Thanks Ognjen. I tried with -Dhttps.protocols="TLSv1.1" in Tomcat startup, but even this doesn't work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 is the only way to achieve this easily through configuration in server.xml.

Thanks again.
-Brijesh

Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Brijesh,

On 5.3.2013 10:11, Brijesh Deo wrote:
> Thanks for your detailed reply and the explanation. I gave it a quick try, but it doesn't quite work with Tomcat 6.0.32, the version that I am currently using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0, and the attribute "sslEnabledProtocols" is supported in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32? Please let me know.

Indeed, Tomcat 6 doesn't support HTTPS connector parameter 
sslEnabledProtocols.

You could try to limit enabled protocols by adding system property 
-Dhttps.protocols="TLSv1.1" in Tomcat startup. That might work for you, 
but I didn't test it.

-Ognjen



RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Brijesh Deo <bd...@SonicWALL.com>.
-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com] 
Sent: 05 March 2013 13:59
To: users@tomcat.apache.org
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connections with a Tomcat server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml, but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols 
are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need 
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may 
enable it by specifying sslEnabledProtocols parameter. E.g.

   sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.

-Ognjen

Hi Ognjen,
Thanks for your detailed reply and the explanation. I gave it a quick try, but it doesn't quite work with Tomcat 6.0.32, the version that I am currently using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0, and the attribute "sslEnabledProtocols" is supported in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32? Please let me know.

Thanks,
Brijesh



Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Posted by Ognjen Blagojevic <og...@gmail.com>.
Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connections with a Tomcat server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml, but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols 
are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need 
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may 
enable it by specifying sslEnabledProtocols parameter. E.g.

   sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.

-Ognjen
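As an added example, not code from this thread, from Tomcat or from Ognjen: a small Java program that reproduces with plain JSSE the two points made above, that the name passed to SSLContext.getInstance() (Tomcat's sslProtocol) only selects which versions are enabled by default, and that restricting the handshake needs setEnabledProtocols() (Tomcat 7's sslEnabledProtocols, or the undocumented protocols attribute Ognjen found in 6.0.32). The class name, the list of context names and the filtering rule in restrictTo() are my own assumptions, not Tomcat's implementation.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/*
 * Added example (not Tomcat code). Shows why sslProtocol="TLSv1.1" on its own
 * does not stop TLS 1.0: the SSLContext name only decides the default-enabled
 * set, and an explicit setEnabledProtocols() call is what actually restricts it.
 */
public class JsseProtocolCheck {

    /** Protocols a context created from this name enables unless overridden. */
    static List<String> defaultEnabled(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);   // default key/trust managers suffice for this check
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /**
     * Assumed equivalent of sslEnabledProtocols: keep only the requested versions
     * that the context supports, apply them, and return what the engine is left with.
     * (Tomcat's own getEnabledProtocols() is not reproduced here.)
     */
    static List<String> restrictTo(String contextName, String... requested) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> keep = new ArrayList<>();
        for (String p : requested) {
            if (supported.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalArgumentException("none of " + Arrays.toString(requested)
                    + " is supported by context " + contextName);
        }
        engine.setEnabledProtocols(keep.toArray(new String[0]));
        return Arrays.asList(engine.getEnabledProtocols());
    }

    public static void main(String[] args) throws Exception {
        // Same context names Ognjen tabulated; the output on your JDK is the real table.
        for (String name : new String[] {"TLS", "TLSv1.2", "TLSv1.1", "TLSv1", "SSL", "SSLv3"}) {
            try {
                System.out.printf("%-8s default enabled: %s%n", name, defaultEnabled(name));
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-8s not available in this JDK%n", name);
            }
        }
        // sslProtocol="TLSv1.1" alone still leaves TLSv1 on (see the table above);
        // this call is what sslEnabledProtocols="TLSv1.1" adds.
        System.out.println("TLSv1.1 context, restricted: " + restrictTo("TLSv1.1", "TLSv1.1"));
        // Current JDKs list TLSv1 and TLSv1.1 in jdk.tls.disabledAlgorithms (java.security);
        // a version that is "enabled" but disabled there still fails the handshake, so
        // a protocol check is incomplete without reading this property as well.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it with the same JDK Tomcat runs on: the first block reproduces the per-name default table for that JDK, and the last line shows versions the JDK refuses regardless of connector configuration.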

