Chuck,

On 8/9/23 13:58, SCHWING, CHUCK wrote:
> I've looked for the answer to this online and maybe I didn't read closely
> enough.
> I'm running Tomcat 10.1 with JDK17.0.6 and have defined a JVM startup option of
> "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the same TLS
> version is defined in my server.xml in my SSLHostConfig:
>
>   sslProtocol="TLS"
>   protocols="TLSv1.2"
>
> My question is: What's the precedence in play? Does catalina.sh override
> server.xml or is it the other way around?
>
> We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat
> 10 to support TLS1.2 and TLS1.3 while we're migrating.

The system property you have shown above does not affect the behavior of Tomcat at all. This system property affects Java's built-in TLS *client* when making /outgoing/ connections.

If you specify "TLSv1.2" and no other protocols, then you will not enable TLSv1.3. You should specify:

  protocols="TLSv1.3, TLSv1.2"

in your <SSLHostConfig> in order to enable TLSv1.3 and also accept TLSv1.2. Note that for TLSv1.3 there are other requirements, specifically a JVM with support if using JSSE or an OpenSSL implementation with support if using OpenSSL.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
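Added example, not part of the thread above and not Tomcat's own code: a small Python model of the point Chris makes about the SSLHostConfig `protocols` attribute. A server built from the string "TLSv1.2" refuses a TLS 1.3 client, while "TLSv1.3, TLSv1.2" serves both; Python's ssl module stands in for the JSSE connector here. The `probe()` function is the practical check: pointed at a real Tomcat host and port (instead of the local stand-in) it reports which version a single-version client negotiates, which is how to confirm that a migration to "TLSv1.3, TLSv1.2" actually took effect. Assumptions: the `openssl` CLI is on PATH to mint a throwaway self-signed certificate, and the `protocols` parsing only understands the two literal names (Tomcat's "all" alias and +/- prefixes are deliberately not modelled).

```python
"""Added example (not from the thread, not Tomcat code): how a server's enabled
TLS versions, set the way Tomcat's SSLHostConfig `protocols` attribute does,
decide what single-version clients can negotiate. Assumes the `openssl` CLI
is available to generate a throwaway self-signed certificate."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Simplified mapping of the Tomcat `protocols` names this example understands.
# Tomcat also accepts "all" and +/- prefixes; those are not modelled here.
_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _make_self_signed_cert(directory):
    """Mint a one-day self-signed RSA cert/key for 'localhost' (test use only)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost", "-days", "1"],
        check=True, capture_output=True,
    )
    return cert, key


def server_context(cert, key, protocols):
    """Build a server SSLContext enabling exactly the versions named in a
    Tomcat-style comma-separated string such as "TLSv1.3, TLSv1.2"."""
    enabled = [_VERSIONS[p.strip()] for p in protocols.split(",") if p.strip()]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.minimum_version = min(enabled)
    ctx.maximum_version = max(enabled)
    return ctx


def probe(host, port, version, timeout=5.0):
    """Client-side check: insist on a single TLS version and return the
    negotiated version string ("TLSv1.2"/"TLSv1.3"), or None if the server
    refuses the handshake. Usable against a real Tomcat connector too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # the stand-in server uses a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def _serve(listener, ctx, count):
    """Accept `count` connections, attempt the TLS handshake on each, close."""
    for _ in range(count):
        try:
            conn, _ = listener.accept()
        except OSError:
            return  # accept timed out; the client gave up
        try:
            ctx.wrap_socket(conn, server_side=True).close()
        except (ssl.SSLError, OSError):
            conn.close()  # handshake refused, e.g. client demanded a disabled version


def negotiated_versions(protocols):
    """Run a local server restricted to `protocols` and report what each
    single-version client negotiates: {"TLSv1.2": ..., "TLSv1.3": ...}."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = _make_self_signed_cert(tmp)
        ctx = server_context(cert, key, protocols)
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))
        listener.listen(len(_VERSIONS))
        listener.settimeout(5.0)
        port = listener.getsockname()[1]
        worker = threading.Thread(
            target=_serve, args=(listener, ctx, len(_VERSIONS)), daemon=True)
        worker.start()
        results = {name: probe("127.0.0.1", port, ver)
                   for name, ver in _VERSIONS.items()}
        worker.join(10.0)
        listener.close()
        return results


if __name__ == "__main__":
    print('protocols="TLSv1.2":          ', negotiated_versions("TLSv1.2"))
    print('protocols="TLSv1.3, TLSv1.2": ', negotiated_versions("TLSv1.3, TLSv1.2"))
```

Against a live Tomcat, call `probe("tomcat.example.internal", 8443, ssl.TLSVersion.TLSv1_3)` (hostname and port are placeholders) once from a host that is not the Tomcat machine; the JVM's `jdk.tls.client.protocols` setting plays no part in what this probe sees, because it only constrains Java's own outgoing TLS connections.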