Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Chris,

On 6.3.2013 7:02, Christopher Schultz wrote:
>> It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use undocumented attribute for HTTPS connector "protocols".
>>
>> So in Tomcat 7 you might use:
>>
>>   sslProtocol="TLSv1.1"
>>   sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>>   sslProtocol="TLSv1.1"
>>   protocols="TLSv1.1"
>>
>> It works for me.
>
> Can you file a bug for this? That should be a) documented and b) accept either "protocol" or "sslEnabledProtocols" to make it line up with Tomcat 7.0.

Bug report: https://issues.apache.org/bugzilla/show_bug.cgi?id=54691

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Chris,

On 8.3.2013 1:25, Christopher Schultz wrote:
>> For Tomcat 6.0.36 it reports:
>>
>>   Protocols
>>   TLS 1.2   Yes
>>   TLS 1.1   Yes
>>   TLS 1.0   Yes
>>   SSL 3.0   Yes
>>   SSL 2.0   No
>>
>> Tomcat 7.0.37:
>>
>>   Protocols
>>   TLS 1.2   No
>>   TLS 1.1   No
>>   TLS 1.0   Yes
>>   SSL 3.0   Yes
>>   SSL 2.0   No
>>
>> I agree, it is strange.
>
> Hmm... I didn't notice any difference in code between Tomcat 6 and 7 in this regard: maybe someone with a bit more knowledge than I can comment...
>
> Are you using APR or anything like that with Tomcat 7?

No, I don't. I'm testing with the out-of-the-box BIO connector.

I found the reason for this behaviour, but I think it is better to move the discussion to the dev list, so I'm starting a new thread there, with subject "Tomcat 6 and Tomcat 7 enables different TLS protocols by default".

-Ognjen
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Chris,

On 7.3.2013 5:58, Christopher Schultz wrote:
>> Which behavior is right? I prefer how Tomcat 6 is interpreting that attribute -- trying to enable the best possible TLS protocol versions available. OTOH, from Tomcat 7 documents it seems that the value of attribute setProtocol is just passed to JSSE when creating SSLContext. I assume that Tomcat 6 did some pre-processing before passing that attribute to SSLContext.
>
> Are you sure it's not a JVM default and not Tomcat's default? Tomcat's default in both situations is "TLS" which may mean different things depending upon the JVM configuration.

I am testing both Tomcat 6.0.36 and 7.0.37 with the same Oracle JDK 1.7.0_09, on Windows XP SP3. I just unpack the zip distribution, uncomment the default HTTPS connector (with sslProtocol="TLS" already set), change port 8443 to 443, and test with:

  https://www.ssllabs.com/ssltest/

For Tomcat 6.0.36 it reports:

  Protocols
  TLS 1.2   Yes
  TLS 1.1   Yes
  TLS 1.0   Yes
  SSL 3.0   Yes
  SSL 2.0   No

Tomcat 7.0.37:

  Protocols
  TLS 1.2   No
  TLS 1.1   No
  TLS 1.0   Yes
  SSL 3.0   Yes
  SSL 2.0   No

I agree, it is strange.

-Ognjen
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Ognjen,

On 3/7/13 3:05 AM, Ognjen Blagojevic wrote:
> I am testing both Tomcat 6.0.36 and 7.0.37 with the same Oracle JDK 1.7.0_09, on Windows XP SP3. I just unpack the zip distribution, uncomment the default HTTPS connector (with sslProtocol="TLS" already set), change port 8443 to 443, and test with:
>
>   https://www.ssllabs.com/ssltest/
>
> For Tomcat 6.0.36 it reports:
>
>   Protocols
>   TLS 1.2   Yes
>   TLS 1.1   Yes
>   TLS 1.0   Yes
>   SSL 3.0   Yes
>   SSL 2.0   No
>
> Tomcat 7.0.37:
>
>   Protocols
>   TLS 1.2   No
>   TLS 1.1   No
>   TLS 1.0   Yes
>   SSL 3.0   Yes
>   SSL 2.0   No
>
> I agree, it is strange.

Hmm... I didn't notice any difference in code between Tomcat 6 and 7 in this regard: maybe someone with a bit more knowledge than I can comment...

Are you using APR or anything like that with Tomcat 7?

-chris
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Chris,

On 6.3.2013 7:02, Christopher Schultz wrote:
>> So in Tomcat 7 you might use:
>>
>>   sslProtocol="TLSv1.1"
>>   sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>>   sslProtocol="TLSv1.1"
>>   protocols="TLSv1.1"
>>
>> It works for me.
>
> Can you file a bug for this? That should be a) documented and b) accept either "protocol" or "sslEnabledProtocols" to make it line up with Tomcat 7.0.

Sure, I will. But, before I do, I just want to point out another issue here:

Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and Tomcat 7.0.37 come pre-configured -- enables different groups of protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable SSLv3 and TLSv1.

This is counter-intuitive and might introduce problems when upgrading from Tomcat 6 to Tomcat 7.

Which behavior is right? I prefer how Tomcat 6 is interpreting that attribute -- trying to enable the best possible TLS protocol versions available. OTOH, from Tomcat 7 documents it seems that the value of attribute setProtocol is just passed to JSSE when creating SSLContext. I assume that Tomcat 6 did some pre-processing before passing that attribute to SSLContext.

WDYT?

-Ognjen
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Ognjen,

On 3/6/13 2:51 AM, Ognjen Blagojevic wrote:
> Chris,
>
> On 6.3.2013 7:02, Christopher Schultz wrote:
>>> So in Tomcat 7 you might use:
>>>
>>>   sslProtocol="TLSv1.1"
>>>   sslEnabledProtocols="TLSv1.1"
>>>
>>> and in Tomcat 6.0.32:
>>>
>>>   sslProtocol="TLSv1.1"
>>>   protocols="TLSv1.1"
>>>
>>> It works for me.
>>
>> Can you file a bug for this? That should be a) documented and b) accept either "protocol" or "sslEnabledProtocols" to make it line up with Tomcat 7.0.
>
> Sure, I will. But, before I do, I just want to point out another issue here:
>
> Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and Tomcat 7.0.37 come pre-configured -- enables different groups of protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable SSLv3 and TLSv1.
>
> This is counter-intuitive and might introduce problems when upgrading from Tomcat 6 to Tomcat 7.
>
> Which behavior is right? I prefer how Tomcat 6 is interpreting that attribute -- trying to enable the best possible TLS protocol versions available. OTOH, from Tomcat 7 documents it seems that the value of attribute setProtocol is just passed to JSSE when creating SSLContext. I assume that Tomcat 6 did some pre-processing before passing that attribute to SSLContext.

Are you sure it's not a JVM default and not Tomcat's default? Tomcat's default in both situations is "TLS" which may mean different things depending upon the JVM configuration.

-chris
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may enable it by specifying the sslEnabledProtocols parameter. E.g.

  sslProtocol="SSL"
  sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.

-Ognjen
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Igor,

On 5.3.2013 8:51, Igor Cicimov wrote:
> You need java7 for tls1.1 and 1.2 as far as i know.

Java 6 supports up to TLSv1.1, and Java 7 up to TLSv1.2.

-Ognjen
RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com]
Sent: 05 March 2013 13:59
To: users@tomcat.apache.org
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

> Brijesh,
>
> On 5.3.2013 7:09, Brijesh Deo wrote:
>> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.
>
> HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are enabled by default, e.g. for Oracle JDK 7:
>
> 1) setProtocol="TLS" will enable SSLv3 and TLSv1
> 2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
> 3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
> 4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
> 5) setProtocol="SSL" will enable SSLv3 and TLSv1
> 6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
> 7) setProtocol="SSLv2" won't work
>
> So, in order to restrict available protocols only to TLSv1.1, you need to add parameter sslEnabledProtocols="TLSv1.1" to your connector.
>
> Note that even if some protocol is not enabled by default, you may enable it by specifying the sslEnabledProtocols parameter. E.g.
>
>   sslProtocol="SSL"
>   sslEnabledProtocols="TLSv1.1"
>
> is somewhat confusing, but perfectly legal.
>
> -Ognjen

Hi Ognjen,

Thanks for your detailed reply and the explanation. I gave it a quick try but it doesn't quite work with Tomcat 6.0.32, the version that I am currently using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0 and the attribute sslEnabledProtocols is supported in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32?

Please let me know.

Thanks,
Brijesh
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Brijesh,

On 5.3.2013 10:11, Brijesh Deo wrote:
> Thanks for your detailed reply and the explanation. I gave it a quick try but it doesn't quite work with Tomcat 6.0.32, the version that I am currently using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0 and the attribute sslEnabledProtocols is supported in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32? Please let me know.

Indeed, Tomcat 6 doesn't support HTTPS connector parameter sslEnabledProtocols.

You could try to limit enabled protocols by adding system property -Dhttps.protocols=TLSv1.1 in Tomcat startup. That might work for you, but I didn't test it.

-Ognjen
RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com]
Sent: 05 March 2013 16:01
To: users@tomcat.apache.org
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

> Brijesh,
>
> On 5.3.2013 10:11, Brijesh Deo wrote:
>> Thanks for your detailed reply and the explanation. I gave it a quick try but it doesn't quite work with Tomcat 6.0.32, the version that I am currently using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0 and the attribute sslEnabledProtocols is supported in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32? Please let me know.
>
> Indeed, Tomcat 6 doesn't support HTTPS connector parameter sslEnabledProtocols.
>
> You could try to limit enabled protocols by adding system property -Dhttps.protocols=TLSv1.1 in Tomcat startup. That might work for you, but I didn't test it.
>
> -Ognjen

Thanks Ognjen. I tried with -Dhttps.protocols=TLSv1.1 in Tomcat startup but even this doesn't work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 is the only way to achieve this easily through configuration in server.xml.

Thanks again.
-Brijesh
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Brijesh,

On 5.3.2013 11:47, Brijesh Deo wrote:
> Thanks Ognjen. I tried with -Dhttps.protocols=TLSv1.1 in Tomcat startup but even this doesn't work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 is the only way to achieve this easily through configuration in server.xml.

That was strange, so I started looking where Tomcat 6.0.32 sets enabled protocols. Here it is (JSSESocketFactory.java, lines 789-791):

  String requestedProtocols = (String) attributes.get("protocols");
  setEnabledProtocols(socket, getEnabledProtocols(socket, requestedProtocols));

It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use undocumented attribute for HTTPS connector "protocols".

So in Tomcat 7 you might use:

  sslProtocol="TLSv1.1"
  sslEnabledProtocols="TLSv1.1"

and in Tomcat 6.0.32:

  sslProtocol="TLSv1.1"
  protocols="TLSv1.1"

It works for me.

-Ognjen
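The practical lesson of this thread, and of Ognjen's earlier table of what sslProtocol alone enables, is that sslProtocol does not restrict anything: the restriction comes from sslEnabledProtocols on Tomcat 7 and from the undocumented protocols attribute on Tomcat 6.0.x, and a connector that sets only sslProtocol="TLSv1.1" still accepts TLS 1.0 and SSLv3. The following added lint script (not code from this thread or from Tomcat) reads a server.xml, applies that rule per Tomcat major version, and flags every SSL-enabled connector that would still negotiate a protocol older than the minimum you want. The DEFAULT_ENABLED table is an assumption taken from Ognjen's observations for Oracle JDK 7 (the thread notes Tomcat 6.0.36 enables more for "TLS", but SSLv3 and TLSv1 are present either way, so the findings are the same); the sample server.xml is constructed for the example.

```python
"""Lint Tomcat server.xml HTTPS connectors for TLS protocol restriction.

Added example, not code from the mailing-list thread or from Tomcat.
It encodes the thread's finding about which attribute actually restricts
the negotiable protocol versions on a JSSE (BIO) connector:

  * Tomcat 7.0.x: sslEnabledProtocols
  * Tomcat 6.0.x: the undocumented "protocols" attribute
"""
import xml.etree.ElementTree as ET

# Assumption: what sslProtocol alone enables on Oracle JDK 7, as Ognjen
# listed it in the thread. SSLv2 "won't work" and is deliberately absent.
DEFAULT_ENABLED = {
    "TLS":     {"SSLv3", "TLSv1"},
    "TLSv1.2": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLSv1.1": {"SSLv3", "TLSv1", "TLSv1.1"},
    "TLSv1":   {"SSLv3", "TLSv1"},
    "SSL":     {"SSLv3", "TLSv1"},
    "SSLv3":   {"SSLv3", "TLSv1"},
}

# Which connector attribute is honoured as the protocol whitelist.
RESTRICT_ATTR = {6: "protocols", 7: "sslEnabledProtocols"}

PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def effective_protocols(attrs, tomcat_major):
    """Return the set of protocol versions a JSSE connector will negotiate.

    attrs: the Connector element's attributes as a dict.
    tomcat_major: 6 or 7; the restricting attribute differs between them.
    """
    restrict = attrs.get(RESTRICT_ATTR[tomcat_major])
    if restrict:
        # An explicit whitelist wins, whatever sslProtocol says.
        return {p.strip() for p in restrict.split(",") if p.strip()}
    ssl_protocol = attrs.get("sslProtocol", "TLS")
    if ssl_protocol not in DEFAULT_ENABLED:
        raise ValueError("unknown or unusable sslProtocol: %s" % ssl_protocol)
    return set(DEFAULT_ENABLED[ssl_protocol])


def lint_server_xml(xml_text, tomcat_major, minimum="TLSv1.1"):
    """Return one finding per SSL-enabled connector that would still
    accept a protocol version older than `minimum`."""
    too_old = set(PROTOCOL_ORDER[:PROTOCOL_ORDER.index(minimum)])
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        enabled = effective_protocols(conn.attrib, tomcat_major)
        weak = sorted(enabled & too_old)
        if weak:
            findings.append(
                'port %s: accepts %s; set %s="%s" to restrict'
                % (conn.get("port"), ", ".join(weak),
                   RESTRICT_ATTR[tomcat_major], minimum))
    return findings


# Constructed sample: three HTTPS connectors, each configured a different way.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- sslProtocol alone: the thread shows this does not stop TLS 1.0 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLSv1.1"/>
    <!-- Tomcat 6.0.x style restriction -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLSv1.1"
               protocols="TLSv1.1"/>
    <!-- Tomcat 7.0.x style restriction -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLSv1.1"
               sslEnabledProtocols="TLSv1.1"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for major in (6, 7):
        print("Tomcat %d.0.x:" % major)
        for finding in lint_server_xml(SAMPLE_SERVER_XML, major):
            print("  " + finding)
```

Run against the sample, the Tomcat 6 pass flags ports 8443 and 8445 (the sslEnabledProtocols attribute is ignored there) and the Tomcat 7 pass flags 8443 and 8444 (the protocols attribute is ignored there), which is exactly the upgrade pitfall the thread describes: the same server.xml restricts different connectors depending on the Tomcat major version.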
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Thanks a lot Ognjen for looking into this so extensively. I think I had tried this combination - sslProtocol="SSL" and protocols="TLSv1.1". I will try again with both being TLSv1.1 and then I think it would work.

Thanks again,
Brijesh

Sent from Samsung Mobile

-------- Original message --------
From: Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Date: 05/03/2013 20:00 (GMT+05:30)
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

> Brijesh,
>
> On 5.3.2013 11:47, Brijesh Deo wrote:
>> Thanks Ognjen. I tried with -Dhttps.protocols=TLSv1.1 in Tomcat startup but even this doesn't work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 is the only way to achieve this easily through configuration in server.xml.
>
> That was strange, so I started looking where Tomcat 6.0.32 sets enabled protocols. Here it is (JSSESocketFactory.java, lines 789-791):
>
>   String requestedProtocols = (String) attributes.get("protocols");
>   setEnabledProtocols(socket, getEnabledProtocols(socket, requestedProtocols));
>
> It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use undocumented attribute for HTTPS connector "protocols".
>
> So in Tomcat 7 you might use:
>
>   sslProtocol="TLSv1.1"
>   sslEnabledProtocols="TLSv1.1"
>
> and in Tomcat 6.0.32:
>
>   sslProtocol="TLSv1.1"
>   protocols="TLSv1.1"
>
> It works for me.
>
> -Ognjen
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
2013/3/5 Brijesh Deo <b...@sonicwall.com>:
> Hi,
>
> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

1. If you are brave enough to use Java 7, I would recommend to use Tomcat 7.0 with it. There were a number of fixes in Tomcat connectors to allow use of Java 7, e.g. in 6.0.34.

2. If TLS 1.1 uses different ciphers, maybe you can configure the list of ciphers to be limited to those ones. (I have not tried, just an idea).

3. Beware of issue 54406.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

Best regards,
Konstantin Kolinko
RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 06 March 2013 03:58
To: Tomcat Users List
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

> 2013/3/5 Brijesh Deo <b...@sonicwall.com>:
>> Hi,
>>
>> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.
>
> 1. If you are brave enough to use Java 7, I would recommend to use Tomcat 7.0 with it. There were a number of fixes in Tomcat connectors to allow use of Java 7, e.g. in 6.0.34.
>
> 2. If TLS 1.1 uses different ciphers, maybe you can configure the list of ciphers to be limited to those ones. (I have not tried, just an idea).
>
> 3. Beware of issue 54406.
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54406
>
> Best regards,
> Konstantin Kolinko

Thanks Konstantin. I am using Java 7 with Tomcat 6.0.32.

-Brijesh
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Ognjen,

On 3/5/13 8:29 AM, Ognjen Blagojevic wrote:
> Brijesh,
>
> On 5.3.2013 11:47, Brijesh Deo wrote:
>> Thanks Ognjen. I tried with -Dhttps.protocols=TLSv1.1 in Tomcat startup but even this doesn't work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 is the only way to achieve this easily through configuration in server.xml.
>
> That was strange, so I started looking where Tomcat 6.0.32 sets enabled protocols. Here it is (JSSESocketFactory.java, lines 789-791):
>
>   String requestedProtocols = (String) attributes.get("protocols");
>   setEnabledProtocols(socket, getEnabledProtocols(socket, requestedProtocols));
>
> It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use undocumented attribute for HTTPS connector "protocols".
>
> So in Tomcat 7 you might use:
>
>   sslProtocol="TLSv1.1"
>   sslEnabledProtocols="TLSv1.1"
>
> and in Tomcat 6.0.32:
>
>   sslProtocol="TLSv1.1"
>   protocols="TLSv1.1"
>
> It works for me.

Can you file a bug for this? That should be a) documented and b) accept either "protocol" or "sslEnabledProtocols" to make it line up with Tomcat 7.0.

-chris
RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
> Thanks a lot Ognjen for looking into this so extensively. I think I had tried this combination - sslProtocol="SSL" and protocols="TLSv1.1". I will try again with both being TLSv1.1 and then I think it would work.
>
> Thanks again,
> Brijesh
>
> Sent from Samsung Mobile
>
> -------- Original message --------
> From: Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
> Date: 05/03/2013 20:00 (GMT+05:30)
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
>
>> Brijesh,
>>
>> On 5.3.2013 11:47, Brijesh Deo wrote:
>>> Thanks Ognjen. I tried with -Dhttps.protocols=TLSv1.1 in Tomcat startup but even this doesn't work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 is the only way to achieve this easily through configuration in server.xml.
>>
>> That was strange, so I started looking where Tomcat 6.0.32 sets enabled protocols. Here it is (JSSESocketFactory.java, lines 789-791):
>>
>>   String requestedProtocols = (String) attributes.get("protocols");
>>   setEnabledProtocols(socket, getEnabledProtocols(socket, requestedProtocols));
>>
>> It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use undocumented attribute for HTTPS connector "protocols".
>>
>> So in Tomcat 7 you might use:
>>
>>   sslProtocol="TLSv1.1"
>>   sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>>   sslProtocol="TLSv1.1"
>>   protocols="TLSv1.1"
>>
>> It works for me.
>>
>> -Ognjen

I tried and it works for me too with [sslProtocol="TLSv1.1" protocols="TLSv1.1"] in the connector definition in server.xml. Thanks a lot.

Regards,
Brijesh
How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Hi,

Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

Thanks in advance,
Brijesh
Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
On 05/03/2013 5:10 PM, Brijesh Deo <b...@sonicwall.com> wrote:
> Hi,
>
> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

You need Java 7 for TLS 1.1 and 1.2 as far as I know.
RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
-----Original Message-----
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: 05 March 2013 13:22
To: Tomcat Users List
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

> On 05/03/2013 5:10 PM, Brijesh Deo <b...@sonicwall.com> wrote:
>> Hi,
>>
>> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider. Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.
>
> You need Java 7 for TLS 1.1 and 1.2 as far as I know.

Thanks for the reply Igor. I already have Java 7.

-Brijesh