RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Thank you! Regeneron - Internal Use Only -Original Message- From: Thomas Hoffmann (Speed4Trade GmbH) Sent: Thursday, August 10, 2023 11:21 PM To: Tomcat Users List Subject: [External] AW: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options EXTERNAL MESSAGE _ EXTERNAL MESSAGE Hello Bradle, > -Ursprüngliche Nachricht- > Von: Brandie Nickey-External > Gesendet: Donnerstag, 10. August 2023 18:20 > An: Tomcat Users List > Betreff: RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs > server.xml options > > Hi all, > > Spying on this thread and have a little confusion. For me tomcat is running > on a > windows server and I wasn't able to find a Catalina.sh. I do have a > Catalina.bat > thoughdoes anyone know if this is supposed to be the equivalent to > the .sh file , just for Windows? > > Thanks, > Brandie In general, yes. Just replace .sh with .bat on windows and you are good to go. > > Regeneron - Internal Use Only > > -Original Message- > From: SCHWING, CHUCK > Sent: Thursday, August 10, 2023 4:59 AM > To: Tomcat Users List > Subject: [External] RE: Tomcat 10.1 -- Precedence of catalina.sh jvm > Options vs server.xml options > > EXTERNAL MESSAGE > > _ > > > > > EXTERNAL MESSAGE > > > > > Chris -- > > Many thanks for the clarification. I missed the "client" in the > jdk.tls.client.protocols jvm arg. > > Regards, > --ccs > > -Original Message- > From: Christopher Schultz > Sent: Thursday, August 10, 2023 2:04 AM > To: users@tomcat.apache.org > Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs > server.xml options > > Chuck, > > On 8/9/23 13:58, SCHWING, CHUCK wrote: > > I've looked for the answer to this online and maybe I didn't read > > closely > enough. > > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm > > startup option > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and > the same TLS version is defined in my server.xml in my SSLHostConfig: > > sslProtocol="TLS" > > protocols="TLSv1.2" > > > > My question is: What's the precedence in play? Does catalina.sh > > override > server.xml or is it the other way around? > > > > We need to migrate to TLS1.3 and we're wondering how best to > > configure > Tomcat 10 so support TLS1.2 and TLS1.3 while we're migrating. > > The system property you have shown above does not affect the behavior > of Tomcat at all. This system property affects Java's built-in TLS > *client* when making /outgoing/ connections. > > If you specify "TLSv1.2" and no other protocols, then you will not > enable TLSv1.3. You should specify: > >protocols="TLSv1.3, TLSv1.2" > > in your in order to enable TLSv1.3 and also accept TLSv1.2. > Note that for TLSv1.3 there are other requirements, specifically a JVM > with support if using JSSE or an OpenSSL implementation with support > if using OpenSSL. > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > This e-mail and any attachment hereto, is intended only for use by the > addressee(s) named above and may contain legally privileged and/or > confidential information. If you are not the intended recipient of > this e-mail, any dissemination, distribution or copying of this email, > or any attachment hereto, is strictly prohibited. If you receive this > email in error please immediately notify me by return electronic mail > and permanently delete this email and any attachment hereto, any copy > of this e-mail and of any such attachment, and any printout thereof. > Finally, please note that only authorized representatives of Regeneron > Pharmaceuticals, Inc. have the power and authority to enter into business > dealings with any third party. > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -
RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Hi all, Spying on this thread and have a little confusion. For me tomcat is running on a windows server and I wasn't able to find a Catalina.sh. I do have a Catalina.bat thoughdoes anyone know if this is supposed to be the equivalent to the .sh file , just for Windows? Thanks, Brandie Regeneron - Internal Use Only -Original Message- From: SCHWING, CHUCK Sent: Thursday, August 10, 2023 4:59 AM To: Tomcat Users List Subject: [External] RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options EXTERNAL MESSAGE _ EXTERNAL MESSAGE Chris -- Many thanks for the clarification. I missed the "client" in the jdk.tls.client.protocols jvm arg. Regards, --ccs -Original Message- From: Christopher Schultz Sent: Thursday, August 10, 2023 2:04 AM To: users@tomcat.apache.org Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options Chuck, On 8/9/23 13:58, SCHWING, CHUCK wrote: > I've looked for the answer to this online and maybe I didn't read closely > enough. > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the > same TLS version is defined in my server.xml in my SSLHostConfig: > sslProtocol="TLS" > protocols="TLSv1.2" > > My question is: What's the precedence in play? Does catalina.sh override > server.xml or is it the other way around? > > We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat > 10 so support TLS1.2 and TLS1.3 while we're migrating. The system property you have shown above does not affect the behavior of Tomcat at all. This system property affects Java's built-in TLS *client* when making /outgoing/ connections. If you specify "TLSv1.2" and no other protocols, then you will not enable TLSv1.3. You should specify: protocols="TLSv1.3, TLSv1.2" in your in order to enable TLSv1.3 and also accept TLSv1.2. Note that for TLSv1.3 there are other requirements, specifically a JVM with support if using JSSE or an OpenSSL implementation with support if using OpenSSL. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This e-mail and any attachment hereto, is intended only for use by the addressee(s) named above and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, any dissemination, distribution or copying of this email, or any attachment hereto, is strictly prohibited. If you receive this email in error please immediately notify me by return electronic mail and permanently delete this email and any attachment hereto, any copy of this e-mail and of any such attachment, and any printout thereof. Finally, please note that only authorized representatives of Regeneron Pharmaceuticals, Inc. have the power and authority to enter into business dealings with any third party. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Chris -- Many thanks for the clarification. I missed the "client" in the jdk.tls.client.protocols jvm arg. Regards, --ccs -Original Message- From: Christopher Schultz Sent: Thursday, August 10, 2023 2:04 AM To: users@tomcat.apache.org Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options Chuck, On 8/9/23 13:58, SCHWING, CHUCK wrote: > I've looked for the answer to this online and maybe I didn't read closely > enough. > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the > same TLS version is defined in my server.xml in my SSLHostConfig: > sslProtocol="TLS" > protocols="TLSv1.2" > > My question is: What's the precedence in play? Does catalina.sh override > server.xml or is it the other way around? > > We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat > 10 so support TLS1.2 and TLS1.3 while we're migrating. The system property you have shown above does not affect the behavior of Tomcat at all. This system property affects Java's built-in TLS *client* when making /outgoing/ connections. If you specify "TLSv1.2" and no other protocols, then you will not enable TLSv1.3. You should specify: protocols="TLSv1.3, TLSv1.2" in your in order to enable TLSv1.3 and also accept TLSv1.2. Note that for TLSv1.3 there are other requirements, specifically a JVM with support if using JSSE or an OpenSSL implementation with support if using OpenSSL. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Chuck, On 8/9/23 13:58, SCHWING, CHUCK wrote: I've looked for the answer to this online and maybe I didn't read closely enough. I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the same TLS version is defined in my server.xml in my SSLHostConfig: sslProtocol="TLS" protocols="TLSv1.2" My question is: What's the precedence in play? Does catalina.sh override server.xml or is it the other way around? We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat 10 so support TLS1.2 and TLS1.3 while we're migrating. The system property you have shown above does not affect the behavior of Tomcat at all. This system property affects Java's built-in TLS *client* when making /outgoing/ connections. If you specify "TLSv1.2" and no other protocols, then you will not enable TLSv1.3. You should specify: protocols="TLSv1.3, TLSv1.2" in your in order to enable TLSv1.3 and also accept TLSv1.2. Note that for TLSv1.3 there are other requirements, specifically a JVM with support if using JSSE or an OpenSSL implementation with support if using OpenSSL. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
