On 16/10/2014 23:59, Jason Schwanz wrote:
> Cut from server.xml
> ==============
> <Connector SSLEnabled="true" URIEncoding="UTF-8"
>   acceptCount="100"
>   ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>   clientAuth="false"
>   compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/pdf,application/vnd.ms-excel"
>   compression="on" compressionMinSize="2048"
>   connectionTimeout="60000" disableUploadTimeout="false"
>   enableLookups="false"
>   keystoreFile="keystore"
>   keystorePass="password" maxHttpHeaderSize="8192"
>   maxSpareThreads="25" maxThreads="150" minSpareThreads="5"
>   noCompressionUserAgents="gozilla, traviata" port="8443"
>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>   proxyName="example.com" proxyPort="443"
>   scheme="https" secure="true"
>   server="example" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
>
> From catalina.out
> ==============
> Oct 16, 2014 5:16:42 AM org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
> Oct 16, 2014 5:16:42 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxSpareThreads' to '25' did not find a matching property.
> Oct 16, 2014 5:16:42 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'minSpareThreads' to '5' did not find a matching property.
> Oct 16, 2014 5:16:42 AM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslEnabledProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching
> property.
> Oct 16, 2014 5:16:43 AM org.apache.tomcat.util.net.NioSelectorPool getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Oct 16, 2014 5:16:43 AM org.apache.coyote.http11.Http11NioProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> Oct 16, 2014 5:16:43 AM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1270 ms
> Oct 16, 2014 5:16:43 AM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Oct 16, 2014 5:16:43 AM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.41
OK, so you are using the NIO HTTPS connector. The config setting is correct according to the docs.

The code that handles this is a mess that I was already starting to dig into with a view to disabling SSLv3 by default. BIO does this one way, NIO does this another and it looks like the code to handle the BIO setting is stomping on the setting when trying to use NIO.

The short version is that I don't see a way to set sslEnabledProtocols for NIO HTTPS that will actually work. Setting sslProtocol seems to have zero effect on the protocol versions available.

I'll re-open your bug report and add the specifics about this scenario. Getting this fixed and into the next 6.0.x release is currently top of my TODO list.

Mark

>
> -----
> Jason Schwanz
> 503/887-4563
>
> On Thu, Oct 16, 2014 at 3:53 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 16/10/2014 23:46, Jason Schwanz wrote:
>>> I'm attempting to disable SSLv3 by specifying
>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>>> in my HTTP connector, but it is not disabling it. Looking at catalina.out I
>>> see this logged warning:
>>>
>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>>> 'sslEnabledProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching
>>> property.
>>>
>>> The host is running tomcat 6.0.41 with Java 7u65.
>>
>> And your connector configuration is ... ?
>>
>> The rest of the log shows ... ?
>>
>> Mark
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
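The practical lesson of this thread is that a server.xml attribute that looks right is not proof that SSLv3 is off: on this Tomcat version the NIO connector silently dropped it. An offline audit of the connector config still catches the things that can be caught by reading it (SSLv3 left enabled, RC4 in the cipher list, reliance on sslProtocol alone, NIO on a build where the setting was reported not to work). The script below is an added example, not code from the Tomcat project or from either poster; the embedded server.xml is constructed to mirror the connector quoted above plus a second, less carefully configured connector, and the "weak suite" markers and the Java 7u75 cut-off for SSLv3 defaults are the author's assumptions stated in the comments.

```python
"""Offline audit of Tomcat server.xml HTTPS connectors for SSLv3 and weak
cipher exposure.  Added example, not Tomcat code.  SAMPLE_SERVER_XML is a
constructed input modelled on the connector quoted in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 mirrors the thread's NIO connector (RC4 suite
# included); port 8444 is a BIO connector that relies on sslProtocol only.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               clientAuth="false" keystoreFile="keystore" keystorePass="password"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
    <Connector SSLEnabled="true" port="8444" scheme="https" secure="true"
               protocol="HTTP/1.1" keystoreFile="keystore" keystorePass="password"
               sslProtocol="TLS" />
  </Service>
</Server>
"""

# Assumption: any suite whose name carries one of these markers is rejected.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "anon")


def _split_list(value):
    """Tomcat takes comma-separated lists; tolerate stray whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_connector(conn):
    """Return a list of finding strings for one <Connector> (empty = clean)."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: no TLS settings to check

    proto = conn.get("protocol", "HTTP/1.1")
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        # Assumption: JSSE defaults on Java 7 builds before 7u75 include SSLv3.
        findings.append("no sslEnabledProtocols: JSSE defaults apply, which on "
                        "Java 7 before 7u75 still include SSLv3")
    else:
        if "SSLv3" in _split_list(enabled):
            findings.append("sslEnabledProtocols explicitly enables SSLv3")
        if "Http11NioProtocol" in proto:
            # Per the thread, Tomcat 6.0.41 NIO ignores this attribute.
            findings.append("NIO connector: sslEnabledProtocols reported ineffective "
                            "on Tomcat 6.0.41; confirm with a live handshake test")

    if conn.get("sslProtocol") is not None and enabled is None:
        # Per Mark's reply, sslProtocol does not restrict the versions offered.
        findings.append("sslProtocol alone does not restrict protocol versions")

    ciphers = conn.get("ciphers")
    if ciphers is None:
        findings.append("no ciphers attribute: JSSE default suite list applies")
    else:
        for suite in _split_list(ciphers):
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append("weak cipher suite enabled: " + suite)
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            report[conn.get("port")] = audit_connector(conn)
    return report


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print("port %s:" % port)
        for finding in findings or ["no findings"]:
            print("  - " + finding)
```

Because the thread shows the config being ignored at runtime, treat this as a pre-check only: after restarting, confirm from the outside with a handshake that forces the old version (for example `openssl s_client -ssl3 -connect host:8443`, which needs an OpenSSL build that still compiles in SSLv3 support) and expect the connection to be refused.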