Documentation for the APR connector says setting SSLProtocol="all" (the default) enables TLSv1+SSLv3, but it actually enables TLSv1.1 and TLSv1.2 as well. However, it only seems to accept SSLProtocol strings that include TLSv1, SSLv2, SSLv3 or their combinations. In other words, there doesn't seem to be a way to specify that you only want all 3 TLS versions and none of the SSL versions. Is there something I'm missing?
FYI: I checked Bugzilla on this, and there seems to be some work progressing on coding support, but it also interjected a regression to turn SSLv2 back on by default. The question is, if there is no current "magic string" that Tomcat will accept to enable full TLS support, is this something we will have to wait for 7.0.57 (and the equivalent 6 & 8 versions) to be able to address?

Jeffrey Janner