On 06.03.20 at 15:41, Christopher Schultz wrote:
> Markus,
>
> On 3/5/20 13:44, i...@flyingfischer.ch wrote:
> > Try SSLProtocol="TLSv1.2" (mind the case) instead of
> > sslProtocol="-all +TLSv1.2".
>
> This is correct when using either OpenSSL or JSSE. "sslProtocol" will
> only work for JSSE configuration, and basically only allows a single
> value: "TLS".
>
> It's better to use <SSLHostConfig> where it's always just "protocols".
>
> > Had this issue too. The connector parameters for SSL are a huge
> > mess and have been changed constantly.
>
> Really? Can you give an example? Other than the change from
> <Connector> to <SSLHostConfig>, everything has been pretty stable for
> ... decades.
>
> -chris
>
Well, yes. If I remember correctly this was:

    <Connector port="443" URIEncoding="UTF-8"
               server="Apache"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="/path/to/keystore.jks"
               keyAlias="aliasName"
               keystorePass="*****"
               clientAuth="false"
               sslProtocol="TLSv1.2, TLSv1.3" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
            overheadDataThreshold="0" />
    </Connector>

Server is also built with TC native. Always using latest stable version
of TC 8.5. OpenJDK 64-Bit Server VM Zulu13.29+9-CA (build 13.0.2+6-MTS,
mixed mode, sharing).

Chrome could not cope with HTTP2 with this configuration. So I switched
back to HTTP1.1:

    <Connector port="443" URIEncoding="UTF-8"
               server="Apache"
               protocol="HTTP/1.1"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               keystoreFile="/path/to/keystore.jks"
               keyAlias="aliasName"
               keystorePass="*****"
               clientAuth="false"
               SSLProtocol="TLSv1.2+TLSv1.3" >
    </Connector>

TLSv1.2 only started to work after correcting sslProtocol to SSLProtocol.

Best
Markus
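The `<SSLHostConfig>` form Chris recommends, as an added example that is not part of the thread: it reuses the placeholder keystore values from Markus's connector and assumes the NIO connector, which in Tomcat 8.5 picks up the OpenSSL engine automatically when tomcat-native is loaded. Here the protocol list sits in one place (`protocols`) regardless of whether JSSE or OpenSSL ends up doing the TLS, so the `sslProtocol`/`SSLProtocol` case trap does not apply.

```xml
<!-- Added example: TLS 1.2/1.3-only HTTPS connector using SSLHostConfig.
     Keystore path, alias and password are the placeholders from the
     thread; replace them with your own. -->
<Connector port="443" URIEncoding="UTF-8"
           server="Apache"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true">

    <!-- 'protocols' is the single attribute that controls the TLS versions
         for both JSSE and OpenSSL implementations. The "+" prefix adds a
         protocol to the list; anything not listed (TLSv1, TLSv1.1, SSLv3)
         stays disabled. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   honorCipherOrder="true"
                   certificateVerification="none">
        <!-- Equivalent of keystoreFile / keyAlias / keystorePass on the
             old Connector attributes. -->
        <Certificate certificateKeystoreFile="/path/to/keystore.jks"
                     certificateKeyAlias="aliasName"
                     certificateKeystorePassword="*****"
                     type="RSA" />
    </SSLHostConfig>

    <!-- Optional: HTTP/2 over TLS (h2 via ALPN). Omit this element to stay
         on HTTP/1.1 as in the second configuration above. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>
```

After a restart, `openssl s_client -connect host:443 -tls1_1` should fail the handshake while `-tls1_2` and `-tls1_3` succeed, which is the quickest check that the protocol restriction actually took effect.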



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org