This looks like a cipher, not an alias

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-----Original Message-----
From: James H. H. Lampert <jam...@touchtonecorp.com> 
Sent: Friday, July 17, 2020 3:47 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Problem with protocols, Re: SSL/TLS issue: can we listen on more than 
one secured port, with different protocols enabled?

Running two connectors seems to work just fine, but I'm having trouble getting 
one of them to only take TLS 1.2.

In reply to my query:

>> Given all this, is it possible to (1) have Tomcat listen on two 
>> separate HTTPS ports, and (2) have one of the ports require TLS 1.2, 
>> but the other accept something our AS/400 can use?

On 7/17/20 10:03 AM, Mark Thomas wrote:

> Yes. You need two Connector elements specifying different ports and 
> different protocols. They should be able to use the same certificate 
> configuration.

I just ran a test on our development Amazon EC2 instance, and verified that I 
could listen on two different ports (existing 8443 and now 7443), and I limited 
(or so I thought) 8443 (to which I have 443 rerouted through iptables) to TLS 
1.2.

Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!

I commented out the connector for 8443 and restarted Tomcat, but it's still 
giving the same report from SSLLabs.

The connector for 8443 in server.xml looks like this (lines truncated):
> <Connector port="8443" proxyPort="443" 
> protocol="org.apache.coyote.http1$
>  compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
>                maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>                keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>                clientAuth="false" sslProtocol="TLSv1.2" />

The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7 
installation on our most security-conscious customer's AS/400; this Tomcat is 
8.5. Am I specifying it wrong?

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
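The following server.xml fragment is an added example and is not the configuration posted in the thread or anything from the Tomcat project; keystore path, password, key alias, cipher names and port numbers are placeholders. It addresses both points raised above: the `ciphers` value that, in the truncated listing, appears on the line after `keyAlias=`, and the connector that still negotiates TLS 1.0/1.1 despite `sslProtocol="TLSv1.2"`. In Tomcat 8.5 the JSSE `sslProtocol` attribute only selects the algorithm passed to `SSLContext.getInstance()`; the protocol versions actually offered on the socket come from `sslEnabledProtocols` on the legacy connector attributes, or `protocols` on `<SSLHostConfig>`, and default to whatever the JVM enables (which, on the Java 8 builds current in mid-2020, typically still includes TLSv1 and TLSv1.1).

```xml
<!-- Added example, not from the thread. Placeholders throughout. -->

<!-- Connector 1: port 8443 (443 forwarded here), TLS 1.2 only.
     Legacy attribute style, as in the posted configuration.
     sslProtocol alone does NOT restrict the handshake versions;
     sslEnabledProtocols is the attribute that does. -->
<Connector port="8443" proxyPort="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="1000"
           compression="on" compressionMinSize="2048"
           keystoreFile="/etc/tomcat8/example.ks"
           keystorePass="changeit"
           keyAlias="tomcat"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />

<!-- Connector 2: port 7443 for the client that cannot speak TLS 1.2.
     Tomcat 8.5's preferred SSLHostConfig form is shown here; the keystore
     and alias are set on <Certificate>, the protocol list on <SSLHostConfig>.
     TLSv1 is enabled here only because that endpoint needs it; keep this
     connector unreachable from the public side (firewall / iptables). -->
<Connector port="7443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="200">
  <SSLHostConfig protocols="TLSv1,TLSv1.1,TLSv1.2"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
                 certificateVerification="none">
    <Certificate certificateKeystoreFile="/etc/tomcat8/example.ks"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat" />
  </SSLHostConfig>
</Connector>
```

After restarting Tomcat, confirm the restriction locally rather than waiting on an external scanner: `openssl s_client -connect localhost:8443 -tls1` and `-tls1_1` should fail the handshake, while `-tls1_2` should complete; the same commands against port 7443 should all succeed. If the scanner result does not change even with the connector commented out, check which process is actually bound to the port (`ss -tlnp`) and where the iptables redirect for 443 points before changing the TLS settings again.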
