Hi,
We are using tomcat version 9.0.46.
Could you please provide suggestion to restrict the TLS version in HTTP2 over
HTTPS with OpenSSL implementation?.
Regards,
Natraj
From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org' <users@tomcat.apache.org>
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Hi,
We have tried to restrict the TLS version in https connection establishment in
embedded tomcat for OpenSSL based implementation. With this part of the code,
TLSv1.0/TLSv1.1 client also able to connect with our https server. Please let
us know how we can restrict the TLS version in HTTP2 over HTTPS in OpenSSL
implementation.
Below code is used while creating connector.
private final String[] enabledProtocol = new String[] { "TLSv1.2" };
SSLHostConfig sslHostConfig = new SSLHostConfig();
sslHostConfig.setInsecureRenegotiation( false );
sslHostConfig.setCertificateFile( certLocation );
sslHostConfig.setCertificateKeyFile( certKeyLocation );
sslHostConfig.setCertificateKeyPassword( certKeyPassword );
if( isClientAuthreq && caCertificatePath != null &&
!caCertificatePath.isEmpty() )
{
sslHostConfig.setCertificateVerification(
CertificateVerification.REQUIRED.toString() );
sslHostConfig.setCaCertificateFile( caCertificatePath );
}
sslHostConfig.setSslProtocol("TLS");
sslHostConfig.setEnabledProtocols( enabledProtocol );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName",
"org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );
Regards,
Natraj
