Chris -- Many thanks for the clarification. I missed the "client" in the jdk.tls.client.protocols jvm arg.
Regards,
--ccs

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, August 10, 2023 2:04 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options

Chuck,

On 8/9/23 13:58, SCHWING, CHUCK wrote:
> I've looked for the answer to this online and maybe I didn't read closely
> enough.
> I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option
> of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the
> same TLS version is defined in my server.xml in my SSLHostConfig:
> sslProtocol="TLS"
> protocols="TLSv1.2"
>
> My question is: What's the precedence in play? Does catalina.sh override
> server.xml or is it the other way around?
>
> We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat
> 10 to support TLS1.2 and TLS1.3 while we're migrating.

The system property you have shown above does not affect the behavior of
Tomcat at all. This system property affects Java's built-in TLS *client*
when making /outgoing/ connections.

If you specify "TLSv1.2" and no other protocols, then you will not enable
TLSv1.3. You should specify:

protocols="TLSv1.3, TLSv1.2"

in your <SSLHostConfig> in order to enable TLSv1.3 and also accept TLSv1.2.

Note that for TLSv1.3 there are other requirements, specifically a JVM with
support if using JSSE or an OpenSSL implementation with support if using
OpenSSL.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
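As an added illustration (not part of the thread or of any Tomcat documentation), here is a Tomcat 10.1 server.xml HTTPS connector in the two shapes discussed above: the TLSv1.2-only SSLHostConfig from the question, and the form the reply recommends for the migration window. The port, thread count and keystore path are placeholders.

```xml
<!-- Added example, not from the thread. Tomcat 10.1 server.xml, NIO connector using JSSE.
     Port, maxThreads and the keystore path are placeholders. -->

<!-- Before: as described in the question. Only TLSv1.2 is negotiated by this listener.
     A -Djdk.tls.client.protocols value in catalina.sh does not change this: that property
     governs the JVM's own TLS client on outgoing connections, not Tomcat's server side. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig sslProtocol="TLS" protocols="TLSv1.2">
        <!-- Keystore password is intentionally left to the store's configured default;
             set certificateKeystorePassword if yours differs. -->
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- After: accept both versions while clients migrate, as recommended in the reply.
     TLSv1.3 additionally requires a JVM (JSSE) or OpenSSL build that supports it. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <SSLHostConfig sslProtocol="TLS" protocols="TLSv1.3, TLSv1.2">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA" />
    </SSLHostConfig>
</Connector>
```

After a restart, `openssl s_client -connect <host>:8443 -tls1_3 </dev/null` should complete a handshake against the second connector, and the same command with `-tls1_2` should still succeed until TLSv1.2 is removed from the list.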