tomcat-users mailing list archives

From Brijesh Deo <b...@SonicWALL.com>
Subject RE: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Date Tue, 05 Mar 2013 09:11:14 GMT
-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com] 
Sent: 05 March 2013 13:59
To: users@tomcat.apache.org
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am
> currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"]
> in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being
> accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to
> allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols 
are enabled by default, e.g. for Oracle JDK 7:

1) sslProtocol="TLS" will enable SSLv3 and TLSv1
2) sslProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) sslProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) sslProtocol="TLSv1" will enable SSLv3 and TLSv1
5) sslProtocol="SSL" will enable SSLv3 and TLSv1
6) sslProtocol="SSLv3" will enable SSLv3 and TLSv1
7) sslProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need 
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may 
enable it by specifying sslEnabledProtocols parameter. E.g.

   sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.

-Ognjen

Hi Ognjen,
Thanks for your detailed reply and the explanation. I gave it a quick try but it doesn't
quite work with Tomcat 6.0.32, the version that I am currently using. I checked the HTTP Connector
documentation for Tomcat 6.0 and Tomcat 7.0 and the attribute "sslEnabledProtocols" is supported
in Tomcat 7.0 but not in Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32?
Please let me know.

Thanks,
Brijesh
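For readers following the exchange above, here is an added illustration (not part of the thread and not from the Tomcat project's documentation) of the two server.xml connector settings Ognjen contrasts, written for Tomcat 7.0 since, as Brijesh notes, 6.0.32 does not support sslEnabledProtocols. The port, keystore path and keystore password are placeholders; the explicit protocol class name is used to force the JSSE (non-OpenSSL) connector that the question is about.

```xml
<!-- Added example; placeholders: port 8443, keystore path and password. -->

<!-- Weak: sslProtocol alone only selects the JSSE SSLContext. Per the table above,
     on Oracle JDK 7 sslProtocol="TLSv1.1" still enables SSLv3, TLSv1 and TLSv1.1,
     so TLS 1.0 handshakes are accepted. This is the configuration Brijesh tried. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLSv1.1"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit" />

<!-- Corrected (Tomcat 7.0): sslEnabledProtocols restricts what the connector will
     actually negotiate, independently of the context chosen by sslProtocol. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit" />
```

After restarting Tomcat with the corrected connector, a handshake forced to TLS 1.0 (for example `openssl s_client -connect host:8443 -tls1`) should fail, while one forced to TLS 1.1 (`-tls1_1`) should succeed; checking both confirms that the restriction is enforced by the connector rather than merely being the client's default.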

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
