tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ognjen Blagojevic <>
Subject Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Date Tue, 05 Mar 2013 08:28:45 GMT

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am
currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"]
in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being
accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to
allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols 
are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLS v1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need 
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may 
enable it by specifying sslEnabledProtocols parameter. E.g.

   sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message