tomcat-users mailing list archives

From Ognjen Blagojevic
Subject Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Date Wed, 06 Mar 2013 08:51:20 GMT

On 6.3.2013 7:02, Christopher Schultz wrote:
>> So in
>> Tomcat 7 you might use:
>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>> and in Tomcat 6.0.32:
>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>> It works for me.
> Can you file a bug for this? That should be a) documented and b)
> accept either "protocol" or "sslEnabledProtocols" to make it line-up
> with Tomcat 7.0.

Sure, I will. But, before I do, I just want to point out here to another 

Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and 
Tomcat 7.0.37 come pre-configured -- enables different groups of 
protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable SSLv3, 
TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable SSLv3 and 
TLSv1. This is counter-intuitive and might introduce problems when 
upgrading from Tomcat 6 to Tomcat 7.

Which behavior is right? I prefer how Tomcat 6 is interpreting that 
attribute -- trying to enable best possible TLS protocol versions available.

OTOH, from Tomcat 7 documents it seems that the value of attribute 
setProtocol is just passed to JSSE when creating SSLContext. I assume 
that Tomcat 6 did some pre-processing before passing that attribute to 



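Added example, not part of the original message and not Tomcat's own code: a small JSSE program showing the two separate steps the thread is about, the name given to `SSLContext.getInstance` and the explicit list of enabled protocol versions. The class name `EnabledProtocolsDemo`, the `WANTED` policy list and the `restrict` helper are assumptions made for the illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class EnabledProtocolsDemo {
    // Assumed policy for this example: the only version the operator wants to offer.
    static final List<String> WANTED = Arrays.asList("TLSv1.1");

    /** Returns the entries of WANTED that this JSSE provider supports, in WANTED order. */
    static String[] restrict(String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> keep = new ArrayList<>();
        for (String p : WANTED) {
            if (supportedList.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            // Fail closed: never fall back to the provider defaults.
            throw new IllegalStateException("No wanted protocol is supported: " + WANTED);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Step 1: the context name, the role the message attributes to the protocol attribute.
        String contextName = args.length > 0 ? args[0] : "TLS";
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default managers; enough to inspect protocol sets

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // server side, as for a connector

        System.out.println("context name     : " + contextName);
        System.out.println("supported        : " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled (default): " + Arrays.toString(engine.getEnabledProtocols()));

        // Step 2: the explicit enabled list (what sslEnabledProtocols / protocols sets).
        engine.setEnabledProtocols(restrict(engine.getSupportedProtocols()));
        System.out.println("enabled (pinned) : " + Arrays.toString(engine.getEnabledProtocols()));
        // The JRE's jdk.tls.disabledAlgorithms security property can still reject a
        // pinned version at handshake time; this only shows what the engine is set to offer.
    }
}
```

Running it with `TLS` and then with `TLSv1.1` as the argument on the JRE that hosts Tomcat shows which versions that JRE enables by default for each context name, which is the set a connector offers when no explicit list is given.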