tomcat-users mailing list archives

From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Date Wed, 06 Mar 2013 08:51:20 GMT
Chris,

On 6.3.2013 7:02, Christopher Schultz wrote:
>> So in
>> Tomcat 7 you might use:
>>
>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>
>>
>> It works for me.
>
> Can you file a bug for this? That should be a) documented and b)
> accept either "protocol" or "sslEnabledProtocols" to make it line-up
> with Tomcat 7.0.

Sure, I will. But, before I do, I just want to point out here to another 
issue:

Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and 
Tomcat 7.0.37 come pre-configured -- enables different groups of 
protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable SSLv3, 
TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable SSLv3 and 
TLSv1. This is counter-intuitive and might introduce problems when 
upgrading from Tomcat 6 to Tomcat 7.

Which behavior is right? I prefer how Tomcat 6 is interpreting that 
attribute -- trying to enable best possible TLS protocol versions available.

OTOH, from Tomcat 7 documents it seems that the value of attribute 
setProtocol is just passed to JSSE when creating SSLContext. I assume 
that Tomcat 6 did some pre-processing before passing that attribute to 
SSLContext.

WDYT?

-Ognjen
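To see on a given JVM what the SSLContext algorithm name (the value Tomcat passes through from sslProtocol) enables by default, versus what an explicit enabled-protocols list (sslEnabledProtocols on Tomcat 7, protocols on Tomcat 6.0.32) does to the server socket, here is a small stand-alone Java program; it is an added example, not code from the thread or from Tomcat, and uses only the standard JSSE API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.Arrays;

public class JsseProtocolCheck {

    // Report what JSSE supports and what it enables by default for a given
    // SSLContext algorithm name ("TLS", "TLSv1.1", ...). This is the context
    // Tomcat builds from the sslProtocol attribute.
    static void report(String algorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(algorithm);
        ctx.init(null, null, null); // default key/trust managers suffice for this check
        System.out.println("SSLContext \"" + algorithm + "\"");
        System.out.println("  supported: "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("  default:   "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    // The effect of an explicit enabled-protocols list: the restriction is applied
    // to the server socket, independently of which algorithm name built the context.
    static String[] restrictTo(SSLContext ctx, String... protocols) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Port 0 binds an ephemeral port; the socket is only inspected, never accepted on.
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);
        try {
            server.setEnabledProtocols(protocols);
            return server.getEnabledProtocols();
        } finally {
            server.close();
        }
    }

    public static void main(String[] args) throws Exception {
        report("TLS");
        report("TLSv1.1");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        System.out.println("enabled after explicit restriction: "
            + Arrays.toString(restrictTo(ctx, "TLSv1.1")));
    }
}
```

On current JDKs the default list is further trimmed by the jdk.tls.disabledAlgorithms security property, so the output of report() on the JVM that runs Tomcat is the authoritative answer, not the attribute value alone.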

