From: Ognjen Blagojevic
To: users@tomcat.apache.org
Date: Tue, 05 Mar 2013 09:28:45 +0100
Message-ID: <5135ACBD.4060202@gmail.com>
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connection with Tomcat server? I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are enabled by default, e.g. for Oracle JDK 7:

1) sslProtocol="TLS" will enable SSLv3 and TLSv1
2) sslProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) sslProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) sslProtocol="TLSv1" will enable SSLv3 and TLSv1
5) sslProtocol="SSL" will enable SSLv3 and TLSv1
6) sslProtocol="SSLv3" will enable SSLv3 and TLSv1
7) sslProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may enable it by specifying sslEnabledProtocols parameter. E.g.
sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.

-Ognjen
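As an added check (example code written for this page, not from the thread or from Tomcat), the rules in Ognjen's reply turned into a small lint over a server.xml fragment: it applies the sslProtocol defaults he lists for Oracle JDK 7, lets sslEnabledProtocols override them, and reports which protocols beyond TLSv1.1 each HTTPS connector would still accept. The `SAMPLE` fragment and its port numbers are constructed; the assumption that sslProtocol defaults to "TLS" when omitted follows the Tomcat connector documentation.

```python
"""Lint Tomcat <Connector> elements against the protocol rules from the reply above.

Hypothetical helper, not Tomcat code. Mapping of sslProtocol -> enabled protocols is
the one listed for Oracle JDK 7; sslEnabledProtocols, when present, overrides it.
"""
import xml.etree.ElementTree as ET

# Default enabled protocols per sslProtocol value, as listed in the reply (Oracle JDK 7).
DEFAULTS_BY_SSL_PROTOCOL = {
    "TLS": {"SSLv3", "TLSv1"},
    "TLSv1.2": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLSv1.1": {"SSLv3", "TLSv1", "TLSv1.1"},
    "TLSv1": {"SSLv3", "TLSv1"},
    "SSL": {"SSLv3", "TLSv1"},
    "SSLv3": {"SSLv3", "TLSv1"},
}


def enabled_protocols(connector):
    """Return the set of protocols a connector will accept under the rules above."""
    explicit = connector.get("sslEnabledProtocols")
    if explicit:
        # An explicit list wins regardless of sslProtocol (the "confusing but legal" case).
        return {p.strip() for p in explicit.split(",") if p.strip()}
    ssl_protocol = connector.get("sslProtocol", "TLS")  # assumed Tomcat default: "TLS"
    if ssl_protocol not in DEFAULTS_BY_SSL_PROTOCOL:
        raise ValueError(f"unsupported sslProtocol {ssl_protocol!r} (e.g. SSLv2 won't work)")
    return set(DEFAULTS_BY_SSL_PROTOCOL[ssl_protocol])


def lint_server_xml(xml_text, required=frozenset({"TLSv1.1"})):
    """Map each SSL-enabled connector port to the protocols it accepts beyond `required`."""
    root = ET.fromstring(xml_text)
    findings = {}
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors do not terminate TLS
        findings[c.get("port")] = sorted(enabled_protocols(c) - required)
    return findings


# Constructed fragment: port 8443 mirrors the original poster's attempt, 8444 the fix.
SAMPLE = """<Server><Service>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.1" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1" />
</Service></Server>"""

if __name__ == "__main__":
    for port, extra in lint_server_xml(SAMPLE).items():
        print(port, "still accepts:", extra or "nothing beyond TLSv1.1")
```

Running it shows port 8443 still accepting SSLv3 and TLSv1, which is exactly why sslProtocol="TLSv1.1" alone did not stop TLS 1.0 connections.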