Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connection with Tomcat server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but that did not stop TLS 1.0 connections from being accepted. I am not using OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be able to allow only TLS 1.1 connections with https? Please let me know how to do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols are enabled by default, e.g. for Oracle JDK 7:

1) setProtocol="TLS" will enable SSLv3 and TLSv1
2) setProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLS v1.2
3) setProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) setProtocol="TLSv1" will enable SSLv3 and TLSv1
5) setProtocol="SSL" will enable SSLv3 and TLSv1
6) setProtocol="SSLv3" will enable SSLv3 and TLSv1
7) setProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may enable it by specifying sslEnabledProtocols parameter. E.g. sslProtocol="SSL" sslEnabledProtocols="TLSv1.1" is somewhat confusing, but perfectly legal.

-Ognjen
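
The difference between the two settings can be checked directly against JSSE. The program below is an added example, not part of the original message and not Tomcat code: it prints the protocols each SSLContext name enables by default on a server-mode SSLEngine, then narrows the list to TLSv1.1 with setEnabledProtocols(), the JSSE call that corresponds to sslEnabledProtocols. The class name is hypothetical, and the output depends on the JDK version and its jdk.tls.disabledAlgorithms security property, so it will not match the JDK 7 list above on a current JDK.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical class name; added example, not code from Tomcat or the thread.
public class JsseProtocolCheck {

    // Build a server-mode engine from a context created with the given
    // protocol name. No key material is loaded and no handshake is performed.
    static SSLEngine serverEngine(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Context names taken from the list in the message above.
        String[] names = {"TLS", "TLSv1.2", "TLSv1.1", "TLSv1", "SSL", "SSLv3", "SSLv2"};
        for (String name : names) {
            try {
                String[] enabled = serverEngine(name).getEnabledProtocols();
                System.out.printf("%-8s enabled by default: %s%n", name, Arrays.toString(enabled));
            } catch (NoSuchAlgorithmException e) {
                System.out.printf("%-8s not available on this JDK%n", name);
            }
        }

        // The context name only selects defaults; the explicit list decides
        // what the endpoint will negotiate.
        SSLEngine restricted = serverEngine("TLS");
        System.out.println("supported:          " + Arrays.toString(restricted.getSupportedProtocols()));
        try {
            restricted.setEnabledProtocols(new String[] {"TLSv1.1"});
            System.out.println("after restriction:  " + Arrays.toString(restricted.getEnabledProtocols()));
        } catch (IllegalArgumentException e) {
            // Thrown when the requested protocol is not supported by this JDK.
            System.out.println("TLSv1.1 is not supported here: " + e.getMessage());
        }
    }
}
```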