From: Ognjen Blagojevic
To: users@tomcat.apache.org
Date: Wed, 06 Mar 2013 09:51:20 +0100
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?
Message-ID: <51370388.5080607@gmail.com>
In-Reply-To: <5136DC0C.8090008@christopherschultz.net>

Chris,

On 6.3.2013 7:02, Christopher Schultz wrote:
>> So in
>> Tomcat 7 you might use:
>>
>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>
>> and in Tomcat 6.0.32:
>>
>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>
>>
>> It works for me.
>
> Can you file a bug for this? That should be a) documented and b)
> accept either "protocol" or "sslEnabledProtocols" to make it line-up
> with Tomcat 7.0.

Sure, I will. But, before I do, I just want to point out another issue here:

Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and Tomcat 7.0.37 come pre-configured -- enables different groups of protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable SSLv3 and TLSv1.

This is counter-intuitive and might introduce problems when upgrading from Tomcat 6 to Tomcat 7. Which behavior is right?

I prefer how Tomcat 6 is interpreting that attribute -- trying to enable the best possible TLS protocol versions available. OTOH, from Tomcat 7 documents it seems that the value of attribute setProtocol is just passed to JSSE when creating SSLContext.
I assume that Tomcat 6 did some pre-processing before passing that attribute to SSLContext.

WDYT?

-Ognjen
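The thread above turns on the difference between two knobs: the protocol name handed to JSSE when the SSLContext is created (Tomcat's sslProtocol attribute) and the list of protocols actually enabled on the engine or socket (sslEnabledProtocols in Tomcat 7, protocols in Tomcat 6.0.32+). The program below is an added example, not code from this thread or from Tomcat; it uses only the public JSSE API to show what each context name enables by default on the running JRE and how a connector-style "only TLSv1.1" policy is applied and checked. The class and method names are mine. Note that JREs since 8u291 and 11.0.11 list TLSv1 and TLSv1.1 in the jdk.tls.disabledAlgorithms security property, so on such a JRE the restricted engine will report the request as unsupported unless that property is changed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/*
 * Added example (hypothetical class, not part of Tomcat or the thread).
 * 1. SSLContext.getInstance(name) is what the sslProtocol attribute feeds.
 * 2. setEnabledProtocols(...) is what sslEnabledProtocols / protocols control.
 * Printed lists depend on the JRE and its java.security settings.
 */
public class TlsProtocolCheck {

    /** Protocols a context created with the given name enables by default. */
    static String[] defaultEnabled(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);   // default key/trust managers suffice for inspection
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    /** Everything the provider could enable, regardless of context name. */
    static String[] supported(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    /**
     * What a connector must do to honour an "only these protocols" policy:
     * intersect the requested list with what the provider supports, apply it
     * to a server-mode engine, and fail loudly instead of silently running
     * with a different protocol set than the operator configured.
     */
    static SSLEngine restrict(SSLContext ctx, String... wanted) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        TreeSet<String> available = new TreeSet<>(Arrays.asList(engine.getSupportedProtocols()));
        List<String> enable = new ArrayList<>();
        for (String p : wanted) {
            if (available.contains(p)) {
                enable.add(p);
            } else {
                System.err.println("requested protocol not supported by this JRE: " + p);
            }
        }
        if (enable.isEmpty()) {
            throw new IllegalStateException("none of the requested protocols is available");
        }
        engine.setEnabledProtocols(enable.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // The context names the thread compares: "TLS" versus an explicit version.
        for (String name : new String[] {"TLS", "TLSv1", "TLSv1.1", "TLSv1.2"}) {
            System.out.println(name + " -> default enabled: "
                    + Arrays.toString(defaultEnabled(name)));
        }
        System.out.println("supported by provider: " + Arrays.toString(supported("TLS")));

        // Equivalent of sslProtocol="TLSv1.1" plus sslEnabledProtocols="TLSv1.1".
        SSLContext ctx = SSLContext.getInstance("TLSv1.1");
        ctx.init(null, null, null);
        SSLEngine engine = restrict(ctx, "TLSv1.1");
        System.out.println("engine enabled after restrict: "
                + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Whatever the attributes are set to, the configuration should be confirmed from outside the JVM after a restart: a handshake attempt with `openssl s_client -connect host:8443 -tls1_1` should succeed while the same command with `-tls1` or `-ssl3` should be refused, which is the check that distinguishes "the context name was accepted" from "only the intended version is negotiable".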