tomcat-users mailing list archives

From Amos Anderson <amos.ander...@protabit.com>
Subject Does APR/tomcat-native support TLS 1.2?
Date Tue, 02 Sep 2014 17:34:05 GMT
Hello Tomcat Users --

I posted this question elsewhere yesterday and then realized I should have sent it to this
mailing list.


I'm trying to configure tomcat7 to support TLS 1.2 (which was released 6 years ago). I can
get TLS 1.0 to work, but NIST [says][1] that I "shall not" use TLS 1.0. I know I can use JSSE
instead to get TLS 1.2, but why can't I get APR to support it? A few online guides I've read
recommend APR over JSSE, it looks like I get better ciphers out of the box with APR/OpenSSL
than JSSE, and I can use cipher suites with OpenSSL so it seems easier to maintain.

According to [this][2] bug report it might be available with a patch, but I'd have guessed
it would be standard by now. Is there some other gratis way of getting OpenSSL in tomcat,
or is it simply the case that there's insufficient interest in tomcat native for security purposes?

For reference, I've got Tomcat 7.0.55 and tomcat-native 1.1.30. I don't get any warning during
startup, and I know I'm only getting TLS 1.0 because that's what clicking the lock in my
browser tells me and [Qualys SSL Labs][3] says TLS 1.2 is not available on my server. My connector
is:

    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
    ...
    SSLProtocol="TLSv1"/>

And note that `TLSv1` is the [only][4] TLS value allowed for `SSLProtocol`. Following `mod_ssl`'s
`SSLProtocol`, I tried `TLSv1.2` but that drew an exception. Unfortunately, I can't find any
discussion of this online.


Thanks!
Amos.
  [1]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
  [2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
  [3]: https://www.ssllabs.com/ssltest/index.html
  [4]: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
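A configuration check in the spirit of the question above, added here as an example (not code from the poster or from the Tomcat project): it walks a server.xml and reports, for each SSL-enabled Connector, whether the APR `SSLProtocol` or JSSE `sslEnabledProtocols` attribute asks for TLS 1.2. The attribute semantics it assumes come from the Tomcat 7 connector documentation, and the sample server.xml is constructed.

```python
"""Audit a Tomcat 7 server.xml for HTTPS connectors not configured for TLS 1.2.

Added example, not code from the original post or from the Tomcat project.
Assumed attribute semantics (from the Tomcat 7 connector documentation):
  - APR/native connectors use SSLProtocol, "+"-joined values such as "TLSv1" or "all";
  - JSSE connectors use sslEnabledProtocols, a comma-separated list such as "TLSv1,TLSv1.2".
A "yes" only means the configuration asks for TLS 1.2; what the server actually
negotiates still has to be checked against the running instance.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the connector in the post, plus two others for comparison.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11AprProtocol" SSLProtocol="TLSv1"/>
  <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11AprProtocol" SSLProtocol="all"/>
  <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""


def tls12_verdict(conn):
    """Classify one <Connector>: 'yes', 'no', or a reason the config alone cannot tell."""
    if "SSLProtocol" in conn.attrib:                       # APR/native style attribute
        value = conn.attrib["SSLProtocol"]
        if value.lower() == "all":
            return "depends on the tomcat-native/OpenSSL build"
        return "yes" if "TLSv1.2" in value.split("+") else "no"
    if "sslEnabledProtocols" in conn.attrib:               # JSSE style attribute
        enabled = [p.strip() for p in conn.attrib["sslEnabledProtocols"].split(",")]
        return "yes" if "TLSv1.2" in enabled else "no"
    return "JVM default (not pinned in server.xml)"


def audit(server_xml):
    """Return (port, verdict) for every SSL-enabled Connector in the server.xml text."""
    root = ET.fromstring(server_xml)
    return [(conn.get("port"), tls12_verdict(conn))
            for conn in root.iter("Connector")
            if conn.get("SSLEnabled", "false").lower() == "true"]


if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_SERVER_XML):
        print(f"port {port}: TLS 1.2 configured? {verdict}")
```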