tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat 6 APR SSL Issue
Date Fri, 17 Oct 2014 17:22:50 GMT

On 10/14/14 2:16 PM, James Drews wrote:
> Hi, I have a question that may be a bug, or I'm just not doing
> something right (I'll happily believe either).
>
> Configuration: Tomcat 6.0 running on Windows Server. The
> tcnative-1.dll is the latest from the download site.
>
> Item #1
> In our tomcat server.xml config, we have:
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
>           SSLEngine="on" />
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxHttpHeaderSize="8192" scheme="https" secure="true"
>            SSLEnabled="true" SSLDisableCompression="true"
>            SSLHonorCipherOrder="true" SSLProtocol="TLSv1+SSLv3"
>            SSLCertificateFile="certificate.crt"
>            SSLCertificateKeyFile="certificate.key"
>            SSLCertificateChainFile="chain.crt" />
>
> The issue here is tomcat is only binding to the IPv4 ( address, and
> not binding to the IPv6 on the box. If I add an address="" and then
> duplicate this connector and replace the address option with
> address="::", it binds to both IPv4 and IPv6 as expected. However,
> tomcat will no longer stop when you try to stop the windows service.
> I have to kill the process to get it to stop. If I only have one or
> the other of the two connectors present, it will stop as expected.
>
> Also of note, if I used
> protocol="org.apache.coyote.http11.Http11Protocol" instead, it would
> bind to both IPv4 and IPv6 as expected when no address option is
> specified (but that method won't take some of the options we want to
> have set).

Check the archives; I seem to recall some oddities when it comes to
APR's use of network interfaces.

> Issue #2
> We would like to have it use: SSLProtocol="TLSv1" but when you have
> just that as the option, it will only talk TLS v1.0, not TLSv1.1 or
> TLSv1.2. Looking briefly at the source code, it looks like you only
> have the option to specify a combination of TLSv1, SSLv2 and SSLv3.
> If we use the option as specified above (TLSv1+SSLv3), it will do
> all three TLS versions and SSLv3.
> Is there a way to get it to do TLS and all three versions of it?

Unfortunately, TLSv1.1 and TLSv1.2 will not be supported until you
have both tcnative 1.1.32 and a Tomcat version that supports the
changes. There is not yet a patch for Tomcat 6 for this, while patches
have been committed for Tomcat 7 and Tomcat 8.

I'm working on a Tomcat 6 patch.

> Also, with SSLv2 not specified, it will still accept that
> protocol, but in the end will fail because no encryption methods
> for it are enabled. Is there a way to have it refuse to talk SSLv2
> from the start?

Usually, SSLv2Hello is used to allow an SSLv2 connection to be
established. This is generally safe (well, until we all decided that
SSLv3 was rubbish).

Once the above updates are released, you will be able to select the
exact set of protocols you want. You should be able to specify
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" and get all the TLSs and no SSLs.
(Also, the definition for "all" has been updated to be "all TLSs and
no SSLs" so you could use that, too).

-chris
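The thread turns on two things a defender wants to catch in a server.xml review: an SSLProtocol value that still admits SSLv3 (or a lone "TLSv1", which on the tcnative builds discussed here means TLS 1.0 only), and the duplicated IPv4/IPv6 connector pair that made the Windows service hang on shutdown. The script below is an added audit for exactly those two patterns; it is not code from this thread or from Tomcat. It encodes only the token semantics stated in the messages above ('+'-separated values, SSLv2/SSLv3 tokens, "all" meaning SSL-inclusive before the tcnative 1.1.32 update), and the sample server.xml it runs on is constructed for the example.

```python
"""Audit SSLProtocol settings and duplicated HTTPS ports in a Tomcat server.xml.

Added example for this thread, not code from the thread or from Tomcat.
Token semantics follow what the thread states: SSLProtocol is a '+'-separated
list; SSLv2/SSLv3 tokens enable SSL; a lone "TLSv1" on the tcnative builds
discussed means TLS 1.0 only; "all" still included SSLv3 before the update.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample server.xml: the thread's connector pattern (dual-stack
# workaround, TLSv1+SSLv3), a TLSv1-only connector, and a TLS-only connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="443" address="0.0.0.0"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+SSLv3" SSLHonorCipherOrder="true" />
    <Connector port="443" address="::"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLProtocol="TLSv1+SSLv3" SSLHonorCipherOrder="true" />
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="TLSv1" />
    <Connector port="9443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
  </Service>
</Server>
"""

SSL_TOKENS = {"SSLv2", "SSLv3"}
TLS_TOKENS = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_protocols(value):
    """Split an SSLProtocol attribute value into its '+'-separated tokens."""
    return [t.strip() for t in value.split("+") if t.strip()]


def audit_connector(attrs):
    """Return finding strings for one Connector's attribute dict.

    Connectors without SSLEnabled="true" are plain HTTP and yield nothing.
    """
    findings = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return findings
    where = "port %s" % attrs.get("port", "?")
    if "address" in attrs:
        where += " (%s)" % attrs["address"]
    # Tomcat's APR connector treats a missing SSLProtocol as "all".
    tokens = parse_protocols(attrs.get("SSLProtocol", "all"))
    for tok in tokens:
        if tok in SSL_TOKENS:
            findings.append("%s: SSLProtocol enables %s" % (where, tok))
        elif tok != "all" and tok not in TLS_TOKENS:
            findings.append("%s: unknown SSLProtocol token %r" % (where, tok))
    if tokens == ["TLSv1"]:
        findings.append('%s: SSLProtocol="TLSv1" negotiates TLS 1.0 only on the '
                        "tcnative builds discussed in the thread" % where)
    if "all" in tokens:
        findings.append('%s: SSLProtocol="all" includes SSLv3 before the tcnative '
                        "1.1.32 update; pin explicit TLS versions" % where)
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector in a server.xml document and return all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    by_port = defaultdict(list)
    for conn in root.iter("Connector"):
        attrs = dict(conn.attrib)
        findings.extend(audit_connector(attrs))
        if attrs.get("SSLEnabled", "false").lower() == "true":
            by_port[attrs.get("port", "?")].append(attrs.get("address", "<any>"))
    # The same port bound by two connectors with different addresses is the
    # IPv4/IPv6 workaround from the thread, which hung service shutdown.
    for port, addresses in by_port.items():
        if len(addresses) > 1:
            findings.append("port %s: %d connectors on one port (%s); dual-stack "
                            "workaround noted in the thread"
                            % (port, len(addresses), ", ".join(addresses)))
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

Point `audit_server_xml` at the text of a real server.xml to review it; the 9443 connector in the sample, with an explicit TLSv1+TLSv1.1+TLSv1.2 list, is the shape the thread says becomes available once tcnative 1.1.32 and the matching Tomcat change are in place, and it produces no findings.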