tomcat-users mailing list archives

From Utkarsh Dave <utkarshkd...@gmail.com>
Subject Re: Unable to disable SSL in Tomcat 6 !
Date Sat, 01 Nov 2014 19:33:47 GMT
Hi Chris,

Thanks for the response. I am testing using the steps below.

From another machine I am running this command:

openssl s_client -ssl3 -msg -connect <HOST>:<PORT>



HOST is the server IP (the server where SSL actually needs to be
disabled and server.xml is modified with sslProtocols="TLSv1")

PORT is 8443 (tomcat)


If the above command results in failure, it means SSL is disabled.

How can I know if my JVM recognizes the particular protocol string?

-Thanks
Utkarsh

On Sat, Nov 1, 2014 at 12:52 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Utkarsh,
>
> On 10/31/14 11:52 AM, Utkarsh Dave wrote:
> > Nothing helped much. Please let me know how I can disable SSL in
> > Tomcat 6.0.37.
> >
> > I tried the below configuration in server.xml on Tomcat 6.0.37
> >
> > <Connector port="8443"
> > protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
> > SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
> > sslProtocols = "TLSv1"
> >
> > The same with sslEnabledProtocols instead of sslProtocols worked
> > for Tomcat 7. I am also following solution at
> > https://access.redhat.com/solutions/1232233
>
> The configuration attributes "protocols", "sslProtocols", and
> "sslEnabledProtocols" are all equivalent in Tomcat 6.0.38 and later.
> Before Tomcat 6.0.38, "protocols" and "sslProtocols" are equivalent.
>
> So it shouldn't really matter which one you use. But since you are
> using 6.0.37, then you definitely can't use "sslEnabledProtocols".
>
> So.. what's the problem? With the above configuration, what protocols
> end up being enabled? How are you performing your testing?
>
> You are using the Java BIO connector so it's using JSSE for crypto.
> Those settings you have should work. The default for "sslProtocol" is
> "TLS" which should get you pretty much everything, and restricting
> sslProtocols to "TLSv1" should get you only TLSv1, as long as your JVM
> recognizes that particular protocol string.
>
> -chris
>
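
Added example, not part of the original message or of Tomcat's code: one way to find out whether a JVM recognizes a protocol string is to ask its JSSE provider directly and then try the string on an unbound JSSE server socket. The class name JsseProtocolCheck is hypothetical; run it with the same JVM that runs Tomcat, passing the protocol names to check as arguments (it defaults to the TLSv1 value from the server.xml above).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.util.Arrays;
import java.util.List;

// Hypothetical helper class (not Tomcat code): reports which protocol strings
// the JVM's JSSE provider knows and whether the requested ones are accepted.
public class JsseProtocolCheck {
    public static void main(String[] args) throws Exception {
        // Protocol names to test; the default mirrors sslProtocols="TLSv1" from the thread.
        String[] requested = args.length > 0 ? args : new String[] {"TLSv1"};

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default managers; no keystore is needed for this check

        // Every protocol string this JVM's provider recognizes.
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        System.out.println("Supported by this JVM: " + supported);
        System.out.println("Enabled by default:    "
                + Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));

        for (String p : requested) {
            System.out.println(p + " recognized: " + supported.contains(p));
        }

        // Apply the requested list to an unbound server socket. JSSE throws
        // IllegalArgumentException if any name in the list is not supported.
        SSLServerSocket ss =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
        try {
            ss.setEnabledProtocols(requested);
            System.out.println("Server socket now enables: "
                    + Arrays.asList(ss.getEnabledProtocols()));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected by JSSE: " + e.getMessage());
        } finally {
            ss.close();
        }
    }
}
```

On newer JDKs a protocol can be listed as supported and still be blocked by the jdk.tls.disabledAlgorithms security property, so a handshake test such as the openssl s_client check above remains the final confirmation.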
