tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Savard <>
Subject Re: Configuring Tomcat to support TLSv1.2
Date Wed, 22 Jun 2016 04:59:00 GMT
2016-06-21 19:08 GMT-04:00 Joleen Barker <>:

> Hello Daniel,
> Thank you for your replies.
> Yes, I have the Java build 1.7.0_71 installed and I have the Unlimited
> security package installed as the application from the vendor requires it.
> Ok, you say never to edit the catalina,sh. I can change it back. The
> settings originally was SSL_VERSION="-Dhttps.protocol=TLSv1"
I believe this is not from the original version of the file. I have no
longer any Tomcat 7 installed to check this, however if I am checking my
Tomcat 8, there is no SSL_VERSION environment variable
anywhere. If you are having an already modified, it will be
difficult to provide any meaningful guidance.

> Why is it set for only one version in the what is having this
> set to one version limiting us to?
It seems your has already been modified by someone else. This
doesn't look like the vanilla version of the file.

> Our connector has this set in it:
> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
> Is this all we need to allow TLSv1.2 clients to come in and for Tomcat
> acting as a client to go out as TLSv1.2?

You didn't provide enough details about your connector, so, read this page:

I assume you are configuring a NIO or BIO connector, then sslProtocol="TLS"
is the only needed attribute to support TLSv1, TLSv1.1 and TLSv1.2. The
sslEnabledProtocols attribute is not necessary since it overalps with
sslProtocol attribute. Note if you do not specify this attribute it
defaults to TLS anyway.

If you read the documentation page above, you will see the sslProtocol
attribute is actually passing the value to Java 7. That's why there is no
need to temper with the to try to set this for Java before
hand. The proper way to configure Tomcat is to modify files in the conf
directory only. Playing with files in bin and lib is not a recommended

Daniel Savard

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message