tomcat-users mailing list archives

From "Kreuser, Peter" <>
Subject AW: Tomcat 8 HTTPS issue with old browser
Date Tue, 04 Oct 2016 09:23:52 GMT

> The requirement for HTTPS is only a recent requirement and the application is now heavily dependent on Java 8. At this point I don’t know just how old a version of Tomcat I would need to make it work and I would have to make significant changes to the code in order to make it Java 6/7 compliant.
> Thanks for the suggestion though.
> Dave
> > On 4 Oct 2016, at 08:48, André Warnier (tomcat) <> wrote:
> > 
> > On 04.10.2016 09:38, Garratt, Dave wrote:
> >> I have Apache Tomcat 8 working ok with https when I connect to my web page using a recent browser (desktop) or iPhone for example. However this specific application is designed to run on a Motorola MC9090 hand held wireless barcode scanner running a relatively old version of Windows Mobile. The browser on that device can only load the HTTP page and not the HTTPS page, giving an “unable to open page” message. Speaking to an “expert” on these scanners, the consensus of opinion is that the type of encryption used by Apache Tomcat 8 is more up to date than the mobile device’s browser can support. As it does not appear likely that the mobile devices are going to be updated any time soon I was wondering if it’s possible to force Tomcat to accept deprecated protocols rather than be forced to revert to plain HTTP.
> >> 
> >> Any ideas or ideally an example of how this might look in a config file would be most appreciated.
> >> 
> >> 
> > 
> > Naive question: if you are dealing anyway with old devices that cannot be replaced by new devices, then why do you not just keep using the correspondingly old version of tomcat and of the JVM?
> > 
> > 
> >

In my opinion, weakening the security of the majority of users (there are seemingly others)
is a pretty bad thing to do. My suggestion would be a different connector on a separate port
for the handhelds. Configure this either on HTTP or with a specific supported SSL protocol and
ciphers. It would probably mean reconfiguring the handhelds and adding a hole in the firewall
for the new port, but that could be restricted to the location/subnet of the handhelds.
You will need to get an exemption from the HTTPS requirement for the handhelds anyway, so
that may be a way to get a compensating control.

Best regards
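
The separate-connector layout suggested in the reply above, sketched as a `server.xml` fragment using the Connector attributes of Tomcat 8.0. This is an added example, not part of the original message; the ports, keystore path and password, the handheld subnet (10.20.30.x), and the legacy protocol and cipher are assumptions to replace with whatever the scanners are found to support.

```xml
<!-- conf/server.xml (fragment). Added example: every port, path, subnet,
     protocol and cipher below is an assumption, not a value from the thread. -->
<Service name="Catalina">

  <!-- Main HTTPS connector for desktop browsers and phones.
       Stays on current protocol and cipher settings. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/keystore.jks" keystorePass="changeit"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" />

  <!-- Second connector on its own port, used only by the handhelds.
       The older protocol and cipher are enabled here and nowhere else.
       "TLSv1" and the cipher are placeholders: enable only what the
       scanner browser is confirmed to negotiate. -->
  <Connector port="8444"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/keystore.jks" keystorePass="changeit"
             sslEnabledProtocols="TLSv1"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" />

  <Engine name="Catalina" defaultHost="localhost">

    <!-- Application-level backstop for the firewall rule.
         With addConnectorPort="true" the valve matches "ADDRESS;PORT":
         any client may use 8443, only the handheld subnet may use 8444.
         Everything else is rejected by the valve. -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           addConnectorPort="true"
           allow=".*;8443|10\.20\.30\.\d+;8444" />

    <Host name="localhost" appBase="webapps"
          unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

The firewall rule restricting port 8444 to the handheld subnet remains the primary control; the valve only ensures a client outside that subnet is refused even if the port becomes reachable.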


