tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat Version 7.0.34 + jdk 1.6 is not supporting TLS Protocol TLS1.2
Date Wed, 18 Jan 2017 15:10:16 GMT

Dhanesh,

On 1/18/17 6:03 AM, dhanesh1212121212 wrote:
> Thanks for the support. This meets our requirement. We are going
> with stable java 1.8 version (default TLSv1.2) which has support
> for tomcat 7.0.34 + TLSv1.2.

I would recommend upgrading to Tomcat 8.0.x or Tomcat 8.5.x if you are
going to go through a whole round of testing anyway.

> I need one more piece of information. The question is below.
> 
> Suppose my web server (Apache) and application (Tomcat) are using
> the TLS1.2 protocol and some other web server with TLSv1.0 or TLSv1.1
> is passing a request to our server.

In that case, the "some other web server" is considered the client.

> Will the response be 200 OK without any SSL secure negotiation
> error?

That depends upon how you configure your server. If you want to accept
*only* TLSv1.2, then a client attempting to contact your server using
TLSv1 or TLSv1.1 will fail to connect. They will not get an HTTP
response. Instead, they'll get a TLS handshake failure.

> Will all requests from client (browser) to server happen
> without any error?

As long as your clients support the protocols your server does, you
should be fine. Most of the world has abandoned SSLv3 at this point,
and so should you. Most of the world now supports TLSv1.2, and so
should you.

The only question is whether or not it is safe for you to disable
TLSv1 and TLSv1.1, and whether or not you actually want to do that. Do
you have a specific reason to disable TLSv1 and TLSv1.1? If not, leave
them enabled and you will reach the widest audience that is currently
reasonable. If you want to be as super-secure as you think you can be,
disable everything except TLSv1.2.

-chris

> On Fri, Dec 16, 2016 at 12:39 PM, <Frank.Pientka@materna.de>
> wrote:
> 
>> This was a typo, no plans for tls 1.3 in java yet
>> 
>> -----Original Message-----
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Sent: Thursday, 15 December 2016 22:36
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Tomcat Version 7.0.34 + jdk 1.6 is not supporting TLS Protocol TLS1.2
>> 
> Frank,
> 
> On 12/15/16 10:19 AM, Frank.Pientka@materna.de wrote:
>>>> Q1  use recent java8 Version if you want secure TLS 1.3
>>>> choose right cipher.
> 
> That might have been a typo, but I wanted to be clear that Java 8
> doesn't support TLSv1.3.
> 
> TLSv1.3 is still in a draft state, and is not widely-deployed.
> 
> -chris
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
>> 
> 

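The server-side choice discussed in the reply above, shown as an added example that is not part of the original message or of the Tomcat project's documentation. It assumes a JSSE (NIO) connector in `conf/server.xml` on the Java 1.8 runtime the thread settles on; the port, keystore path and password are placeholders.

```xml
<!-- Added example: two alternative HTTPS connectors. Use one of them, not both. -->
<!-- port, keystoreFile and keystorePass are placeholder values. -->

<!-- Variant A: TLSv1.2 only.
     A client that can only speak TLSv1 or TLSv1.1 gets a TLS handshake
     failure and never receives an HTTP response. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="CHANGE_ME"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />

<!-- Variant B: TLSv1, TLSv1.1 and TLSv1.2 enabled for the widest client reach.
     SSLv3 stays disabled because it is not in the list. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="CHANGE_ME"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
```

With Apache httpd in front of Tomcat, the protocol seen by outside clients is decided where TLS terminates, so the same choice has to be made in that layer's configuration as well.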