tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TLS protocols and cipher suites available under JSSE?
Date Fri, 15 Mar 2019 14:02:00 GMT

James,

On 3/13/19 20:38, James H. H. Lampert wrote:
> Thanks, Mr. Schultz.
> 
> I managed to find the IBM docs. At least some of the cipher suites
> the customer is talking about are supported all the way back to
> their 7.0 JVM.
> 
> I've specified cipher suites by name in the connector, but I don't
> think I've done protocols. "TLS," according to the IBM docs,
> "Enables TLS v1.0 protocol (defined in RFC 2246). Accepts TLSv1
> hello encapsulated in an SSLv2 format hello."
> 
> Sounds like I would need to enable TLSv1.1 and TLSv1.2 explicitly.
> Would I change the sslProtocol clause from
>> sslProtocol="TLS"
> 
> to
>> sslProtocol="TLSv1.1,TLSv1.2"
> or even
>> sslProtocol="TLSv1.2"
> 
> and specify acceptable cipher suites in the ciphers clause?

Specifying sslProtocol="TLS" is what you want, regardless of the
actual protocols you want to support. It's ... odd, but you have to
tell Java that you want "TLS" (generically) before you can tell it
what /kind/ of TLS you want. I believe that Java will never accept any
value other than "TLS" for that at this point. So you are left with
sslEnabledProtocols...

If you want to configure specific versions of TLS, this is where to do it:

sslEnabledProtocols="TLSv1.2, TLSv1.1, SSLv2Hello" (etc)

If you can tolerate it, I'd enable only TLSv1.2. Some clients still
require TLSv1. Virtually all clients supporting TLSv1.1 also support
TLSv1.2, so it's almost useless to enable TLSv1.1.

- -chris
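A conf/server.xml connector fragment, added here as an illustration and not taken from the thread, that puts the two attributes Chris describes together: the generic sslProtocol="TLS" that JSSE insists on, with the actual version selection done in sslEnabledProtocols. The keystore path and password are placeholders, and the ciphers list is an assumed ECDHE/AES-GCM set rather than anything the thread specifies.

```xml
<!-- Added example, not from the mailing-list message.
     Connector-level JSSE attributes as used in the thread (Tomcat 7/8 style).

     sslProtocol         : must stay "TLS"; Java treats this as the generic
                           protocol family, not a version choice.
     sslEnabledProtocols : the real per-version switch. "TLSv1.2" alone is
                           the recommended setting; add "TLSv1" only if you
                           still have clients that cannot do anything newer,
                           and leave out "SSLv2Hello" unless you need it.
     ciphers             : explicit suite list (assumed values; JSSE names).
     keystoreFile/Pass   : placeholders, replace with your own. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME-placeholder"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
```

After a restart, confirm the result from a client rather than trusting the file: a TLSv1.1-only handshake against port 8443 should be refused while a TLSv1.2 handshake succeeds, and the negotiated suite should be one of those listed.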
