-----Original Message-----
From: Ognjen Blagojevic [mailto:ognjen.d.blagoje...@gmail.com] 
Sent: 05 March 2013 13:59
To: users@tomcat.apache.org
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with https ?

Brijesh,

On 5.3.2013 7:09, Brijesh Deo wrote:
> Is there a way to make TLS 1.1 required for https connection with Tomcat 
> server. I am currently on Tomcat 6.0.32 with JRE 1.7 on Windows 7. I tried 
> setting [sslProtocol="TLSv1.1"] in the Connector definition in server.xml but 
> that did not stop TLS 1.0 connections from being accepted. I am not using 
> OpenSSL and instead using JSSE as the TLS provider.
> Is it possible to do it this way? Or do I need to upgrade to Tomcat 7.0 to be 
> able to allow only TLS 1.1 connections with https? Please let me know how to 
> do this.

HTTPS connector parameter sslProtocol defines which SSL/TLS protocols 
are enabled by default, e.g. for Oracle JDK 7:

1) sslProtocol="TLS" will enable SSLv3 and TLSv1
2) sslProtocol="TLSv1.2" will enable SSLv3, TLSv1, TLSv1.1 and TLSv1.2
3) sslProtocol="TLSv1.1" will enable SSLv3, TLSv1, and TLSv1.1
4) sslProtocol="TLSv1" will enable SSLv3 and TLSv1
5) sslProtocol="SSL" will enable SSLv3 and TLSv1
6) sslProtocol="SSLv3" will enable SSLv3 and TLSv1
7) sslProtocol="SSLv2" won't work

So, in order to restrict available protocols only to TLSv1.1, you need 
to add parameter sslEnabledProtocols="TLSv1.1" to your connector.

Note that even if some protocol is not enabled by default, you may 
enable it by specifying sslEnabledProtocols parameter. E.g.

   sslProtocol="SSL" sslEnabledProtocols="TLSv1.1"

is somewhat confusing, but perfectly legal.

-Ognjen
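As an added illustration of the configuration Ognjen describes (this fragment is not from the thread and not Tomcat's own documentation), here is a JSSE HTTPS connector for a Tomcat 7.0 server.xml that keeps sslProtocol at its usual value and restricts the handshake to TLSv1.1 through sslEnabledProtocols. The port, keystore path and password are placeholders you would replace with your own:

```xml
<!-- Added example connector (not from the mailing-list thread).
     sslProtocol selects the JSSE SSLContext; sslEnabledProtocols is what
     actually limits which protocol versions the server will negotiate.
     Keystore file and password below are placeholders. -->
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit" />
```

After restarting Tomcat, confirm the restriction from a client rather than trusting the config alone: `openssl s_client -connect yourhost:8443 -tls1` should fail to complete the handshake, while `openssl s_client -connect yourhost:8443 -tls1_1` should succeed. If the TLS 1.0 probe still connects, the attribute is being ignored, which is the symptom to expect on a Tomcat version whose connector does not support sslEnabledProtocols.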

Hi Ognjen,
Thanks for your detailed reply and the explanation. I gave it a quick try but 
it doesn’t quite work with Tomcat 6.0.32, the version that I am currently 
using. I checked the Http Connector documentation for Tomcat 6.0 and Tomcat 7.0 
and the attribute "sslEnabledProtocols" is supported in Tomcat 7.0 but not in 
Tomcat 6.0. Is there a way I could achieve this with Tomcat 6.0.32? Please let 
me know.

Thanks,
Brijesh

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org