Thanks a lot Ognjen for looking into this so extensively. I think I had tried 
this combination - sslProtocol="SSL" and protocols="TLSv1.1". I will try again 
with both being "TLSv1.1" and then I think it would work.

Thanks again,
Brijesh


Sent from Samsung Mobile



-------- Original message --------
From: Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> 
Date: 05/03/2013 20:00 (GMT+05:30) 
To: Tomcat Users List <users@tomcat.apache.org> 
Subject: Re: How to allow only TLS 1.1 connections to Tomcat (6.0) server with 
https ? 

Brijesh,

On 5.3.2013 11:47, Brijesh Deo wrote:
> Thanks Ognjen. I tried with -Dhttps.protocols="TLSv1.1" in Tomcat startup but 
> even this doesn’t work with Tomcat 6.0. Looks like upgrading to Tomcat 7.0 
> seems to be the only way to achieve this easily through configuration in 
> server.xml.

That was strange, so I started looking where Tomcat 6.0.32 sets enabled 
protocols. Here it is (JSSESocketFactory.java, lines 789-791):

   String requestedProtocols = (String) attributes.get("protocols");
   setEnabledProtocols(socket, getEnabledProtocols(socket,
       requestedProtocols));

It seems that Tomcat 6.0.32 (and probably other 6.0.xx versions) use 
undocumented attribute for HTTPS connector "protocols". So in Tomcat 7 
you might use:

   sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"

and in Tomcat 6.0.32:

   sslProtocol="TLSv1.1" protocols="TLSv1.1"


It works for me.

-Ognjen


I tried and it works for me too with [sslProtocol="TLSv1.1" 
protocols="TLSv1.1"] in the connector definition in server.xml. Thanks a lot.

Regards,
Brijesh
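As an added example (not code from the thread or from the Tomcat project), here is a small offline audit of a server.xml that checks whether each SSL-enabled Connector actually pins its enabled protocol list, using the attribute names from Ognjen's reply: sslEnabledProtocols for Tomcat 7 and the undocumented protocols attribute for Tomcat 6.0.32. The sample server.xml embedded below is constructed for illustration, and the set of protocol names treated as weak is an assumed policy matching the thread's goal of "TLSv1.1 only".

```python
"""Audit a Tomcat server.xml for HTTPS connectors that leave the TLS
protocol list open.  Added example; the sample server.xml and the weak-protocol
policy are constructed assumptions, the attribute names come from the thread."""
import xml.etree.ElementTree as ET

# Assumed policy: anything older than TLSv1.1 (or a catch-all alias) is weak.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "SSLv23", "TLSv1", "TLS", "SSL"}
# sslProtocol values that select an SSL-only SSLContext, flagged for the same reason.
WEAK_SSLPROTOCOL = {"SSL", "SSLv2", "SSLv3"}

# Constructed sample: four HTTPS connectors in different states plus one plain HTTP.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- A: Tomcat 7 style, pinned to TLSv1.1 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1" />
    <!-- B: Tomcat 6.0.32 style, undocumented 'protocols' attribute -->
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslProtocol="TLSv1.1" protocols="TLSv1.1" />
    <!-- C: sslProtocol only, enabled list left to the JSSE default -->
    <Connector port="8445" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS" />
    <!-- D: explicitly keeps SSLv3 and TLSv1 alongside TLSv1.1 -->
    <Connector port="8446" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               sslProtocol="SSL" sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1" />
    <!-- Plain HTTP connector: out of scope -->
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def _split_list(value):
    """Split a comma-separated attribute value into a list of names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_connectors(server_xml_text):
    """Return one finding dict per SSL-enabled Connector in the given server.xml."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        # Tomcat 7 documents sslEnabledProtocols; Tomcat 6.0.32 reads 'protocols'.
        if "sslEnabledProtocols" in conn.attrib:
            enabled_attr = "sslEnabledProtocols"
        elif "protocols" in conn.attrib:
            enabled_attr = "protocols"
        else:
            enabled_attr = None
        enabled = _split_list(conn.get(enabled_attr)) if enabled_attr else []
        ssl_protocol = conn.get("sslProtocol")

        problems = []
        if not enabled:
            problems.append("no enabled-protocol list: JSSE default applies")
        weak = sorted(p for p in enabled if p in WEAK_PROTOCOLS)
        if weak:
            problems.append("weak protocols enabled: " + ", ".join(weak))
        if ssl_protocol in WEAK_SSLPROTOCOL:
            problems.append("sslProtocol selects an SSL context: " + ssl_protocol)

        findings.append({
            "port": conn.get("port"),
            "sslProtocol": ssl_protocol,
            "attribute": enabled_attr,
            "enabled": enabled,
            "ok": not problems,
            "problems": problems,
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK  " if f["ok"] else "WARN"
        detail = "; ".join(f["problems"]) or ", ".join(f["enabled"])
        print(f"{status} port {f['port']} ({f['attribute'] or 'no list'}): {detail}")
```

Run against a real server.xml by reading the file into audit_connectors(); connectors A and B above pass, C is flagged because the enabled list falls back to the JSSE default, and D is flagged both for SSLv3/TLSv1 in the list and for the SSL-only sslProtocol.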
