Hello Tomcat Users -- I posted this question elsewhere yesterday and then realized I should have sent it to this mailing list.

I'm trying to configure tomcat7 to support TLS 1.2 (which was released 6 years ago). I can get TLS 1.0 to work, but NIST [says][1] that I "shall not" use TLS 1.0. I know I can use JSSE instead to get TLS 1.2, but why can't I get APR to support it? A few online guides I've read recommend APR over JSSE, it looks like I get better ciphers out of the box with APR/OpenSSL than JSSE, and I can use cipher suites with OpenSSL so it seems easier to maintain. According to [this][2] bug report it might be available with a patch, but I'd have guessed it would be standard by now. Is there some other gratis way of getting OpenSSL in tomcat, or is it simply the case that there's insufficient interest in tomcat native for security purposes?

For reference, I've got Tomcat 7.0.55 and tomcat-native 1.1.30. I don't get any warning during startup, and I know I'm only getting TLS 1.0 because that's what clicking the lock in my browser tells me and [Qualys SSL Labs][3] says TLS 1.2 is not available on my server. My connector is:

    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true" ... SSLProtocol="TLSv1"/>

And note that `TLSv1` is the [only][4] TLS value allowed for `SSLProtocol`. Following `mod_ssl`'s `SSLProtocol`, I tried `TLSv1.2` but that drew an exception. Unfortunately, I can't find any discussion of this online.

Thanks!

Amos.

[1]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
[2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
[3]: https://www.ssllabs.com/ssltest/index.html
[4]: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
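An added example (not part of the post or of Tomcat) of doing the same check locally that the post delegates to SSL Labs: pin a client handshake to one protocol version at a time against the connector (host and port are assumed, e.g. the post's 8443) and report whether TLS 1.0 is still offered and TLS 1.2 is not.

```python
import socket
import ssl

# Versions to probe, oldest first. TLS 1.0 is what the post's server offers;
# NIST SP 800-52r1 says it shall not be used; TLS 1.2 is the goal.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, name, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `name`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    # This is a version probe, not a trust decision, so skip cert validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Newer OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it for the probe so an old server is not misreported as closed.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Handshake alert, refused connection or timeout: version not offered.
        return False


def probe_server(host, port):
    """Map each version name to whether the server accepted it."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def findings(results):
    """Policy view of a probe result; an empty list means nothing to fix."""
    out = []
    if results.get("TLSv1.0"):
        out.append("TLS 1.0 offered: disallowed by NIST SP 800-52r1")
    if not results.get("TLSv1.2"):
        out.append("TLS 1.2 not offered")
    return out


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. 127.0.0.1 8443 (assumed)
    res = probe_server(host, port)
    for name, offered in res.items():
        print(f"{name}: {'offered' if offered else 'not offered'}")
    for line in findings(res):
        print("FINDING:", line)
```

A connector that only ever negotiates TLS 1.0, as in the post, produces both findings; a server that offers TLS 1.2 and refuses TLS 1.0 produces none.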
I'm trying to configure tomcat7 to support TLS 1.2 (which was released 6 years ago). I can get TLS 1.0 to work, but NIST [says][1] that I "shall not" use TLS 1.0. I know I can use JSSE instead to get TLS 1.2, but why can't I get APR to support it? A few online guides I've read recommend APR over JSSE, it looks like I get better ciphers out of the box with APR/OpenSSL than JSSE, and I can use cipher suites with OpenSSL so it seems easier to maintain. According to [this][2] bug report it might be available with a patch, but I'd have guessed it would be standard by now. Is there some other gratis way of getting OpenSSL in tomcat, or is it simply the case that there's insufficient interest tomcat native for security purposes? For reference, I've got Tomcat 7.0.55 and tomcat-native 1.1.30. I don't get any warning during startup, and I know I'm only getting TLS 1.0 is because that's what clicking the lock in my browser tells me and [Qualys SSL Labs][3] says TLS 1.2 is not available on my server. My connector is: <Connector port="8443" scheme="https" secure="true" SSLEnabled="true" ... SSLProtocol="TLSv1"/> And note that `TLSv1` is the [only][4] TLS value allowed for `SSLProtocol`. Following `mod_ssl`'s `SSLProtocol`, I tried `TLSv1.2` but that drew an exception. Unfortunately, I can't find any discussion of this online. Thanks! Amos. [1]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf [2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=53952 [3]: https://www.ssllabs.com/ssltest/index.html [4]: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org