Tom,
On 5.4.2015 3:06, Tom Williamson wrote:
> I would like to know if anyone has a working example of getting TLS 1.2
> working on Tomcat 7.0.55, so that it can be accessed by the latest
> version of Chrome and Firefox.
Which version of Java do you use? Make sure it is Java 7 or 8, and if
you haven't already upgraded, upgrade to the latest released version.
Could you clarify whether you need TLSv1.2 only, or TLSv1.2 along with
other TLS versions (v1 and v1.1)?
> <Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keystoreFile="/path/mykeystore"
>            keystorePass="password"
>            clientAuth="false"
>            sslProtocol="TLS"
>            sslEnabledProtocols="TLS" />
By specifying protocol="HTTP/1.1" you are using connector auto-detection.
Depending on the existence of the Tomcat native DLL, Tomcat will
automatically select between the APR connector and the JSSE connector. Those two
connectors have completely different sets of options. The options you are
using (keystoreFile, keystorePass) clearly indicate you wish to
use a JSSE connector. Therefore, to rule out present and future
auto-detection problems, I would recommend that you explicitly specify the
connector you wish to use. E.g. for the JSSE BIO connector that would be:
protocol="org.apache.coyote.http11.Http11Protocol"
Next, sslEnabledProtocols should specify exact TLS versions, so if you
need only TLSv1.2 use:
sslEnabledProtocols="TLSv1.2"
and if you need e.g. all three versions, then omit the attribute
sslEnabledProtocols, or use:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
> So far based on the Tomcat 7.0 docs, I have tried the following
> configuration changes:
> sslEnabledProtocols="TLS"
> sslEnabledProtocols="TLSv1"
> sslEnabledProtocols="TLSv1.1"
> sslEnabledProtocols="TLSv1.2"
> sslEnabledProtocols="TLSv1.1,TLSv1.2"
Except for the first one, all other examples should be working.
> With most of these, I don't get any error in the console (I have logging
> set to ALL), but I also have not been able to get either Chrome or
> Firefox to connect.
> I have also tried various combinations of "sslProtocols=" and "cipher=",
> also with no luck.
> Can anyone post a sample <connector> configuration that works?
Try this:
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />
BTW, the attribute name is "ciphers", not "cipher".
-Ognjen
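As an added example (not part of Ognjen's reply or of the Tomcat project), here is a small Python linter that applies the three points made above to a single <Connector> element from server.xml: auto-detected protocol, non-version names in sslEnabledProtocols, and the "cipher" vs "ciphers" attribute name. The Http11NioProtocol and Http11AprProtocol class names are standard Tomcat connector classes that the thread itself does not mention.

```python
# Added example: lint a Tomcat 7 <Connector> for the TLS pitfalls raised in the thread.
import xml.etree.ElementTree as ET

# Connector classes whose SSL options are JSSE-style (keystoreFile, ciphers, ...).
JSSE_CLASSES = {
    "org.apache.coyote.http11.Http11Protocol",     # BIO, the class recommended in the reply
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO, same JSSE option set (not in thread)
}
APR_CLASS = "org.apache.coyote.http11.Http11AprProtocol"  # OpenSSL-style options instead
TLS_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}          # exact names sslEnabledProtocols accepts

def lint_connector(xml_text):
    """Return a list of human-readable findings for one <Connector> element."""
    conn = ET.fromstring(xml_text)
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings                      # plain HTTP connector: nothing TLS to check
    proto = conn.get("protocol", "HTTP/1.1")
    if proto == "HTTP/1.1":
        findings.append('protocol="HTTP/1.1" relies on APR/JSSE auto-detection; '
                        'name the JSSE class explicitly')
    elif proto == APR_CLASS and "keystoreFile" in conn.attrib:
        findings.append("keystoreFile is a JSSE option but the connector is APR")
    enabled = conn.get("sslEnabledProtocols")
    if enabled is None:
        findings.append("sslEnabledProtocols not set: every version the JVM enables "
                        "by default is offered, not only TLSv1.2")
    else:
        versions = {v.strip() for v in enabled.split(",") if v.strip()}
        bogus = sorted(versions - TLS_VERSIONS)
        if bogus:
            findings.append(f"sslEnabledProtocols contains {bogus}; use exact versions "
                            "such as TLSv1.2, not a family name like TLS")
        if "TLSv1.2" not in versions:
            findings.append("TLSv1.2 is not enabled")
    if "cipher" in conn.attrib:
        findings.append('"cipher" is not a recognised attribute; the JSSE attribute is "ciphers"')
    return findings

# The two connectors from the thread: Tom's original and Ognjen's suggested fix.
ORIGINAL = '''<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="/path/mykeystore" keystorePass="password"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLS" />'''
FIXED = '''<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    clientAuth="false" keystoreFile="/path/mykeystore" keystorePass="password"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />'''

if __name__ == "__main__":
    for name, xml in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, lint_connector(xml) or ["OK"])
```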