Re: Need configuration example for Tomcat 7.0.55 TLS configuration

Mon, 06 Apr 2015 00:11:54 -0700 

Tom,

On 5.4.2015 3:06, Tom Williamson wrote:

I would like to know if anyone has a working example of getting TLS 1.2
working on Tomcat 7.0.55, so that it can be accessed by the latest
version of Chrome and Firefox.



Which version of Java do you use? Make sure it is Java 7 or 8, and if 
you already didn't upgrade, then upgrade to the latest released version.



Could you clarify do you need TLSv1.2 only, or you need TLSv1.2 among 
other TLS versions (v1 and v1.1)?




<Connector port="8484" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLS" />



By specifing protocol="HTTP/1.1" you are using connector auto-detection. 
Depending on the existance of Tomcat native DLL, Tomcat will 
automatically select between APR connector and JSSE connector. Those two 
connectors have completely different set of options. The options you are 
using (keystoreFile, keystorePass), are clearly indicating you wish to 
use JSSE connectors. Therefore, to rule out present and future 
auto-detection problems, I would recommend that you explicitly specify 
connector you wish to use. E.g. for JSSE BIO connector that would be:


  protocol="org.apache.coyote.http11.Http11Protocol"



Next, sslEnabledProtocols should specify exact TLS versions, so if you 
need only TLSv1.2 use:


  sslEnabledProtocols="TLSv1.2"


and if you need e.g. all three versions, then omit attribute 
sslEnabledProtocols, or use:


  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"



So far based on the Tomcat 7.0 docs, I have tried the following
configuration changes:

sslEnabledProtocols="TLS"
sslEnabledProtocols="TLSv1"
sslEnabledProtocols="TLSv1.1"
sslEnabledProtocols="TLSv1.2"
sslEnabledProtocols="TLSv1.1,TLSv1.2"


Except for the first one, all other examples should be working.



With most of these, I don't get any error in the console (I have logging
set to ALL), but I also have not been able to get either Chrome or
Firefox to connect.

I have also tried various combinations of "sslProtocols=" and "cipher=",
also with no luck.

Can anyone post a sample <connector> configuration that works?


Try this:

<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="/path/mykeystore"
           keystorePass="password"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />

BTW, the attribute name is "ciphers", not "cipher".

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to