On Thu, Mar 5, 2020 at 10:44 AM i...@flyingfischer.ch
<i...@flyingfischer.ch> wrote:
>
> Try SSLProtocol="TLSv1.2" (mind the case) instead of sslProtocol="-all
> +TLSv1.2".
>
> Had this issue too. The connector parameters for SSL are a huge mess and
> have been changed constantly.
>
> Best
> Markus
>
> On 05.03.20 at 19:30, rugman66 . wrote:
> > Hello,
> >
> >
> >
> > I have both Apache and Tomcat running on the same RHEL. I have successfully
> > configured Apache to use OpenSSL TLSv1.2, but I cannot get Tomcat to use
> > TLSv1.2. Tomcat for some reason will only use TLS 1.0, and that is no good.
> > No matter what parameter I set in the server.xml sslProtocol directive it
> > won’t change. Seems like it’s getting that directive somewhere else but I
> > can't locate.
> >
> >
> >
> > <Connector
> >          port="8443"
> >          scheme="https"
> >          secure="true"
> >          protocol="org.apache.coyote.http11.Http11AprProtocol"
> >          SSLEnabled="true"
> >          SSLCertificateFile="/auto/englearn-web/ssl_certificate/server.cer"
> >          SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
> >          SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/server.key"
> >          SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
> >          SSLHonorCipherOrder="true"
> >          maxThreads="150"
> >          clientAuth="false"
> >          sslProtocol="-all +TLSv1.2"
> >          />
> >
> >
> >
> > OpenSSL 1.0.2d
> >
> > Tomcat 7.0.39 (I know it’s old, but it's what I have to work with at this
> > time)
> >
> >
> > Thank you for any insight.
> >
> > -John
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

Sorry, that last reply sent before I was done for some reason.

Thanks Markus,

One final issue. One version of the URL is still using TLS 1.0, and I
need to disable or force it to TLS v1.2 and can't find where to do
that.

https://server.domain.com  (TLSv 1.2)
https://server.domain.com/foo (Apache proxy TLSv1.2)
https://server.domain.com:8443 (TLS 1.0)

Thanks
-John
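
The attribute-case problem discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of Tomcat: a small linter that reports TLS-enabled APR connectors in a server.xml where `SSLProtocol` (exact case, per Markus's reply) is missing or names anything other than TLSv1.2. The function name, the `allowed` parameter and the sample XML are assumptions made for illustration; splitting the value on `+` assumes the plus-separated form the APR connector uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the thread (certificate paths dropped)
# plus a second connector using the spelling suggested in the reply.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" sslProtocol="-all +TLSv1.2"/>
  <Connector port="8444" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" SSLProtocol="TLSv1.2"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""


def audit_apr_connectors(server_xml, allowed=("TLSv1.2",)):
    """Return (port, finding) pairs for TLS-enabled APR connectors."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # not a TLS connector
        if "Apr" not in conn.get("protocol", ""):
            continue  # only the APR/OpenSSL connector is covered here
        port = conn.get("port", "?")
        value = conn.get("SSLProtocol")  # exact-case lookup
        if value is None:
            # Look for the same name written with different capitalisation.
            stray = [k for k in conn.attrib if k.lower() == "sslprotocol"]
            msg = "SSLProtocol is not set"
            if stray:
                msg += f" (found '{stray[0]}', which differs in case)"
            findings.append((port, msg))
            continue
        tokens = [t.strip() for t in value.split("+")]
        extra = [t for t in tokens if t not in allowed]
        if extra:
            findings.append((port, "SSLProtocol names " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for port, msg in audit_apr_connectors(SAMPLE):
        print(f"port {port}: {msg}")
```
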
