On 05.03.20 at 23:10, rugman66 . wrote:
> On Thu, Mar 5, 2020 at 10:44 AM i...@flyingfischer.ch
> <i...@flyingfischer.ch> wrote:
>> Try SSLProtocol="TLSv1.2" (mind the case) instead of sslProtocol="-all
>> +TLSv1.2".
>>
>> Had this issue too. The connector parameters for SSL are a huge mess and
>> have been changed constantly.
>>
>> Best
>> Markus
>>
>> On 05.03.20 at 19:30, rugman66 . wrote:
>>> Hello,
>>>
>>> I have both Apache and Tomcat running on the same RHEL. I have successfully
>>> configured Apache to use OpenSSL TLSv1.2, but I cannot get Tomcat to use
>>> TLSv1.2. Tomcat for some reason will only use TLS 1.0, and that is no good.
>>> No matter what parameter I set in the server.xml sslProtocol directive it
>>> won’t change. Seems like it’s getting that directive somewhere else but I
>>> can't locate it.
>>>
>>> <Connector
>>>     port="8443"
>>>     scheme="https"
>>>     secure="true"
>>>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>     SSLEnabled="true"
>>>     SSLCertificateFile="/auto/englearn-web/ssl_certificate/server.cer"
>>>     SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
>>>     SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/server.key"
>>>     SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
>>>     SSLHonorCipherOrder="true"
>>>     maxThreads="150"
>>>     clientAuth="false"
>>>     sslProtocol="-all +TLSv1.2"
>>> />
>>>
>>> OpenSSL 1.0.2d
>>>
>>> Tomcat 7.0.39 (I know it’s old, but it's what I have to work with at this
>>> time)
>>>
>>>
>>> Thank you for any insight.
>>>
>>> -John
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
> Sorry, that last reply sent before I was done for some reason.
>
> Thanks Markus,
>
> One final issue. One version of the URL is still using TLS 1.0, and I
> need to disable or force it to TLS v1.2 and can't find where to do
> that.
>
> https://server.domain.com (TLSv 1.2)
> https://server.domain.com/foo (Apache proxy TLSv1.2)
> https://server.domain.com:8443 (TLS 1.0)
>
> Thanks
> -John
>
These three URLs do use two different connectors: on Port 443 and on
Port 8443.
Make sure you have configured both connectors accordingly.
Best
Markus
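
The two points raised in this thread, the case of the `SSLProtocol` attribute and configuring every connector, can be checked mechanically against `server.xml`. The script below is an added example, not part of the thread or of Tomcat: the sample XML and its ports are constructed, and the function name `audit_apr_connectors` and the TLS 1.2-only policy are assumptions.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"TLSv1.2"}  # assumed policy, taken from the thread: TLS 1.2 only

# Constructed sample (not the poster's file); ports are illustrative.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" sslProtocol="-all +TLSv1.2"/>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" SSLProtocol="TLSv1.2"/>
  <Connector port="10443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" SSLProtocol="TLSv1+TLSv1.2"/>
  <Connector port="11443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true"/>
</Service></Server>"""


def audit_apr_connectors(server_xml):
    """Return {port: status} for every SSLEnabled APR <Connector>."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector
        if not conn.get("protocol", "").endswith("Http11AprProtocol"):
            continue  # JSSE connectors use different attributes; out of scope
        port = conn.get("port", "?")
        value = conn.get("SSLProtocol")  # XML attribute names are case-sensitive
        if value is None:
            # Same name in another case (e.g. sslProtocol), or nothing at all
            lookalike = [k for k in conn.attrib if k.lower() == "sslprotocol"]
            results[port] = ("wrong-case:" + lookalike[0]) if lookalike else "missing"
            continue
        # APR values are '+'-joined protocol names, e.g. TLSv1+TLSv1.2
        tokens = {t.strip() for t in value.split("+") if t.strip()}
        results[port] = "ok" if tokens and tokens <= ALLOWED else "weak:" + value
    return results


if __name__ == "__main__":
    for port, status in sorted(audit_apr_connectors(SAMPLE_SERVER_XML).items()):
        print(port, status)
```

Any connector not reported as `ok` still needs the change from the first reply; a port that does not appear at all is served by something other than an APR connector in this file.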