> <i...@flyingfischer.ch> wrote:

>> On 2020-03-05 at 23:10 rugman66 wrote:
> On Thu, Mar 5, 2020 at 10:44 AM i...@flyingfischer.ch
> <i...@flyingfischer.ch> wrote:
>> Try SSLProtocol="TLSv1.2" (mind the case) instead of sslProtocol="-all
>> +TLSv1.2".
>>
>> Had this issue too. The connector parameters for SSL are a huge mess and
>> have been changed constantly.
>>
>> Best
>> Markus
>>
>> On 2020-03-05 at 19:30 rugman66 wrote:
>>> Hello,
>>>
>>> I have both Apache and Tomcat running on the same RHEL. I have successfully
>>> configured Apache to use OpenSSL TLSv1.2, but I cannot get Tomcat to use
>>> TLSv1.2. Tomcat for some reason will only use TLS 1.0, and that is no good.
>>> No matter what parameter I set
>>> in the server.xml sslProtocol directive it won’t change. Seems like it’s
>>> getting that directive somewhere else but I can't locate.
>>>
>>> <Connector  port="8443"
>>>          scheme="https"
>>>          secure="true"
>>>          protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>          SSLEnabled="true"
>>>          SSLCertificateFile="/auto/englearn-web/ssl_certificate/server.cer"
>>>          SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
>>>          SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/server.key"
>>>          SSLCipherSuite="RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"
>>>          SSLHonorCipherOrder="true"
>>>          maxThreads="150"
>>>          clientAuth="false"
>>>          sslProtocol="-all +TLSv1.2"  />
>>>
>>> OpenSSL 1.0.2d
>>>
>>> Tomcat 7.0.39 (I know it's old, but it's what I have to work with at this
>>> time)
>>>
>>> Thank you for any insight.
>>>
>>> -John
>>>
> Sorry, that last reply sent before I was done for some reason.
>
>> Thanks Markus,
>>
>> One final issue. One version of the URL is still using TLS 1.0, and I
>> need to disable or force it to TLS v1.2 and can't find where to do
>> that.
>>
>> https://server.domain.com          (TLSv1.2)
>> https://server.domain.com/foo      (Apache proxy, TLSv1.2)
>> https://server.domain.com:8443     (TLS 1.0)
>>
>> Thanks
>> -John
>>

> These three URLs do use two different connectors: on Port 443 and on Port 
> 8443.
> Make sure you have configured both connectors accordingly.
> Best
> Markus

---
Keep in mind that the Java JVM may need help as well (depending on which 
version of the Java JVM runtime is hosting the Apache Tomcat).

Oracle documentation covers this topic well at the URL:
https://www.java.com/en/configure_crypto.html

Scroll down to the paragraph "Changing default TLS protocol version for client
end points: TLS 1.0 to TLS 1.2".

Cheers!

Simba
Engineering
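
Added example, not code from this thread or from Tomcat: a small audit script that reads a server.xml and reports SSL-enabled connectors whose protocol attributes still leave TLS 1.0 on, including the mis-cased sslProtocol on an APR connector that Markus points out. It assumes each Connector names its protocol class explicitly (Http11AprProtocol vs. a JSSE class) and uses a constructed sample file rather than the poster's real configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's real server.xml: the thread's connector
# (mod_ssl-style value on the mis-cased attribute), then an APR connector and a
# JSSE (NIO) connector pinned to TLS 1.2.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             sslProtocol="-all +TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLProtocol="TLSv1.2"/>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""

ACCEPTABLE = {"TLSv1.2"}  # protocol versions you are willing to leave enabled


def audit_connectors(xml_text):
    """Return (port, problem) tuples for every SSLEnabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs, port = conn.attrib, conn.get("port", "?")
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue
        if "Apr" in attrs.get("protocol", ""):  # assumes protocol class is named
            # APR/OpenSSL connector: the attribute is SSLProtocol (case matters)
            # and the value is '+'-joined version names, e.g. "TLSv1.1+TLSv1.2".
            if "sslProtocol" in attrs:
                findings.append((port, "sslProtocol is the JSSE attribute; the APR connector reads SSLProtocol"))
            value, sep, name = attrs.get("SSLProtocol"), "+", "SSLProtocol"
            if value is None:
                findings.append((port, "SSLProtocol missing; the default 'all' still offers TLS 1.0"))
        else:
            # JSSE connector: sslEnabledProtocols is the comma-separated allow list;
            # sslProtocol there only names the SSLContext and restricts nothing.
            value, sep, name = attrs.get("sslEnabledProtocols"), ",", "sslEnabledProtocols"
            if value is None:
                findings.append((port, "sslEnabledProtocols missing; the JVM defaults decide what is offered"))
        for token in (value or "").split(sep):
            if token.strip() and token.strip() not in ACCEPTABLE:
                findings.append((port, f"{name} enables {token.strip()!r}"))
    return findings


for port, problem in audit_connectors(SAMPLE_SERVER_XML):
    print(f"port {port}: {problem}")
```

Only the 8443 connector from the thread is reported; the two corrected connectors pass.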
