Running two connectors seems to work just fine, but I'm having trouble
getting one of them to only take TLS 1.2
In reply to my query:
Given all this, is it possible to (1) have Tomcat listen on two separate
HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
other accept something our AS/400 can use?
On 7/17/20 10:03 AM, Mark Thomas wrote:
Yes. You need two Connector elements specifying different ports and
different protocols. They should be able to use the same certificate
configuration.
I just ran a test on our development Amazon EC2 instance, and verified
that I could listen on two different ports (existing 8443 and now 7443),
and I limited (or so I thought) 8443 (to which I have 443 rerouted
through iptables) to TLS 1.2.
Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!
I commented out the connector for 8443 and restarted Tomcat, but it's
still giving the same report from SSLLabs.
The connector for 8443 in server.xml looks like this (lines truncated):
<Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http1$
compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
maxThreads="1000" socket.appReadBufSize="1024" socket.app$
keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
clientAuth="false" sslProtocol="TLSv1.2" />
The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7
installation on our most security-conscious customer's AS/400; this
Tomcat is 8.5. Am I specifying it wrong?
--
JHHL
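As an added illustration (not the poster's actual server.xml and not from the thread), here is how the two connectors could be written on Tomcat 8.5 so that 8443 really refuses anything below TLS 1.2 while 7443 stays permissive for the AS/400. The point is that sslProtocol only names the algorithm handed to the JSSE SSLContext and does not restrict what the engine will negotiate; the accepted versions are set with sslEnabledProtocols (or protocols on a nested SSLHostConfig). Ports 8443/7443, the keystore path and clientAuth come from the message; the Http11NioProtocol class is an assumption, and the keystore password, key alias and cipher list are placeholders.

```xml
<!-- Connector as posted (simplified). sslProtocol alone does NOT limit the
     negotiated versions, so TLS 1.0 and 1.1 remain enabled by default. -->
<Connector port="8443" proxyPort="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks"
           keystorePass="PLACEHOLDER_PASSWORD" keyAlias="PLACEHOLDER_ALIAS"
           clientAuth="false" sslProtocol="TLSv1.2" />

<!-- Corrected 8443: sslEnabledProtocols restricts the handshake to TLS 1.2.
     Ciphers are a placeholder; keep the list the real config already uses. -->
<Connector port="8443" proxyPort="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks"
           keystorePass="PLACEHOLDER_PASSWORD" keyAlias="PLACEHOLDER_ALIAS"
           ciphers="PLACEHOLDER_CIPHER_LIST"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />

<!-- 7443 for the AS/400: same certificate, older versions explicitly allowed. -->
<Connector port="7443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks"
           keystorePass="PLACEHOLDER_PASSWORD" keyAlias="PLACEHOLDER_ALIAS"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
```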