On 18/10/2021 06:19, Natraj Thekkan wrote:
Hi,
@Mark
Thanks for your response.
We have tested by removing that line of code; the client is still able to
establish the connection with the server using TLSv1 and TLSv1.1. The following
is configured in the java.security file.
jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE,
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Please suggest a way to restrict the TLSv1 and TLSv1.1 versions when
OpenSSLImplementation is used.
The code you are using should be sufficient.
Please provide the simplest, *complete* test case (i.e. the source code
for an executable Java class that starts a Tomcat instance that listens
for HTTP/2 connections) that responds to TLS 1.0 and 1.1 connections
when configured not to.
(We can provide our own test certificate.)
Mark
Regards,
Natraj
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Thursday, October 14, 2021 4:11 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
On 14/10/2021 10:28, Natraj Thekkan wrote:
Hi,
We are using tomcat version 9.0.46.
Could you please provide a suggestion to restrict the TLS version in HTTP2 over
HTTPS with the OpenSSL implementation?
The code below is sufficient, assuming that is then the connector that is being
used by the clients.
You should be able to remove the
sslHostConfig.setSslProtocol("TLS");
line. It is only used with JSSE.
Mark
Regards,
Natraj
From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org' <users@tomcat.apache.org>
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
Hi,
We have tried to restrict the TLS version in HTTPS connection establishment in
embedded Tomcat for the OpenSSL-based implementation. With this part of the code,
a TLSv1.0/TLSv1.1 client is also able to connect to our HTTPS server. Please let
us know how we can restrict the TLS version in HTTP2 over HTTPS in the OpenSSL
implementation.
The code below is used while creating the connector.
private final String[] enabledProtocol = new String[] { "TLSv1.2" };

SSLHostConfig sslHostConfig = new SSLHostConfig();
sslHostConfig.setInsecureRenegotiation( false );
sslHostConfig.setCertificateFile( certLocation );
sslHostConfig.setCertificateKeyFile( certKeyLocation );
sslHostConfig.setCertificateKeyPassword( certKeyPassword );
if( isClientAuthreq && caCertificatePath != null &&
        !caCertificatePath.isEmpty() )
{
    sslHostConfig.setCertificateVerification(
            CertificateVerification.REQUIRED.toString() );
    sslHostConfig.setCaCertificateFile( caCertificatePath );
}
sslHostConfig.setSslProtocol("TLS");
sslHostConfig.setEnabledProtocols( enabledProtocol );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName",
        "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );
Regards,
Natraj
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
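
A client-side check for the behaviour discussed in this thread, added here as an example (it is not code from the thread or from Tomcat): it offers exactly one TLS version per handshake, with ALPN for h2, and reports whether the connector accepts it. The class name TlsVersionProbe and the defaults localhost and 8443 are assumptions; it needs JDK 9 or later for the ALPN calls.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsVersionProbe {
    public static void main(String[] args) throws Exception {
        // Assumed defaults; pass the connector's real host and port as arguments.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        // Recent JDKs also disable TLSv1/TLSv1.1 on the client side. Clear the
        // restriction for this probe JVM only, before JSSE initialises, otherwise
        // the handshake fails locally and says nothing about the server.
        Security.setProperty("jdk.tls.disabledAlgorithms", "");

        // Probe only: accept any certificate so that a self-signed test
        // certificate does not mask the protocol result. Not for real clients.
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);

        for (String version : new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }) {
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
                s.setSoTimeout(5000);
                SSLParameters p = s.getSSLParameters();
                p.setProtocols(new String[] { version });   // offer exactly one version
                p.setApplicationProtocols(new String[] { "h2", "http/1.1" }); // ALPN
                s.setSSLParameters(p);
                s.startHandshake();
                System.out.printf("%-8s ACCEPTED (negotiated %s, ALPN '%s', cipher %s)%n",
                        version, s.getSession().getProtocol(),
                        s.getApplicationProtocol(), s.getSession().getCipherSuite());
            } catch (Exception e) {
                // Shown in full so a protocol rejection can be told apart from
                // other failures such as a refused connection.
                System.out.printf("%-8s rejected: %s%n", version, e);
            }
        }
    }
}
```

If the connector requires client certificates, every handshake fails for that reason instead; run the probe against a connector without certificate verification, or initialise the context with a key manager.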