Is this actually Kosher?
Open your Tomcat server
Open your server.xml file in tomcat
Add the connector with TLS protocol as below
<Connector port="8453"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
maxHttpHeaderSize="16384"
compression="on"
scheme="https"
SSLEnabled="true"
secure="true"
defaultSSLHostConfigName="test.test">
<UpgradeProtocol
className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig
hostName="test.test"
protocols="TLSv1.2"
ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,
TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
<Certificate
certificateKeystoreFile="<path to certificate keystore (JKS)>"
certificateKeystorePassword ="${keystore.pass}"
certificateKeyPassword="${keystore.pass}"
certificateKeyAlias="<ALIAS>"
/>
</SSLHostConfig>
</Connector> Now, restart your Tomcat.
If so, do we just add the TLS 1.3 ciphers to the list?
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are
not the addressee or authorized to receive this for the addressee, you must not
use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you for
your cooperation.
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Thursday, April 20, 2023 10:27 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: OT: Tomcat and TLS
>
> Jon,
>
> On 4/20/23 10:12, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Since TLS 1.2 and 1.3 don't/can't play well with each other (no mixed
> > mode)
> What do you mean by this?
>
> > [...] is it best to have a TLS 1.2 connector and a separate TLA 1.3
> > connector on a different port, or just go to a TLS 1.3 connector and
> > hope for backward compat?
> TLSv1.3 uses a TLSv1.2-compatible handshake. The client and server should
> negotiate the highest-supported protocol version shared between the two.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
