This is what I have:

<Connector executor="tomcatThreadPool" protocol="HTTP/1.1" address="0.0.0.0" port="8443"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="false"
           acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
           compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
           scheme="https" secure="true" SSLEnabled="true" defaultSSLHostConfigName="appsrv.lan"
           server="Tomcat" proxyName="esolutions.caspersbox.com" proxyPort="443">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="/home/appsrv/etc/kdb/tomcat.p12" type="RSA"
                     certificateKeystorePassword="Sj45gvHBgdoJerbptVZV" />
    </SSLHostConfig>
</Connector>

________________________________________________
Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311
________________________________________________
-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E--- W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+) PGP++(+++) t+ 5-- X-- R+ tv+ b++ DI++ D++ G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------

On Thu, Apr 20, 2023 at 12:17 PM <jonmcalexan...@wellsfargo.com.invalid> wrote:
> Is this actually Kosher?
>
> Open your Tomcat server
> Open your server.xml file in tomcat
> Add the connector with TLS protocol as below
>
> <Connector port="8453"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150"
>            maxHttpHeaderSize="16384"
>            compression="on"
>            scheme="https"
>            SSLEnabled="true"
>            secure="true"
>            defaultSSLHostConfigName="test.test">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>     <SSLHostConfig hostName="test.test"
>                    protocols="TLSv1.2"
>                    ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>                             TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CCM,TLS_ECDHE_ECDSA_WITH_AES_256_CCM,TLS_DHE_RSA_WITH_AES_256_CCM_8,
>                             TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>                             TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CCM,
>                             TLS_ECDHE_ECDSA_WITH_AES_128_CCM,TLS_DHE_RSA_WITH_AES_128_CCM_8,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>                             TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
>                             TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256">
>         <Certificate certificateKeystoreFile="<path to certificate keystore (JKS)>"
>                      certificateKeystorePassword="${keystore.pass}"
>                      certificateKeyPassword="${keystore.pass}"
>                      certificateKeyAlias="<ALIAS>" />
>     </SSLHostConfig>
> </Connector>
>
> Now, restart your Tomcat.
>
> If so, do we just add the TLS 1.3 ciphers to the list?
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
> > -----Original Message-----
> > From: Christopher Schultz <ch...@christopherschultz.net>
> > Sent: Thursday, April 20, 2023 10:27 AM
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: OT: Tomcat and TLS
> >
> > Jon,
> >
> > On 4/20/23 10:12, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Since TLS 1.2 and 1.3 don't/can't play well with each other (no mixed
> > > mode)
> >
> > What do you mean by this?
> >
> > > [...] is it best to have a TLS 1.2 connector and a separate TLS 1.3
> > > connector on a different port, or just go to a TLS 1.3 connector and
> > > hope for backward compat?
> >
> > TLSv1.3 uses a TLSv1.2-compatible handshake. The client and server should
> > negotiate the highest-supported protocol version shared between the two.
> >
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
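Jon's question (whether TLSv1.3 suites must be added to an explicit ciphers list once TLSv1.3 is in protocols) can be checked mechanically against a server.xml fragment. The script below is an added example, not code from this thread or from Tomcat: it parses each SSLHostConfig with the Python standard library and reports whether TLSv1.3 is enabled, whether any TLSv1.3 suite appears in the ciphers attribute, and whether the keystore password is a literal rather than a ${...} property. The host names, keystore path and password in SAMPLE are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The three TLSv1.3 suites, using the RFC 8446 names that JSSE also uses.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

def split_list(value):
    """Split a comma-separated Tomcat attribute, tolerating mail-wrap whitespace."""
    return [v for v in re.split(r"[,\s]+", value or "") if v]

def check_ssl_host_configs(xml_text):
    """Return one report dict per <SSLHostConfig> in a server.xml fragment."""
    reports = []
    for cfg in ET.fromstring(xml_text).iter("SSLHostConfig"):
        # "all" is Tomcat's default and includes TLSv1.3 when the JVM supports it.
        protocols = split_list(cfg.get("protocols", "all"))
        ciphers = split_list(cfg.get("ciphers"))  # absent: Tomcat's default suites
        tls13 = "TLSv1.3" in protocols or "all" in protocols
        listed = sorted(c for c in ciphers if c in TLS13_SUITES)
        cert = cfg.find("Certificate")
        pw = cert.get("certificateKeystorePassword", "") if cert is not None else ""
        reports.append({
            "hostName": cfg.get("hostName"),
            "tls13_enabled": tls13,
            "tls13_suites_listed": listed,
            # JSSE needs at least one TLSv1.3 suite enabled to finish a TLSv1.3
            # handshake, so an explicit TLSv1.2-only list quietly pins clients to
            # TLSv1.2. (OpenSSL/tcnative sets its TLSv1.3 suites separately.)
            "tls13_usable_with_jsse": tls13 and (not ciphers or bool(listed)),
            # A literal password in server.xml ends up in backups, diffs and mail
            # threads; "${keystore.pass}" defers it to a property instead.
            "password_is_literal": bool(pw) and not pw.startswith("${"),
        })
    return reports

# Constructed sample: a TLSv1.2-only suite list despite TLSv1.3, then the fixed form.
SAMPLE = """<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig hostName="before.example" protocols="TLSv1.2,TLSv1.3"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
               TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256">
    <Certificate certificateKeystoreFile="conf/tomcat.p12" certificateKeystorePassword="changeit" />
  </SSLHostConfig>
  <SSLHostConfig hostName="after.example" protocols="TLSv1.2,TLSv1.3"
      ciphers="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,
               TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
    <Certificate certificateKeystoreFile="conf/tomcat.p12" certificateKeystorePassword="${keystore.pass}" />
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    print(*check_ssl_host_configs(SAMPLE), sep="\n")
```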