Hi all,
Spying on this thread and have a little confusion. For me tomcat is running on
a windows server and I wasn't able to find a Catalina.sh. I do have a
Catalina.bat though....does anyone know if this is supposed to be the
equivalent to the .sh file , just for Windows?
Thanks,
Brandie
Regeneron - Internal Use Only
-----Original Message-----
From: SCHWING, CHUCK <cs3...@att.com>
Sent: Thursday, August 10, 2023 4:59 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [External] RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs
server.xml options
EXTERNAL MESSAGE
_________________________________________________________________
EXTERNAL MESSAGE
Chris --
Many thanks for the clarification. I missed the "client" in the
jdk.tls.client.protocols jvm arg.
Regards,
--ccs
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, August 10, 2023 2:04 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml
options
Chuck,
On 8/9/23 13:58, SCHWING, CHUCK wrote:
> I've looked for the answer to this online and maybe I didn't read closely
> enough.
> I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option
> of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the
> same TLS version is defined in my server.xml in my SSLHostConfig:
> sslProtocol="TLS"
> protocols="TLSv1.2"
>
> My question is: What's the precedence in play? Does catalina.sh override
> server.xml or is it the other way around?
>
> We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat
> 10 so support TLS1.2 and TLS1.3 while we're migrating.
The system property you have shown above does not affect the behavior of Tomcat
at all. This system property affects Java's built-in TLS *client* when making
/outgoing/ connections.
If you specify "TLSv1.2" and no other protocols, then you will not enable
TLSv1.3. You should specify:
protocols="TLSv1.3, TLSv1.2"
in your <SSLHostConfig> in order to enable TLSv1.3 and also accept TLSv1.2.
Note that for TLSv1.3 there are other requirements, specifically a JVM with
support if using JSSE or an OpenSSL implementation with support if using
OpenSSL.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
********************************************************************
This e-mail and any attachment hereto, is intended only for use by the
addressee(s) named above and may contain legally privileged and/or confidential
information. If you are not the intended recipient of this e-mail, any
dissemination, distribution or copying of this email, or any attachment hereto,
is strictly prohibited. If you receive this email in error please immediately
notify me by return electronic mail and permanently delete this email and any
attachment hereto, any copy of this e-mail and of any such attachment, and any
printout thereof. Finally, please note that only authorized representatives of
Regeneron Pharmaceuticals, Inc. have the power and authority to enter into
business dealings with any third party.
********************************************************************
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
