Hi, I'm running Tomcat 8.5.50.0 on JRE 1.8.0_241-b07 on Solaris 5.11. Like many other people, I've failed to disable TLSv1, TLSv1.1 etc.

Here is a snippet of server.xml:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedQueryChars="[]" maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            sslEnabledProtocols="TLSv1.2,TLSv1.3"
            <Certificate certificateKeystoreFile="conf/***********.jks"
                         certificateKeystorePassword="******"
                         certificateKeyPassword="******"
                         certificateKeyAlias="*******************"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

In fact, configuring any of these had absolutely no effect at all, and there was no message or error in catalina.out:

    sslEnabledProtocols="TLSv1.2,TLSv1.3"
    sslProtocol="TLSv1.2"
    protocols="TLSv1.2,TLSv1.3"

Tomcat continues to happily allow a TLS1 connection:

    $ openssl s_client -connect 127.0.0.1:443</dev/null -tls1
    [SNIP]
    SSL handshake has read 3121 bytes and written 321 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: 5FFD6A60DF76BF269E4E2AFF6FAFEA58F85FBE381803355B76C2056B663B98C7
        Session-ID-ctx:
        Master-Key: FFD11889EC7BEF958EA1D0D00E57A04BF1F283EE27632B75E1AD1D7DAAE83510AC85CD7E890A58A7F7C0C6F0B56F0C61
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1610443360
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE

Best regards
Eric Lee
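
An added example, not part of the original message: a small Python check that reports whether a protocol setting in a server.xml fragment is a real XML attribute or only character data sitting between tags, which is how the setting appears in the snippet above. The sample fragments are constructed (placeholder keystore path), and the attribute names checked are the three quoted in the message.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout quoted in the message.
SAMPLE = """<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           relaxedQueryChars="[]" maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    sslEnabledProtocols="TLSv1.2,TLSv1.3"
    <Certificate certificateKeystoreFile="conf/placeholder.jks" type="RSA" />
  </SSLHostConfig>
</Connector>"""

# Constructed variant: one of the settings from the message written inside the start tag.
AS_ATTRIBUTE = """<Connector port="443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="conf/placeholder.jks" type="RSA" />
  </SSLHostConfig>
</Connector>"""

# name="value" found in element text, i.e. outside any start tag.
STRAY = re.compile(r'([A-Za-z_][\w.-]*)\s*=\s*"([^"]*)"')
# Protocol-related attribute names quoted in the message.
PROTOCOL_ATTRS = ("protocols", "sslEnabledProtocols", "sslProtocol")


def audit(xml_text):
    """Return (stray, declared).

    stray    -- [(element, name, value)] for name="value" text between tags,
                which an XML parser hands over as character data, not as a setting
    declared -- {(element, attribute): value} for protocol attributes that
                really are attributes of an element
    """
    root = ET.fromstring(xml_text)
    stray, declared = [], {}
    for el in root.iter():
        # Text directly inside el: its leading text plus the tail of each child.
        chunks = [el.text or ""] + [child.tail or "" for child in el]
        for name, value in STRAY.findall(" ".join(chunks)):
            stray.append((el.tag, name, value))
        for attr in PROTOCOL_ATTRS:
            if attr in el.attrib:
                declared[(el.tag, attr)] = el.attrib[attr]
    return stray, declared


if __name__ == "__main__":
    for label, text in (("as quoted", SAMPLE), ("as attribute", AS_ATTRIBUTE)):
        stray, declared = audit(text)
        print(label, "| stray text:", stray, "| declared:", declared)
```

An empty `declared` result together with a non-empty `stray` list means the file contains no protocol restriction at all as far as an XML parser is concerned.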