Hi Chuck. I just also took interest to dig this issue.
The Document which you were referring http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native, is clearly stated that only SSLv2, SSLv3, TLSv1 is support by SSLProtocol Attribute. SSLCipherSuite will only be supported cipher available in SSLv2,SSLv3, TLSV1. TLSv1.1 and TLSV1.2 supported Cipher can't be invoked until TLSv1.1 and TLSv1.2 is enabled.see the supported Cipher list on TLSV1.2 on openssl link. http://www.openssl.org/docs/apps/ciphers.html#TLS_v1_2_cipher_suites I am happy to see if someone enabled below ciphers without enabling the TLSv1.2 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-ECDSA-AES128-SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-ECDSA-AES256-SHA384 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-ECDSA-AES128-GCM-SHA256 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-ECDSA-AES256-GCM-SHA384 Regards, San On Fri, Jan 3, 2014 at 12:59 PM, Mudassir Aftab <withmudas...@gmail.com>wrote: > > > ---------- Forwarded message ---------- > From: Caldarale, Charles R <chuck.caldar...@unisys.com> > Date: Fri, Jan 3, 2014 at 10:45 AM > Subject: RE: TLS is not working in 6.0.37, 7.0.42, 7.0.47 > To: Tomcat Users List <users@tomcat.apache.org> > > > > From: Mudassir Aftab [mailto:withmudas...@gmail.com] > > Subject: Re: TLS is not working in 6.0.37, 7.0.42, 7.0.47 > > > Should i use following APR connector attribute ? > > <Connector port="8443" > > protocol="org.apache.coyote.http11.Http11AprProtocol" > > maxThreads="200" > > sslProtocol="TLSv1" sslEnabledProtocols="TLSv1.2" > > clientAuth="false" > > ciphers="AES256-SHA256" > > scheme="https" secure="true" SSLEnabled="true" > > SSLCertificateFile="p.pem" > > SSLCertificateKeyFile="key.pem" > > SSLCACertificateFile="AdminCA1.pem" /> > > For the third time, the APR <Connector> has no sslProtocol nor > sslEnabledProtocols attributes; the proper ones for specifying the protocol > and encryption algorithms are SSLProtocol and SSLCipherSuite, respectively. > For the last time, read the doc: > > http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native > > (If you don't start paying attention to the responses you're getting, you > will end up just being ignored.) > > - Chuck > > > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY > MATERIAL and is thus for use only by the intended recipient. If you > received this in error, please contact the sender and delete the e-mail and > its attachments from all computers. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > >
