Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-20 Thread Christopher Schultz
Mark, On 10/19/21 04:17, Mark Thomas wrote: On 19/10/2021 06:20, Natraj Thekkan wrote: Hi Mark or Chris, Based on Chris's statement, it has to be addressed in Tomcat. No, you have misunderstood Chris's statement. +1 I was suggesting a related behavior in Tomcat that would not affect the

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Natraj Thekkan
Hi, @Thomas Hoffmann, Mark and Chris, Thanks for your suggestion. We have made the changes as per the XML configuration provided by Thomas Hoffmann and then verified the scenario. Now, client connections with TLS1.1 and TLS1.0 are restricted as expected.

AW: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, I can recommend SSLScan for verifying your configuration: https://github.com/rbsec/sslscan/releases/tag/2.0.10 Example configuration which I use: SSLScan reports this result: SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-19 Thread Mark Thomas
On 19/10/2021 06:20, Natraj Thekkan wrote: Hi Mark or Chris, Based on Chris's statement, it has to be addressed in Tomcat. No, you have misunderstood Chris's statement. All the evidence so far points to user error. Again, you need to provide the simplest, *complete* test case (i.e. the

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Natraj Thekkan
Hi Mark or Chris, Based on Chris's statement, it has to be addressed in Tomcat. Can I raise a bug in Bugzilla for this observation? Regards, Natraj -Original Message- From: Christopher Schultz Sent: Monday, October 18, 2021 10:14 PM To: users@tomcat.apache.org Subject: Re: Restriction

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Christopher Schultz
Natraj, On 10/18/21 01:19, Natraj Thekkan wrote: @Mark Thanks for your response. We have tested by removing that line of code; the client is still able to establish the connection with the server using TLSv1 and TLSv1.1. The one below is configured in the java.security file.

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-18 Thread Mark Thomas
On 18/10/2021 06:19, Natraj Thekkan wrote: Hi, @Mark Thanks for your response. We have tested by removing that line of code; the client is still able to establish the connection with the server using TLSv1 and TLSv1.1. The one below is configured in the java.security file.

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-17 Thread Natraj Thekkan
Hi, @Mark Thanks for your response. We have tested by removing that line of code; the client is still able to establish the connection with the server using TLSv1 and TLSv1.1. The one below is configured in the java.security file.

Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Mark Thomas
On 14/10/2021 10:28, Natraj Thekkan wrote: Hi, We are using Tomcat version 9.0.46. Could you please provide a suggestion to restrict the TLS version in HTTP2 over HTTPS with the OpenSSL implementation? The code below is sufficient, assuming that is then the connector that is being used by the

RE: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-14 Thread Natraj Thekkan
Hi, We are using Tomcat version 9.0.46. Could you please provide a suggestion to restrict the TLS version in HTTP2 over HTTPS with the OpenSSL implementation? Regards, Natraj From: Natraj Thekkan Sent: Wednesday, October 13, 2021 10:15 AM To: 'users@tomcat.apache.org' Subject: Restriction of TLS

Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

2021-10-12 Thread Natraj Thekkan
Hi, We have tried to restrict the TLS version in HTTPS connection establishment in embedded Tomcat for the OpenSSL-based implementation. With this part of the code, TLSv1.0/TLSv1.1 clients are also able to connect with our HTTPS server. Please let us know how we can restrict the TLS version in HTTP2