-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ognjen,

On 3/6/13 2:51 AM, Ognjen Blagojevic wrote:
> Chris,
> 
> On 6.3.2013 7:02, Christopher Schultz wrote:
>>> So in Tomcat 7 you might use:
>>> 
>>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>> 
>>> and in Tomcat 6.0.32:
>>> 
>>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>> 
>>> 
>>> It works for me.
>> 
>> Can you file a bug for this? That should be a) documented and b) 
>> accept either "protocol" or "sslEnabledProtocols" to make it
>> line up with Tomcat 7.0.
> 
> Sure, I will. But, before I do, I just want to point out
> another issue here:
> 
> Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and 
> Tomcat 7.0.37 come pre-configured -- enables different groups of 
> protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable
> SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable
> SSLv3 and TLSv1. This is counter-intuitive and might introduce
> problems when upgrading from Tomcat 6 to Tomcat 7.
> 
> Which behavior is right? I prefer how Tomcat 6 is interpreting
> that attribute -- trying to enable best possible TLS protocol
> versions available.
> 
> OTOH, from Tomcat 7 documents it seems that the value of attribute 
> setProtocol is just passed to JSSE when creating SSLContext. I
> assume that Tomcat 6 did some pre-processing before passing that
> attribute to SSLContext.

Are you sure it's not a JVM default and not Tomcat's default? Tomcat's
default in both situations is "TLS" which may mean different things
depending upon the JVM configuration.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlE4HokACgkQ9CaO5/Lv0PDd4ACgkvVWVUFV9WmU48gzZbVuHk21
+LUAn3/eD+r/p9YRa24+zNCnSueAMoOf
=Dupb
-----END PGP SIGNATURE-----
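
One way to check the question raised above (JVM default versus Tomcat default) is to ask JSSE directly, outside Tomcat, which protocols a server-side engine enables for each SSLContext name. This is an added example, not part of the original message or of Tomcat's code; the class name and the list of context names tested are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name): run it with the same JVM that runs Tomcat.
public class JsseProtocolDefaults {
    // "TLS" and "TLSv1.1" are the sslProtocol values from the thread;
    // "TLSv1.2" is included only for comparison.
    static final String[] CONTEXT_NAMES = {"TLS", "TLSv1.1", "TLSv1.2"};

    // Protocols a server-mode engine enables when nothing else is configured,
    // i.e. what a connector gets if it passes the name through to JSSE unchanged.
    static String[] serverEnabled(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        for (String name : CONTEXT_NAMES) {
            SSLContext ctx;
            try {
                ctx = SSLContext.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                // Older JVMs do not provide every context name.
                System.out.println(name + ": not available in this JVM");
                continue;
            }
            // Default key managers, trust managers and RNG; no handshake is performed.
            ctx.init(null, null, null);
            String[] enabled = serverEnabled(ctx);
            String[] supported = ctx.getSupportedSSLParameters().getProtocols();
            System.out.println(name + ":");
            System.out.println("  enabled by default: " + Arrays.toString(enabled));
            System.out.println("  supported:          " + Arrays.toString(supported));
            // SSLv3 is the protocol both Tomcat versions in the thread leave on.
            if (Arrays.asList(enabled).contains("SSLv3")) {
                System.out.println("  note: SSLv3 is enabled by default for this context");
            }
        }
    }
}
```

If the "enabled by default" list for `TLS` differs between the JVMs used for the Tomcat 6 and Tomcat 7 tests, the difference comes from JSSE rather than from Tomcat.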
