Ognjen,

On 3/6/13 2:51 AM, Ognjen Blagojevic wrote:
> Chris,
>
> On 6.3.2013 7:02, Christopher Schultz wrote:
>>> So in Tomcat 7 you might use:
>>>
>>> sslProtocol="TLSv1.1" sslEnabledProtocols="TLSv1.1"
>>>
>>> and in Tomcat 6.0.32:
>>>
>>> sslProtocol="TLSv1.1" protocols="TLSv1.1"
>>>
>>> It works for me.
>>
>> Can you file a bug for this? That should be a) documented and b)
>> accept either "protocol" or "sslEnabledProtocols" to make it
>> line-up with Tomcat 7.0.
>
> Sure, I will. But, before I do, I just want to point out here to
> another issue:
>
> Attribute setProtocol="TLS" -- which is how both Tomcat 6.0.36 and
> Tomcat 7.0.37 come pre-configured -- enables different groups of
> protocols on Tomcat 6 and Tomcat 7. Tomcat 6.0.36 will enable
> SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while Tomcat 7.0.37 will enable
> SSLv3 and TLSv1. This is counter-intuitive and might introduce
> problems when upgrading from Tomcat 6 to Tomcat 7.
>
> Which behavior is right? I prefer how Tomcat 6 is interpreting
> that attribute -- trying to enable best possible TLS protocol
> versions available.
>
> OTOH, from Tomcat 7 documents it seems that the value of attribute
> setProtocol is just passed to JSSE when creating SSLContext. I
> assume that Tomcat 6 did some pre-processing before passing that
> attribute to SSLContext.

Are you sure it's not a JVM default and not Tomcat's default?
Tomcat's default in both situations is "TLS" which may mean different
things depending upon the JVM configuration.

-chris
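
One way to check the JVM-default question raised above, as an added example that is not part of the original message and is not Tomcat's code: it asks JSSE directly which protocols a server socket enables for the context names "TLS" and "TLSv1.1", then narrows the socket to TLSv1.1 only. The class name JsseProtocolProbe and the helpers socketFor and restrict are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class JsseProtocolProbe {

    /** Creates an unbound server socket from an SSLContext of the given name. */
    static SSLServerSocket socketFor(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // JVM default key/trust managers; nothing is bound or sent
        return (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket();
    }

    /** Keeps only the requested protocols this JVM supports (hypothetical helper). */
    static String[] restrict(SSLServerSocket socket, String... requested) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> kept = new ArrayList<String>();
        for (String p : requested) {
            if (supported.contains(p)) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String name : new String[] {"TLS", "TLSv1.1"}) {
            SSLServerSocket s;
            try {
                s = socketFor(name);
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + ": no such SSLContext on this JVM");
                continue;
            }
            try {
                System.out.println(name + " supported: " + Arrays.toString(s.getSupportedProtocols()));
                System.out.println(name + " enabled by default: " + Arrays.toString(s.getEnabledProtocols()));
                String[] only11 = restrict(s, "TLSv1.1");
                if (only11.length > 0) {
                    s.setEnabledProtocols(only11); // explicit list replaces the JVM default
                    System.out.println(name + " restricted to: " + Arrays.toString(s.getEnabledProtocols()));
                }
            } finally {
                s.close();
            }
        }
    }
}
```

Run it with the same JVM that hosts each Tomcat instance and compare the "enabled by default" lines; if they differ between JVMs for the same context name, the difference comes from JSSE rather than from the connector configuration.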