When SSLv3 is enabled, however, it seems TLS 1.1 and TLS 1.2 are supported.
It seems strange that the SSLv3 option controls the availability of TLS 1.1
and TLS 1.2.

Now that SSLv3 is considered insecure and more people start to disable it,
I suppose many on APR/Native will encounter the same issue.
Is there any way to preserve TLS1.1 & TLS1.2 whilst disabling SSLv3?

Regards

John

On Wed, Oct 15, 2014 at 3:09 PM, Giles Coochey <gi...@coochey.net> wrote:

>  On 15/10/2014 14:03, John Blaut wrote:
>
> I am using Tomcat 7. I can reproduce the issue even on Native 1.1.30.
>
>
>
>  Apologies, yes Apr/Native only supports SSLv2, SSLv3 & TLSv1.0
>
>   SSLProtocol
>
> Protocol which may be used for communicating with clients. The default
> value is all, which is equivalent to SSLv3+TLSv1 with other acceptable
> values being SSLv2, SSLv3, TLSv1 and any combination of the three
> protocols concatenated with a plus sign. Note that the protocol SSLv2 is
> inherently unsafe.
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native
>
> --
> Regards,
>
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
>
>
