Hello Tomcat friends,

I am looking for some understanding on what is happening in my environment
to make sure I am not missing anything in my settings.

Basics:
1) OS is GNU/Linux
2) Java is JDK v1.7
3) Tomcat 7

First, this question has come up because we needed to allow TLSv1.2
connections to our application. I was looking for how someone would do this
and found two items. The first was to set the Java https protocol to allow
TLSv1.2, because by default Java 7 did not have this enabled. The other was
to set the SSL_VERSION parameter in Tomcat's catalina.sh. The site I read
about setting SSL_VERSION in catalina.sh indicated the user had to do this
because his Tomcat would not talk to another Tomcat without it set. When
I went in and looked, SSL_VERSION was set to TLSv1, so I added 1.1 and
1.2 with the following command:

SSL_VERSION="-Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2"

This change was easy to make, but I learned a restart was needed for the
change to take place.

Prior to finding the change described above, I had read that to make the
change for Java (not through Tomcat) I would run this command on the command
line:

java -Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2

No matter how I ran this, the command would not be taken.

I did not think only making the change to SSL_VERSION was enough, but my
colleague decided to try connecting to the Tomcat server with an SSH client,
and we received the notification that the TLSv1.2 connection was good.

We finally were able to get a console working on the server and, to our
surprise, Java's console did not have any of the TLS versions enabled, only
the SSL versions.

So I am confused here. It doesn't seem like Tomcat is relying on Java's
settings matching what is in the catalina.sh file, and it works without
setting these in the Java console.

Why is that?

Thanks for improving my knowledge.

-Joleen
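For readers of this thread, an added example that is not from Joleen's post or from the Tomcat project: in Tomcat 7 the protocols the server accepts are set on the HTTPS connector in conf/server.xml, whereas the https.protocols system property from catalina.sh only governs outbound HttpsURLConnection clients inside the JVM (and the Java Control Panel only affects the browser plug-in and Web Start, not a server JVM). Port, keystore path and password below are placeholders.

```xml
<!-- conf/server.xml, JSSE (non-APR) connector on Tomcat 7 -->

<!-- Weak: only TLSv1 is offered, the state SSL_VERSION was originally in.
     Note: catalina.sh's -Dhttps.protocol(s) does NOT change this list. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1" />

<!-- Hardened: accept TLSv1.2 only. With sslEnabledProtocols omitted, the
     connector inherits the JVM's server-side defaults, which on JDK 7
     already include TLSv1.2 (unlike the client side); that is why a
     TLSv1.2 handshake succeeded without any Java console change.
     Add TLSv1.1/TLSv1 back only if a legacy client measurably needs them. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2" />
```

After a restart, `openssl s_client -connect host:8443 -tls1_2` (and `-tls1` / `-tls1_1` expected to fail) confirms which versions the connector actually negotiates.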
