2016-06-21 14:12 GMT-04:00 Joleen Barker <oldenuf2no...@gmail.com>:

> Hello Tomcat friends,
>
> I am looking for some understanding on what is happening in my environment
> to make sure I am not missing anything in my settings.
>
> Basics:
> 1) OS is GNU/Linux
> 2) Java is JDK v1.7
> 3) Tomcat 7
>
> First, this question has come up because we needed to allow TLSv1.2
> connections to our application. I was looking for how someone would do this
> and found 2 items. The first was to set the java https protocol to allow
> TLSv1.2 because by default java 7 did not have this enabled. The other was
> to set in Tomcat the SSL_VERSION parameter in catalina.sh. The site I read
> to set the SSL_VERSION in the catalina.sh indicated the user had to do this
> because his Tomcat would not talk to another Tomcat without this set. When
> I went in and looked the SSL_VERSION was set to TLSv1, so I added 1.1 and
> 1.2 with the following command:
>
> SSL_VERSION="-Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2"
>
> This change was easy to make but I learned a restart was needed for the
> change to take place.
>

Never ever edit catalina.sh; this is bad practice and strongly discouraged.
This file lies in the official binary distribution tree and should never
be tampered with. There are other ways to configure Tomcat properly. If
you change the connector properties, which is what you need to do to enable
TLSv1.2, there is no workaround for a restart.


>
> Prior to me finding the change to make above I was reading to make the
> change for Java (not through Tomcat) I would run the command on the command
> line:
>
> java -Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2
>
> no matter how I ran this the command would not be taken.
>
>
Of course it would not affect any process other than itself. It is totally
useless to execute this command alone.


> I did not think only making the change to the SSL_VERSION was enough but my
> colleague decided to try connecting to the Tomcat server with an SSH client
> and we received the notification that the TLSv1.2 connection was good.
>
> We finally were able to get a console working on the server and to our
> surprise Java's console did not have any of the TLS versions enabled and
> only the SSL versions.
>
> So I am confused here. It doesn't seem like Tomcat is relying on Java's
> settings matching what is in the catalina.sh file and works without setting
> these in the java console.
>
> Why is that?
>
> Thanks for improving my knowledge.
>
> -Joleen
>

You need to set up Tomcat properly, otherwise a setting somewhere may be
overridden elsewhere. For your connector to support TLSv1.2, you need to edit
the server.xml file and nothing else.

The other thing you will need to do is to take the necessary steps for
your version of Java to support TLSv1.2 if it doesn't support it yet.
You didn't mention which version of Java 7 exactly you are using. Did you
install the Unlimited JDK security package?

Did you read the documentation on TLS/SSL?
 http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

-----------------
Daniel Savard
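As an added example that is not part of this thread, this is what the server.xml change looks like for a Tomcat 7 JSSE (NIO) connector: the protocols the connector offers are set with its sslEnabledProtocols attribute, independent of the JVM default and of the https.protocols system property, which only governs the JDK's own HTTPS client. The keystore path and password are placeholders, and the port and thread count are assumed.

```xml
<!-- Added example, not from the thread. Tomcat 7 HTTPS connector (JSSE, NIO).
     Only TLSv1.2 is offered; add TLSv1.1 or TLSv1 to sslEnabledProtocols
     only if older clients must still connect. Requires a restart to apply. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="CHANGEME_PLACEHOLDER" />

<!-- If the connector is APR/native (Http11AprProtocol) the equivalent
     attribute is SSLProtocol="TLSv1.2", with SSLCertificateFile and
     SSLCertificateKeyFile in place of the keystore attributes. -->
```

After the restart, verify from a client which protocol is actually negotiated rather than trusting the Java control panel, which does not configure Tomcat's connector.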
