Hello Daniel,

Thank you for your replies.

Yes, I have the Java build 1.7.0_71 installed and I have the Unlimited
security package installed as the application from the vendor requires it.

Ok, you say never to edit the catalina.sh. I can change it back. The
setting originally was SSL_VERSION="-Dhttps.protocol=TLSv1"

Why is it set for only one version in the catalina.sh? What is having this
set to one version limiting us to?

Our connector has this set in it:

sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"

Is this all we need to allow TLSv1.2 clients to come in and for Tomcat
acting as a client to go out as TLSv1.2?

-Joleen



On Tue, Jun 21, 2016 at 5:53 PM, Daniel Savard <daniel.sav...@gmail.com>
wrote:

> 2016-06-21 14:12 GMT-04:00 Joleen Barker <oldenuf2no...@gmail.com>:
>
> > Hello Tomcat friends,
> >
> > I am looking for some understanding on what is happening in my
> environment
> > to make sure I am not missing anything in my settings.
> >
> > Basics:
> > 1) OS is GNU/Linux
> > 2) Java is JDK v1.7
> > 3) Tomcat 7
> >
> > First, this question has come up because we needed to allow TLSv1.2
> > connections to our application. I was looking for how someone would do
> this
> > and found 2 items. The first was to set the java https protocol to allow
> > TLSv1.2 because by default java 7 did not have this enabled. The other
> was
> > to set in Tomcat the SSL_VERSION parameter in catalina.sh. The site I
> read
> > to set the SSL_VERSION in the catalina.sh indicated the user had to do
> this
> > because his Tomcat would not talk to another Tomcat without this set.
> When
> > I went in and looked the SSL_VERSION was set to TLSv1, so I added 1.1 and
> > 1.2 with the following command:
> >
> > SSL_VERSION="-Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2"
> >
> > This change was easy to make but I learned a restart was needed for the
> > change it take place.
> >
>
> Never ever edit catalina.sh, this is bad practice and strongly discouraged.
> This file lies in the official binary distribution tree and should never
> be tampered with. There are other ways to configure Tomcat properly. If
> you change the connector properties, which is what you need to do to enable
> TLSv1.2, there is no turnaround for a restart.
>
>
> >
> > Prior to me finding the change to make above I was reading to make the
> > change for Java (not through Tomcat) I would run the command on the
> command
> > line:
> >
> > java -Dhttps.protocol=TLSv1,TLSv1.1,TLSv1.2
> >
> > no matter how I ran this the command would not be taken.
> >
> >
> Of course it would not affect any process other than itself. It is totally
> useless to execute this command alone.
>
>
> > I did not think only making the change to the SSL_VERSION was enough but
> my
> > colleague decided to try connecting to the Tomcat server with an SSH
> client
> > and we received the notification that the TLSv1.2 connection was good.
> >
> > We finally were able to get a console working on the server and to our
> > surprise Java's console did not have any of the TLS versions enabled and
> > only the SSL versions.
> >
> > So I am confused here. It doesn't seem like Tomcat is relying on Java's
> > settings matching what is in the catalina.sh file and works without
> setting
> > these in the java console.
> >
> > Why is that?
> >
> > Thanks for improving my knowledge.
> >
> > -Joleen
> >
>
> You need to set up Tomcat properly, otherwise a setting somewhere may be
> overridden elsewhere. For your connector to support TLSv1.2, you need to edit
> the server.xml file and nothing else.
>
> The other thing you will need to do is to take the necessary steps for
> your version of Java to support TLSv1.2 if it doesn't support it yet.
> You didn't mention which version of Java 7 exactly you are using. Did you
> install the Unlimited JDK security package?
>
> Did you read the documentation on TLS/SSL?
>  http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> -----------------
> Daniel Savard
>
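
The thread mixes up two separate things: the connector's `sslEnabledProtocols` attribute in server.xml, which controls what protocol versions the JSSE (BIO/NIO) connector offers to inbound clients, and the JSSE system property, whose real name is `https.protocols` (plural), which only controls what `HttpsURLConnection` offers when the JVM acts as an outbound client. Neither is affected by the "Use TLS 1.x" checkboxes in the Java Control Panel, which apply to the browser plugin and Web Start, not to a server JVM. The following checker is an added example written for this page, not code from the thread or from the Tomcat project. It reads the JVM's supported and default-enabled protocol lists, compares them against the `sslEnabledProtocols` value copied from the thread (embedded as a constant), and shows which protocols an outbound `HttpsURLConnection` would offer under the current `https.protocols` setting. The class name `TlsProtocolCheck` and the helper method names are mine, and the code stays within the Java 7 language level used in the thread.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Added example: compare a Tomcat connector's sslEnabledProtocols and the
 *  https.protocols client property against what the running JVM supports. */
public class TlsProtocolCheck {

    // Constructed sample: the sslEnabledProtocols value from the connector in the thread.
    static final String CONNECTOR_SSL_ENABLED_PROTOCOLS = "TLSv1, TLSv1.1, TLSv1.2";

    /** Split a comma-separated protocol list the way the connector attribute
     *  and the https.protocols property are written, tolerating spaces. */
    static List<String> splitProtocols(String value) {
        List<String> out = new ArrayList<String>();
        if (value == null) {
            return out;
        }
        for (String p : value.split(",")) {
            String t = p.trim();
            if (!t.isEmpty()) {
                out.add(t);
            }
        }
        return out;
    }

    /** Keep only the requested protocols that this JVM can actually offer;
     *  anything else is silently unusable no matter where it is configured. */
    static List<String> supportedSubset(List<String> requested, String[] supported) {
        Set<String> sup = new HashSet<String>(Arrays.asList(supported));
        List<String> ok = new ArrayList<String>();
        for (String p : requested) {
            if (sup.contains(p)) {
                ok.add(p);
            }
        }
        return ok;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // What the JVM is capable of vs. what it enables when nothing is configured.
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabledByDefault = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("JVM supports       : " + Arrays.toString(supported));
        System.out.println("Enabled by default : " + Arrays.toString(enabledByDefault));

        // Inbound side: the connector attribute from server.xml.
        List<String> wanted = splitProtocols(CONNECTOR_SSL_ENABLED_PROTOCOLS);
        List<String> usable = supportedSubset(wanted, supported);
        System.out.println("Connector requests : " + wanted);
        System.out.println("Connector can use  : " + usable);
        for (String p : wanted) {
            if (!usable.contains(p)) {
                System.out.println("  WARNING: " + p + " is not supported by this JVM");
            }
        }

        // Outbound side: HttpsURLConnection honours https.protocols (plural).
        // With the property unset it falls back to the JVM's default-enabled list.
        String clientProp = System.getProperty("https.protocols");
        List<String> clientEnabled = (clientProp == null)
                ? Arrays.asList(enabledByDefault)
                : supportedSubset(splitProtocols(clientProp), supported);
        System.out.println("https.protocols    : " + clientProp);
        System.out.println("Outbound offers    : " + clientEnabled);
    }
}
```

Run it once with the same JVM Tomcat uses, e.g. `java TlsProtocolCheck` and then `java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 TlsProtocolCheck`, to see both sides. If `TLSv1.2` appears under "JVM supports" and under "Connector can use", the connector setting from the thread is sufficient for inbound TLSv1.2. For outbound connections the property helps only if the application uses `HttpsURLConnection`; code that builds its own `SSLSocket` or `SSLContext` chooses its enabled protocols itself. If you do want to pass `-Dhttps.protocols` to Tomcat's JVM, put it in `CATALINA_OPTS` in `bin/setenv.sh`, which is the file Tomcat reserves for local settings, rather than editing catalina.sh.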
