Chris,

 Thank you. But when I add protocols="all,-TLSv1" to the SSLHostConfig element, it
results in the following exception:


INFO - Initializing ProtocolHandler ["https-jsse-nio-58043"]
SEVERE - Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58043"]
java.lang.IllegalArgumentException: sslUtilBase.noneSupported
        at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:80)
        at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:47)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:148)
        at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:83)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:839)

Thanks,

Venkat


________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, August 10, 2016 4:55:18 PM
To: Tomcat Users List
Subject: Re: Tomcat v8.5.3 SSL Configuration?


Venkat,

On 8/10/16 12:43 PM, venkatesham nalla wrote:
> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2,
> but it is not working on AIX. It is only supporting TLSv1. I have
> added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.

I'm not sure that system property does anything, since Tomcat
explicitly-configures its own SSLServerSocketFactory.

> Java version 1.7.0 IBM J9 VM SR1.
>
> Tomcat 7.0.39 is working with the following config on the same
> machine with same JDK
>
> ----------------------------------------------------------------------
>
>  <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
> sslProtocol="SSL" keystoreFile="..." keystorePass="..." />
>
> Tomcat 8.5.3 SSL Configuration
>
> -----------------------------------------
>
> <Connector port="58043"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>
> <SSLHostConfig> <Certificate protocols="-TLSv1"
> certificateKeystoreFile="..."
> certificateKeystorePassword="changeit" certificateKeyAlias="..."
> sslProtocol="TLS" /> </SSLHostConfig> </Connector>

You have two problems, here:

1. The "protocols" attribute goes on the <SSLHostConfig> element, not
the nested <Certificate> element.

2. The value of "-TLSv1" by itself doesn't do what you think it does.
The default list of protocols is "none", so you'll have to add "all"
first. So your value needs to be "TLSv1.2,TLSv1.1" just like it was
for Tomcat 7, or you need to use something like "all,-TLSv1" to get it
to use "all default protocols, except for TLSv1".

-chris
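The "all,-TLSv1" failure reported at the top of the thread ends in sslUtilBase.noneSupported, which is what Tomcat raises when the intersection of the configured protocol list and the protocols the JVM's SSLContext actually supports is empty. The following stand-alone Java check is an added example, not code from the thread or from Tomcat: it reimplements the protocols-attribute token rules (all, +X, -X, plain names; the "all" set is assumed to be SSLv2Hello/TLSv1/TLSv1.1/TLSv1.2 as in 8.5) and intersects the result with what the given JDK reports, so it should be run with the same JDK Tomcat uses.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class ProtocolCheck {
    // Assumed expansion of the "all" token for Tomcat 8.5 (simplified model).
    static final List<String> ALL =
        Arrays.asList("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2");

    // Expand a protocols attribute value the way the SSLHostConfig token rules describe:
    // "all" adds the whole set, "-X" removes X, "+X" or a bare name adds X.
    static Set<String> configured(String protocols) {
        Set<String> result = new LinkedHashSet<>();
        for (String token : protocols.split(",")) {
            String t = token.trim();
            if (t.isEmpty()) continue;
            if (t.equalsIgnoreCase("all")) result.addAll(ALL);
            else if (t.startsWith("+")) result.add(t.substring(1));
            else if (t.startsWith("-")) result.remove(t.substring(1));
            else result.add(t);
        }
        return result;
    }

    // Protocols this JVM's provider supports for the given sslProtocol ("TLS", "SSL", ...).
    static Set<String> supported(String sslProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(sslProtocol);
        ctx.init(null, null, null); // default key/trust managers; enough to query parameters
        return new LinkedHashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
    }

    // What would actually be enabled; an empty result is the noneSupported condition.
    static Set<String> enabled(String protocols, String sslProtocol) throws Exception {
        Set<String> result = configured(protocols);
        result.retainAll(supported(sslProtocol));
        return result;
    }

    public static void main(String[] args) throws Exception {
        String protocols = args.length > 0 ? args[0] : "all,-TLSv1";
        String sslProtocol = args.length > 1 ? args[1] : "TLS";
        System.out.println("JVM supports for \"" + sslProtocol + "\": " + supported(sslProtocol));
        System.out.println("protocols=\"" + protocols + "\" expands to: " + configured(protocols));
        Set<String> en = enabled(protocols, sslProtocol);
        System.out.println(en.isEmpty()
            ? "RESULT: none supported (Tomcat would fail with sslUtilBase.noneSupported)"
            : "RESULT: would enable " + en);
    }
}
```

Run it as `java ProtocolCheck "all,-TLSv1" TLS` on the IBM JDK in question; the first output line shows which protocol names that provider exposes, so the attribute can be written in terms of names it actually lists.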
