Chris,

Thank you. But when I add protocols="all,-TLSv1" to the SSLHostConfig element, it results in the following exception:
INFO - Initializing ProtocolHandler ["https-jsse-nio-58043"]
SEVERE - Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58043"]
java.lang.IllegalArgumentException: sslUtilBase.noneSupported
        at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:80)
        at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:47)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:148)
        at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:83)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:839)

Thanks,
Venkat

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, August 10, 2016 4:55:18 PM
To: Tomcat Users List
Subject: Re: Tomcat v8.5.3 SSL Configuration?

Venkat,

On 8/10/16 12:43 PM, venkatesham nalla wrote:
> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2,
> but it is not working on AIX. It is only supporting TLSv1. I have
> added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.

I'm not sure that system property does anything, since Tomcat
explicitly configures its own SSLServerSocketFactory.

> Java version 1.7.0 IBM J9 VM SR1.
>
> Tomcat 7.0.39 is working with the following config on the same
> machine with the same JDK
>
> ----------------------------------------------------------------------
>
> <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
> sslProtocol="SSL" keystoreFile="..." keystorePass="..."
> />
>
> Tomcat 8.5.3 SSL Configuration
>
> -----------------------------------------
>
> <Connector port="58043"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true" >
>
> <SSLHostConfig> <Certificate protocols="-TLSv1"
> certificateKeystoreFile="..."
> certificateKeystorePassword="changeit" certificateKeyAlias="..."
> sslProtocol="TLS" /> </SSLHostConfig> </Connector>

You have two problems, here:

1. The "protocols" attribute goes on the <SSLHostConfig> element, not
the nested <Certificate> element.

2. The value of "-TLSv1" by itself doesn't do what you think it does.
The default list of protocols is "none", so you'll have to add "all"
first. So your value needs to be "TLSv1.2,TLSv1.1" just like it was
for Tomcat 7, or you need to use something like "all,-TLSv1" to get it
to use "all default protocols, except for TLSv1".

-chris
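An added example, not from this thread or from Tomcat itself: a small check that resolves an SSLHostConfig "protocols" value the way the reply describes (empty start, "all" expands, "-NAME" removes) and scans a server.xml for the two mistakes it points out. The expansion of "all" is an assumption about the Tomcat 8.5 JSSE connector, and the server.xml fragment is constructed.

```python
import xml.etree.ElementTree as ET
# Assumption (not stated in the thread): what "all" expands to for the Tomcat 8.5 JSSE connector.
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}  # versions a reviewer does not want enabled

def effective_protocols(value):
    """Resolve a 'protocols' attribute: the set starts empty, 'all' expands to the
    defaults, a bare name or '+NAME' adds, '-NAME' removes. Hence '-TLSv1' alone is empty."""
    enabled = set()
    for token in (t.strip() for t in value.split(",")):
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token:
            enabled.add(token.lstrip("+"))
    return enabled

def lint_connectors(server_xml):
    """Findings for every SSL-enabled <Connector>: misplaced attribute, empty list, legacy versions."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for host in conn.findall("SSLHostConfig"):
            if any("protocols" in cert.attrib for cert in host.findall("Certificate")):
                findings.append(f"port {port}: 'protocols' set on <Certificate>; move it to <SSLHostConfig>")
            value = host.get("protocols")
            if value is None:
                continue  # attribute absent: Tomcat's own default applies
            enabled = effective_protocols(value)
            if not enabled:
                findings.append(f"port {port}: protocols={value!r} enables nothing; start with 'all' or list versions")
            elif enabled & LEGACY:
                findings.append(f"port {port}: legacy versions enabled: {sorted(enabled & LEGACY)}")
    return findings

# Constructed server.xml fragment: the connector from the thread, then a corrected one.
SAMPLE_SERVER_XML = """<Service>
<Connector port="58043" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig><Certificate protocols="-TLSv1" certificateKeystoreFile="..."
    certificateKeystorePassword="changeit"/></SSLHostConfig></Connector>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2,TLSv1.1"><Certificate certificateKeystoreFile="..."
    certificateKeystorePassword="changeit"/></SSLHostConfig></Connector>
</Service>"""
```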