Venkat,

Please bottom-post, or interleave your responses. It's much easier to
follow the conversation and is the custom on this mailing list. See below
for my response.

On 8/10/16 2:37 PM, venkatesham nalla wrote:
> Thank you. But when add protocols="all,-TLSv1" to SSLHostConfig
> element. It is resulting in the following exception:
>
> INFO - Initializing ProtocolHandler ["https-jsse-nio-58043"]
> SEVERE - Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-58043"]
> java.lang.IllegalArgumentException: sslUtilBase.noneSupported
>         at org.apache.tomcat.util.net.SSLUtilBase.getEnabled(SSLUtilBase.java:80)
>         at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:47)
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.<init>(JSSEUtil.java:148)
>         at org.apache.tomcat.util.net.jsse.JSSEImplementation.getSSLUtil(JSSEImplementation.java:49)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:83)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:839)

There might be an implementation bug or maybe just a lack of clarity of
the documentation. I would have expected "all,-TLSv1" to work.

Try this instead:

  <SSLHostConfig protocols="TLSv1.1,TLSv1.2" ...>
    <Certificate ... />
  </SSLHostConfig>

If that doesn't work, either something else is wrong (wrong <Connector>?
undisclosed reverse proxy?) or there is a bug in Tomcat.

-chris

> ________________________________
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, August 10, 2016 4:55:18 PM
> To: Tomcat Users List
> Subject: Re: Tomcat v8.5.3 SSL Configuration?
>
> Venkat,
>
> On 8/10/16 12:43 PM, venkatesham nalla wrote:
>> I am trying to configure Tomcat v8.5.3 with TLSv1.1 and TLSv1.2,
>> but it is not working on AIX. It is only supporting TLSv1. I
>> have added the -Dcom.ibm.jsse2.overrideDefaultTLS=true as well.
>
> I'm not sure that system property does anything, since Tomcat
> explicitly-configures its own SSLServerSocketFactory.
>
>> Java version 1.7.0 IBM J9 VM SR1.
>>
>> Tomcat 7.0.39 is working with the following config on the same
>> machine with same JDK
>> ---------------------------------------------------------------------
>> <Connector port="30143" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> sslEnabledProtocols="TLSv1.2,TLSv1.1" clientAuth="false"
>> sslProtocol="SSL" keystoreFile="..." keystorePass="..." />
>>
>> Tomcat 8.5.3 SSL Configuration
>> -----------------------------------------
>> <Connector port="58043"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>> <SSLHostConfig>
>> <Certificate protocols="-TLSv1"
>> certificateKeystoreFile="..."
>> certificateKeystorePassword="changeit" certificateKeyAlias="..."
>> sslProtocol="TLS" />
>> </SSLHostConfig>
>> </Connector>
>
> You have two problems, here:
>
> 1. The "protocols" attribute goes on the <SSLHostConfig> element,
> not the nested <Certificate> element.
>
> 2. The value of "-TLSv1" by itself doesn't do what you think it
> does. The default list of protocols is "none", so you'll have to
> add "all" first. So your value needs to be "TLSv1.2,TLSv1.1" just
> like it was for Tomcat 7, or you need to use something like
> "all,-TLSv1" to get it to use "all default protocols, except for
> TLSv1".
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
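A small lint for the two mistakes discussed in this thread (the "protocols" attribute placed on <Certificate> instead of <SSLHostConfig>, and a value such as "-TLSv1" that subtracts from an empty list and leaves nothing enabled), plus a floor check on what the value actually enables. This is an added example; it is not code from the thread, from Christopher Schultz, or from Tomcat. Assumptions: the expansion rules (comma-separated tokens, "all" expands to a fixed set, "+name"/bare "name" add, "-name" removes, an explicit value starts empty) and the membership of "all" for Tomcat 8.5 (SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2) are my reading of the Tomcat 8.5 documentation, not Tomcat's own parser; the sample connector is constructed after the one posted in the thread; and the default `minimum` of "TLSv1.1" is the floor the thread was aiming for, not current guidance.

```python
import xml.etree.ElementTree as ET

# Membership of "all" as I read the Tomcat 8.5 docs (assumption; later
# versions add TLSv1.3).
ALL_PROTOCOLS = ("SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2")
# Weakest-to-strongest order for the floor check. SSLv2Hello is only a
# ClientHello format, not a negotiable version, so it is not ranked.
VERSION_ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def expand_protocols(value):
    """Expand a Tomcat-style protocol list into the set of versions it enables.

    An explicit value starts from an empty set, which is why "-TLSv1" alone
    enables nothing. Grammar per my reading of the docs (see lead-in).
    """
    enabled = set()
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        op, name = "+", token
        if token[0] in "+-":
            op, name = token[0], token[1:].strip()
        names = ALL_PROTOCOLS if name.lower() == "all" else (name,)
        if op == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def lint_connector(server_xml, minimum="TLSv1.1"):
    """Return a list of findings for every TLS-enabled <Connector> in the XML.

    An empty list means each <SSLHostConfig> carries an explicit "protocols"
    value that expands to a non-empty set with nothing below `minimum`.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        port = connector.get("port", "?")
        for host in connector.iter("SSLHostConfig"):
            # Problem 1 from the thread: attribute on the wrong element.
            for cert in host.iter("Certificate"):
                if "protocols" in cert.attrib:
                    findings.append(
                        f"port {port}: protocols={cert.get('protocols')!r} is on "
                        "<Certificate>; Tomcat reads it from <SSLHostConfig>")
            value = host.get("protocols")
            if value is None:
                findings.append(
                    f"port {port}: <SSLHostConfig> has no protocols attribute; "
                    "the Tomcat default applies, so set the policy explicitly")
                continue
            # Problem 2 from the thread: subtracting from an empty list.
            enabled = expand_protocols(value)
            if not enabled:
                findings.append(
                    f"port {port}: protocols={value!r} expands to nothing; the "
                    "connector will refuse to start (add \"all\" first or list "
                    "the versions you want)")
                continue
            floor = VERSION_ORDER.index(minimum)
            weak = sorted(p for p in enabled
                          if p in VERSION_ORDER and VERSION_ORDER.index(p) < floor)
            if weak:
                findings.append(
                    f"port {port}: protocols={value!r} still enables {', '.join(weak)}")
    return findings


# Constructed sample after the 8.5.3 connector posted in the thread, with the
# "protocols" attribute misplaced on <Certificate>. Keystore values are made up.
BROKEN = """
<Connector port="58043" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate protocols="-TLSv1" certificateKeystoreFile="conf/keystore.jks"
                 certificateKeystorePassword="changeit" certificateKeyAlias="tomcat" />
  </SSLHostConfig>
</Connector>
"""


def with_host_protocols(xml_text, value):
    """Constructed variant: drop the misplaced attribute, set it on <SSLHostConfig>."""
    return xml_text.replace(' protocols="-TLSv1"', '').replace(
        "<SSLHostConfig>", f'<SSLHostConfig protocols="{value}">')


FIXED = with_host_protocols(BROKEN, "all,-TLSv1")

if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_connector(xml_text) or "OK")
```

To run it against a real deployment, pass the contents of `conf/server.xml` to `lint_connector`, and then confirm from the outside what the server actually negotiates, for example with `openssl s_client -connect host:port -tls1` (expect a handshake failure) and `-tls1_2` (expect success). Raising `minimum` to "TLSv1.2" flags the TLSv1.1 that "all,-TLSv1" still leaves on, which is what most policies would want today.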