James,

On 3/13/19 20:38, James H. H. Lampert wrote:
> Thanks, Mr. Schultz.
>
> I managed to find the IBM docs. At least some of the cipher suites
> the customer is talking about are supported all the way back to
> their 7.0 JVM.
>
> I've specified cipher suites by name in the connector, but I don't
> think I've done protocols. "TLS," according to the IBM docs,
> "Enables TLS v1.0 protocol (defined in RFC 2246). Accepts TLSv1
> hello encapsulated in an SSLv2 format hello."
>
> Sounds like I would need to enable TLSv1.1 and TLSv1.2 explicitly.
> Would I change the sslProtocol clause from
>> sslProtocol="TLS"
>
> to
>> sslProtocol="TLSv1.1,TLSv1.2"
> or even
>> sslProtocol="TLSv1.2"
>
> and specify acceptable cipher suites in the ciphers clause?

Specifying sslProtocol="TLS" is what you want, regardless of the
actual protocols you want to support. It's ... odd, but you have to
tell Java that you want "TLS" (generically) before you can tell it
what /kind/ of TLS you want. I believe that Java will never accept any
value other than "TLS" for that at this point.

So you are left with sslEnabledProtocols...

If you want to configure specific versions of TLS, this is where to do
it:

sslEnabledProtocols="TLSv1.2, TLSv1.1, SSLv2Hello" (etc)

If you can tolerate it, I'd enable only TLSv1.2. Some clients still
require TLSv1. Virtually all clients supporting TLSv1.1 also support
TLSv1.2, so it's almost useless to enable TLSv1.1.

-chris
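
As an added example (not part of the original message, and not Tomcat's own code): a small Python check that reads the Connector elements of a server.xml and flags the two points discussed above, a version list placed in sslProtocol and versions other than TLSv1.2 listed in sslEnabledProtocols. The sample XML, the port numbers and the function name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first connector is written the way the question
# proposes, the other two use sslProtocol="TLS" plus sslEnabledProtocols.
# Ports and the remaining attributes are placeholders.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" sslProtocol="TLSv1.1,TLSv1.2"/>
    <Connector port="9443" SSLEnabled="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"/>
    <Connector port="10443" SSLEnabled="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2, TLSv1.1, SSLv2Hello"/>
  </Service>
</Server>
"""

PREFERRED = {"TLSv1.2"}  # the reply's "if you can tolerate it" choice


def audit_connectors(server_xml):
    """Return {port: [findings]} for every SSL-enabled <Connector>."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to audit
        findings = []
        ssl_protocol = conn.get("sslProtocol")
        if ssl_protocol is not None and ssl_protocol != "TLS":
            findings.append("sslProtocol=%r: keep this as 'TLS' and list "
                            "versions in sslEnabledProtocols" % ssl_protocol)
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append("sslEnabledProtocols not set: no explicit "
                            "version list on this connector")
        else:
            versions = {v.strip() for v in enabled.split(",") if v.strip()}
            extra = sorted(versions - PREFERRED)
            if extra:
                findings.append("also enabled besides TLSv1.2: "
                                + ", ".join(extra))
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```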