On 17/07/2020 21:47, James H. H. Lampert wrote:
> Running two connectors seems to work just fine, but I'm having trouble
> getting one of them to only take TLS 1.2
>
> In reply to my query:
>
>>> Given all this, is it possible to (1) have Tomcat listen on two separate
>>> HTTPS ports, and (2) have one of the ports require TLS 1.2, but the
>>> other accept something our AS/400 can use?
>
> On 7/17/20 10:03 AM, Mark Thomas wrote:
>
>> Yes. You need two Connector elements specifying different ports and
>> different protocols. They should be able to use the same certificate
>> configuration.
>
> I just ran a test on our development Amazon EC2 instance, and verified
> that I could listen on two different ports (existing 8443 and now 7443),
> and I limited (or so I thought) 8443 (to which I have 443 rerouted
> through iptables) to TLS 1.2.
>
> Except that SSLLabs tells me it's still accepting TLS 1.0 and 1.1!
>
> I commented out the connector for 8443 and restarted Tomcat, but it's
> still giving the same report from SSLLabs.
>
> The connector for 8443 in server.xml looks like this (lines truncated):
>> <Connector port="8443" proxyPort="443" protocol="org.apache.coyote.http1$
>> compression="on" compressionMinSize="2048" noCompressionUserAgents="goz$
>> maxThreads="1000" socket.appReadBufSize="1024" socket.app$
>> keystoreFile="/etc/tomcat8/dev.REDACTED.net.ks" keyAlias=$
>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256$
>> clientAuth="false" sslProtocol="TLSv1.2" />
>
> The 'sslProtocol="TLSv1.2"' clause is copied directly from the Tomcat 7
> installation on our most security-conscious customer's AS/400; this
> Tomcat is 8.5. Am I specifying it wrong?
I should probably remind myself why this is the way this is.

You want:

sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"

And to answer my question above, because that is the way the JSSE API has been written.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
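One way to catch this misconfiguration before SSLLabs does is to audit server.xml for SSL-enabled connectors that rely on sslProtocol alone. The script below is an added example written for this thread; it is not code from the posters or from the Tomcat project. The server.xml embedded in it is constructed for the demonstration (port 8443 mirrors the broken form, port 7443 the corrected one from Mark's reply), and the keystore path and password in it are placeholders. It treats sslProtocol as what it is in Tomcat's JSSE configuration, the name of the SSLContext, and sslEnabledProtocols as the attribute that actually restricts the negotiated versions.

```python
"""Audit a Tomcat server.xml for HTTPS connectors whose protocol restriction
is expressed with sslProtocol (which only names the JSSE SSLContext) instead
of sslEnabledProtocols (which actually limits the negotiated versions).

Added example for the thread above; not code from Tomcat or the posters.
The server.xml content below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Protocol names that should not be enabled on a modern HTTPS connector.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed server.xml: 8443 mirrors the misconfiguration in the thread
# (sslProtocol="TLSv1.2" but no sslEnabledProtocols); 7443 is the fixed form.
# Keystore path and password are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" proxyPort="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/placeholder.ks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLSv1.2"/>
    <Connector port="7443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/placeholder.ks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str):
    """Return one finding dict per SSL-enabled Connector.

    Each finding carries the port, whether the connector is correctly
    restricted, and a list of readable problems (empty when it is fine).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector; nothing to check
        port = conn.get("port")
        ssl_protocol = conn.get("sslProtocol", "TLS")
        enabled = conn.get("sslEnabledProtocols")
        problems = []
        if enabled is None:
            # Without sslEnabledProtocols the JSSE default set of enabled
            # protocols applies, which is what let TLS 1.0/1.1 through above.
            problems.append(
                "no sslEnabledProtocols: JSSE default enabled protocols apply")
            if ssl_protocol.startswith(("TLSv1", "SSLv")):
                problems.append(
                    f'sslProtocol="{ssl_protocol}" names an SSLContext; '
                    "it does not restrict negotiated versions")
        else:
            enabled_set = {p.strip() for p in enabled.split(",") if p.strip()}
            legacy = sorted(enabled_set & LEGACY_PROTOCOLS)
            if legacy:
                problems.append("legacy protocols enabled: " + ", ".join(legacy))
        findings.append({"port": port, "ok": not problems, "problems": problems})
    return findings


def ports_needing_attention(server_xml: str):
    """Sorted list of ports whose SSL connector has at least one problem."""
    return sorted(f["port"] for f in audit_connectors(server_xml) if not f["ok"])


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK " if finding["ok"] else "FIX"
        print(f"[{status}] port {finding['port']}")
        for problem in finding["problems"]:
            print(f"       - {problem}")
```

Run it against a real server.xml by reading the file into a string and passing it to `audit_connectors`. A connector that passes this check should still be confirmed from outside after the restart, as James did with SSLLabs, since the audit only reads configuration and cannot see what the running JVM actually negotiates.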