Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Thu, 14 Oct 2021 03:41:16 -0700 

On 14/10/2021 10:28, Natraj Thekkan wrote:

Hi,

We are using tomcat version 9.0.46.
Could you please provide suggestion to restrict the TLS version in HTTP2 over 
HTTPS with OpenSSL implementation?.
The code below is sufficient, assuming that is then the connector that is being used by the clients. 

You should be able to remove to remove the

sslHostConfig.setSslProtocol("TLS");

line. It is only used with JSSE.

Mark




Regards,
Natraj
From: Natraj Thekkan
Sent: Wednesday, October 13, 2021 10:15 AM
To: 'users@tomcat.apache.org' <users@tomcat.apache.org>
Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Hi,

We have tried to restrict the TLS version in https connection establishment in 
embedded tomcat for OpenSSL based implementation. With this part of the code, 
TLSv1.0/TLSv1.1 client also able to connect with our https server. Please let 
us know how we can restrict the TLS version in HTTP2 over HTTPS in OpenSSL 
implementation.

Below code is used while creating connector.

private final String[] enabledProtocol = new String[] { "TLSv1.2" };


SSLHostConfig sslHostConfig = new SSLHostConfig();

sslHostConfig.setInsecureRenegotiation( false );

sslHostConfig.setCertificateFile( certLocation );

sslHostConfig.setCertificateKeyFile( certKeyLocation );

sslHostConfig.setCertificateKeyPassword( certKeyPassword );

if( isClientAuthreq && caCertificatePath != null && 
!caCertificatePath.isEmpty() )

{

sslHostConfig.setCertificateVerification( 
CertificateVerification.REQUIRED.toString() );

sslHostConfig.setCaCertificateFile( caCertificatePath );

}

sslHostConfig.setSslProtocol("TLS");

sslHostConfig.setEnabledProtocols( enabledProtocol );
this.addSslHostConfig( sslHostConfig );
IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
IntrospectionUtils.setProperty( this, "sslImplementationName", 
"org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );


Regards,
Natraj




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to