Hi,
@Mark
Thanks for your response.
We have tested by removing that line of code, still client able to establish
the connection with server using TLSv1 and TLSv1.1. Below one is configured in
java.security file.
jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE,
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Please suggest the way to restrict the TLSv1,TLSv1.1 version when
OpenSSLImplementation is used.
Regards,
Natraj
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Thursday, October 14, 2021 4:11 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
On 14/10/2021 10:28, Natraj Thekkan wrote:
> Hi,
>
> We are using tomcat version 9.0.46.
> Could you please provide suggestion to restrict the TLS version in HTTP2 over
> HTTPS with OpenSSL implementation?.
The code below is sufficient, assuming that is then the connector that is being
used by the clients.
You should be able to remove to remove the
sslHostConfig.setSslProtocol("TLS");
line. It is only used with JSSE.
Mark
>
> Regards,
> Natraj
> From: Natraj Thekkan
> Sent: Wednesday, October 13, 2021 10:15 AM
> To: 'users@tomcat.apache.org' <users@tomcat.apache.org>
> Subject: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL
>
> Hi,
>
> We have tried to restrict the TLS version in https connection establishment
> in embedded tomcat for OpenSSL based implementation. With this part of the
> code, TLSv1.0/TLSv1.1 client also able to connect with our https server.
> Please let us know how we can restrict the TLS version in HTTP2 over HTTPS in
> OpenSSL implementation.
>
> Below code is used while creating connector.
>
> private final String[] enabledProtocol = new String[] { "TLSv1.2" };
>
>
> SSLHostConfig sslHostConfig = new SSLHostConfig();
>
> sslHostConfig.setInsecureRenegotiation( false );
>
> sslHostConfig.setCertificateFile( certLocation );
>
> sslHostConfig.setCertificateKeyFile( certKeyLocation );
>
> sslHostConfig.setCertificateKeyPassword( certKeyPassword );
>
> if( isClientAuthreq && caCertificatePath != null &&
> !caCertificatePath.isEmpty() )
>
> {
>
> sslHostConfig.setCertificateVerification(
> CertificateVerification.REQUIRED.toString() );
>
> sslHostConfig.setCaCertificateFile( caCertificatePath );
>
> }
>
> sslHostConfig.setSslProtocol("TLS");
>
> sslHostConfig.setEnabledProtocols( enabledProtocol );
> this.addSslHostConfig( sslHostConfig );
> IntrospectionUtils.setProperty( this, "SSLEnabled", "true" );
> IntrospectionUtils.setProperty( this, "sslImplementationName",
> "org.apache.tomcat.util.net.openssl.OpenSSLImplementation" );
>
>
> Regards,
> Natraj
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
