Hello, I can recommend SSLScan for verifying your configuration: https://github.com/rbsec/sslscan/releases/tag/2.0.10
Example configuration which I use: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" maxThreads="150" minSpareThreads="25" URIEncoding="UTF-8" useBodyEncodingForURI="false" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" compression="force" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" disableSessionTickets="true" honorCipherOrder="false" protocols="+TLSv1.2,+TLSv1.3"> <Certificate certificateKeyFile="../xxx.key" certificateFile="../xxx.pem" type="RSA" /> </SSLHostConfig> </Connector> SSLScan reports this result: SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 disabled TLSv1.1 disabled TLSv1.2 enabled TLSv1.3 enabled Greetings, Thomas -----Ursprüngliche Nachricht----- Von: Mark Thomas <ma...@apache.org> Gesendet: Dienstag, 19. Oktober 2021 10:18 An: users@tomcat.apache.org Betreff: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL On 19/10/2021 06:20, Natraj Thekkan wrote: > Hi Mark or Chris, > > Based on Chris statement, it has to be addressed in tomcat. No, you has misunderstood Chris's statement. All the evidence so far points to user error. Again, you need to provide the simplest, *complete* test case (i.e. the source code for an executable Java class that starts a Tomcat instance that listens for HTTP/2 connections) that responds to TLS 1.0 and 1.1 connections when configured not to. > Can I raise a Bug in Bugzilla for this observation?. No. Mark > > Regards, > Natraj > -----Original Message----- > From: Christopher Schultz <ch...@christopherschultz.net> > Sent: Monday, October 18, 2021 10:14 PM > To: users@tomcat.apache.org > Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with > OpenSSL > > Natraj, > > On 10/18/21 01:19, Natraj Thekkan wrote: >> @Mark >> Thanks for your response. >> >> We have tested by removing that line of code, still client able to establish >> the connection with server using TLSv1 and TLSv1.1. Below one is configured >> in java.security file. >> >> jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, >> DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ >> include jdk.disabled.namedCurves > > Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting. > > Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into > account when configuring OpenSSL through JSSE, since a user might expect that > all JSSE providers will respect that setting. > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org