Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Wed, 20 Oct 2021 10:40:19 -0700 

Mark,

On 10/19/21 04:17, Mark Thomas wrote:

On 19/10/2021 06:20, Natraj Thekkan wrote:

Hi Mark or Chris,

Based on Chris statement, it has to be addressed in tomcat.


No, you has misunderstood Chris's statement.


+1
I was suggesting a related beehavior in Tomcat that would not affect the behavior OP is reporting, here. 


All the evidence so far points to user error.

+1

-chris


-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, October 18, 2021 10:14 PM
To: users@tomcat.apache.org
Subject: Re: Restriction of TLS version in HTTP2 over HTTPS with OpenSSL

Natraj,

On 10/18/21 01:19, Natraj Thekkan wrote:

@Mark
    Thanks for your response.
We have tested by removing that line of code, still client able to establish the connection with server using TLSv1 and TLSv1.1. Below one is configured in java.security file.
jdk.tls.disabledAlgorithms=SSLv3,TLSv1,TLSv1.1,RC4,MD5withRSA,ADH,DH,DHE, 
      DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves


Note that OpenSSL will ignore the jdk.tls.disabledAlgorithms setting.
Mark (and others), maybe we should take jdk.tls.disabledAlgorithms into account when configuring OpenSSL through JSSE, since a user might expect that all JSSE providers will respect that setting. 

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to