James,
the most recent connector attribute is "protocols". The documentation is a bit vague on this, saying there is an overlap between the two, yet I don't know if the overlap is there if protocols is unset and defaults to "all"....

https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

Peter

> On 10.08.2022 at 00:15, James H. H. Lampert
> <jam...@touchtonecorp.com.invalid> wrote:
>
> I think this may have come up before, but I don't recall how it was resolved.
>
> On customer box #1, I have:
> <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> address="<REDACTED>"
> maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
> keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
>
> But on customer box #2, I have:
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
> clientAuth="false" sslProtocol="TLSv1.2" />
>
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
>
> What could be wrong here? I vaguely recall seeing something like this before.
>
> --
> JHHL
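
An added example, not part of the thread and not Tomcat's own code: a small audit that lists every TLS connector in a `server.xml` and flags those that, like both connectors quoted above, set `sslProtocol` but no explicit protocol list. It assumes the explicit list is in `protocols` (the attribute named in the reply, looked up on the Connector and on a nested `SSLHostConfig`) or in the older `sslEnabledProtocols`; the sample XML is constructed from the two quoted connectors plus one hypothetical connector.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's two connectors (redactions dropped, ports
# changed to tell them apart) plus a hypothetical one with an explicit list.
SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
             clientAuth="false" sslProtocol="TLSv1.2" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLSv1.2" />
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2" />
  </Connector>
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>
"""

def explicit_protocols(connector):
    """Return the explicitly configured protocol list, or None if absent."""
    # Assumption: the list is in "protocols" (named in the reply; looked up on
    # the Connector and on nested SSLHostConfig) or in "sslEnabledProtocols".
    values = [connector.get("protocols"), connector.get("sslEnabledProtocols")]
    values += [h.get("protocols") for h in connector.findall("SSLHostConfig")]
    found = [v for v in values if v]
    return ",".join(found) if found else None

def audit(xml_text):
    """One finding per TLS connector; review=True means no explicit list."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        protos = explicit_protocols(conn)
        findings.append({
            "port": conn.get("port"),
            "sslProtocol": conn.get("sslProtocol"),
            "protocols": protos,
            "ciphers_set": conn.get("ciphers") is not None,
            "review": protos is None,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SERVER_XML):
        status = "REVIEW: no explicit protocol list" if f["review"] else "ok"
        print(f"port {f['port']}: sslProtocol={f['sslProtocol']} "
              f"protocols={f['protocols']} ciphers_set={f['ciphers_set']} "
              f"-> {status}")
```

The `ciphers_set` column is reported because the `ciphers` list is one of the attributes that differ between the two quoted connectors; a flagged connector is then confirmed with a scan such as the SSLLabs one used in the thread.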