Hello,

> -----Original Message-----
> From: Peter Kreuser <l...@kreuser.name>
> Sent: Wednesday, 10 August 2022 08:44
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"
>
> James,
>
> the most recent connector attribute is "protocols". The documentation is a bit
> vague on this saying there is an overlap between the two, yet I don't know if the
> overlap is there if protocols is unset and defaults to "all"....
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
>
> Peter
>
> > On 10.08.2022 at 00:15, James H. H. Lampert <jam...@touchtonecorp.com.invalid> wrote:
> >
> > I think this may have come up before, but I don't recall how it was resolved.
> >
> > On customer box #1, I have:
> >
> > <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" address="<REDACTED>"
> >            maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
> >            keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
> >            ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
> >            clientAuth="false" sslProtocol="TLSv1.2" />
> >
> > and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> >
> > But on customer box #2, I have:
> >
> > <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >            keystoreFile="<REDACTED>/tomcat/wttomcat.ks" keyAlias="<REDACTED>"
> >            clientAuth="false" sslProtocol="TLSv1.2" />
> >
> > and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> >
> > What could be wrong here? I vaguely recall seeing something like this before.
> >
> > --
> > JHHL
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
I have configured my connector as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           maxThreads="150" minSpareThreads="25"
           URIEncoding="UTF-8" useBodyEncodingForURI="false"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true" compression="off" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
                   disableSessionTickets="true" honorCipherOrder="false"
                   protocols="+TLSv1.2,+TLSv1.3">
        <Certificate certificateKeyFile="../xx.key" certificateFile="../xx.pem" type="RSA" />
    </SSLHostConfig>
</Connector>

This gives a good grade when checking with ssllabs. Only TLS 1.2 and 1.3 are enabled.

Greetings,
Thomas
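Peter's point, that "protocols" defaulting to "all" is what leaves TLS 1.0/1.1 open while sslProtocol="TLSv1.2" alone does not restrict anything, can be checked against a server.xml offline before paying for a scan. The script below is an added example, not from the thread or from Tomcat; it assumes the attribute semantics in the linked 8.5 docs (protocols on SSLHostConfig, default "all"; sslProtocol only selects the JSSE SSLContext) and simplifies the +/- token rules; the sample server.xml is constructed from the two connector styles above.

```python
import xml.etree.ElementTree as ET

# Tomcat expands the token "all" (the default when 'protocols' is absent) to these.
ALL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def expand_protocols(value):
    """Expand a Tomcat 'protocols' value such as 'all' or '+TLSv1.2,+TLSv1.3'.
    Simplified token handling (assumption): '+' or no prefix adds, '-' removes."""
    enabled = set()
    for tok in (value or "all").split(","):
        tok = tok.strip()
        if not tok:
            continue
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if remove else enabled | names
    return enabled

def audit_connectors(server_xml):
    """Map each SSLEnabled <Connector> port to the legacy versions it still
    negotiates; an empty list means only TLS 1.2/1.3 are left."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        # 'protocols' (on <SSLHostConfig> or the Connector; older alias
        # 'sslEnabledProtocols') limits versions. 'sslProtocol' only picks the
        # JSSE SSLContext and leaves the default "all" in force.
        hosts = list(conn.iter("SSLHostConfig")) or [conn]
        legacy = set()
        for host in hosts:
            value = (host.get("protocols") or conn.get("protocols")
                     or conn.get("sslEnabledProtocols"))
            legacy |= expand_protocols(value) & LEGACY
        report[conn.get("port")] = sorted(legacy)
    return report

# Constructed sample: box #2's connector from the thread (port changed to 8443
# so the keys stay distinct) next to Thomas's SSLHostConfig-based one.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLSv1.2" />
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="+TLSv1.2,+TLSv1.3" />
  </Connector>
</Service></Server>"""
```

The check only reads server.xml: a JVM whose java.security jdk.tls.disabledAlgorithms list already disables TLSv1 and TLSv1.1 will refuse them regardless, which an external scan shows but this audit does not, so run both.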