0

I'm new to tomcat. I've seen many links regarding changing the tls version in tomcat. All of them do one thing in common (ie) to configure the sslProtocol field in the below connector (in server.xml):

  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLSv1.2" />

However I've changed this line to so many times to different versions. But whenever I test this using openssl, the server works only on TLSv1.2 and not any other versions. It seems that the field sslProtol in connector takes no effect on changing the TLS version. Is there anything that one needes to configure other than changing the version in the connector ? I've searched all over the web and stackoverflow and numerous answers. All seems to change the connector.

Is there anything other than configuring the connector to change the ssl/tls version like adding any external libraries or configuring the jdk or something like that .

Pk20
  • 3
  • 2
  • The `sslProtocol` attribute specifies the [`SSLContext` algorithm](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#sslcontext-algorithms). The value `TLSv1.2` usually means _"any TLS version"_. In the deprecated configuration syntax that you are using, you should use `sslEnabledProtocols`. – Piotr P. Karwasz Sep 26 '21 at 11:26

1 Answers1

0

Tomcat doesn't implemented SSL/TLS itself. Instead it relies on something external.

  • If you are using APR connectors, it uses on the OpenSSL engine installed on your platform.

  • If you are using BIO or NIO connectors, it uses the JSSE provider that your JVM is configured to use. That could either be the JSSE provider distributed as part of Java SE, or it could be a 3rd-party provider such as BounceCastle.

So ... if you can't get the "sslProtocol" parameter to actually select what you want, check that your JVM, JSSE provider or OpenSSL implementation actually supports the version you are trying to use.

Note that if you are using a "stack" that doesn't support (say) TLSv1.3, specifying that in the Connector config is not going to magically make it work. The SSL implementation code has to support it.

References:

Note that the above says what versions of SSL / TLS are supported by older versions of Java. It also provides some tips one figuring out what version is actually being used.

If you had told us clearly ...

  • what versions of SSL / TLS you were trying to use,
  • what Tomcat Connector class you were using, and
  • what versions of the respective software you were using ...

then I might have been able to give you more specific advice.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216