TechQA.

How to enable TLS1.2 for tomcat webserver connections We are using tomcat 7.0.82

5.7k views Asked by At

I have a tomcat webapp where the client is using TLS1.2 but a technical scan found the server is still using TLS1.0. I want to enable TLS1.2. We are using Java 7 and the connector snippet for the server.xml is as below,

   <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000" 
            socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2024" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" 
            keystoreFile="/cert/fic_rest.jks" keystorePass="********" 
            truststoreFile="/cert/fic_rest.jks" server="UnIdentified" compression="on" compressionMinSize="2048" 
            noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
    />
<!-- Define an AJP 1.3 Connector on port 2023 -->
<Connector port="2023" protocol="AJP/1.3" redirectPort="2022" />

    <Connector  acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000" 
            socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2020" protocol="org.apache.coyote.http11.Http11NioProtocol" server="UnIdentified"
    />

Would changing "sslProtocol="TLS" to "sslProtocol="TLSv1.2" is all that is enough? We are using tomcat 7.0.82

java ssl tomcat tomcat7 server.xml
Original Q&A
1

There are 1 answers

2
Piotr P. Karwasz On BEST ANSWER

The sslProtocol configuration protocol does next to nothing: it only specifies which SSLContext to use, but from the perspective of a server this does not restrict anything. Any version of SSLContext sets the default SSL server protocols to the entire list of supported protocols (cf. source code).

Therefore you need to set sslEnabledProtocols="TLSv1.2" (cf. Tomcat documentation) to restrict the accepted protocol versions to only TLS 1.2. You can then test your configuration using curl.

However, if usage of TLS versions less then 1.2 is a security constraint for the whole system (cf. this question) by adding the following line to $JRE_HOME/lib/security/java.security:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1

Warning: this will influence all TLS connections in Java, even those with old databases.

Related Questions in JAVA

Related Questions in SSL

Related Questions in TOMCAT

Related Questions in TOMCAT7

Related Questions in SERVER.XML

Popular Questions

Trending Questions