FW: Tomcat 8.5.50.0: Unable to disable TLSv1.1 in protocol="org.apache.coyote.http11.Http11NioProtocol"

Eric Lee
Hi,

I'm running Tomcat 8.5.50.0 on JRE 1.8.0_241-b07 on Solaris 5.11. Like many other people, I've failed to disable TLSv1, TLSv1.1 etc.

Here is a snippet of server.xml:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedQueryChars="[]"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            sslEnabledProtocols="TLSv1.2,TLSv1.3"
            <Certificate
                        certificateKeystoreFile="conf/***********.jks"
                        certificateKeystorePassword="******"
                        certificateKeyPassword="******"
                        certificateKeyAlias="*******************"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

In fact, configuring any of these had absolutely no effect at all, and there was no message or error in catalina.out:

    sslEnabledProtocols="TLSv1.2,TLSv1.3"
    sslProtocol="TLSv1.2"
    protocols="TLSv1.2,TLSv1.3"


Tomcat continues to happily allow a TLS1 connection:

    $ openssl s_client -connect 127.0.0.1:443 </dev/null -tls1
    [SNIP]
    SSL handshake has read 3121 bytes and written 321 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: 5FFD6A60DF76BF269E4E2AFF6FAFEA58F85FBE381803355B76C2056B663B98C7
        Session-ID-ctx:
        Master-Key: FFD11889EC7BEF958EA1D0D00E57A04BF1F283EE27632B75E1AD1D7DAAE83510AC85CD7E890A58A7F7C0C6F0B56F0C61
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1610443360
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE

Best regards

Eric Lee
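As an added illustration (not part of the original post): in the snippet above, `sslEnabledProtocols="TLSv1.2,TLSv1.3"` is loose character data between `<SSLHostConfig>` and `<Certificate>`, not an attribute of any element, so Tomcat never reads it, which is why it has no effect and produces no error. In Tomcat 8.5 the per-host protocol list is the `protocols` attribute of `<SSLHostConfig>` itself (the legacy `sslEnabledProtocols` attribute belongs on `<Connector>`, where Tomcat maps it to the same setting). The keystore file, passwords and alias below are placeholders.

```xml
<!-- Added example, not the original poster's server.xml.
     Keystore file, passwords and alias are placeholders. -->

<!-- As posted: the protocol list is text inside <SSLHostConfig>,
     not an attribute, so Tomcat ignores it and TLSv1/TLSv1.1 stay enabled. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           relaxedQueryChars="[]" maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        sslEnabledProtocols="TLSv1.2,TLSv1.3"
        <Certificate certificateKeystoreFile="conf/KEYSTORE.jks"
                     certificateKeystorePassword="CHANGEME"
                     certificateKeyPassword="CHANGEME"
                     certificateKeyAlias="ALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Corrected: protocols is an attribute of <SSLHostConfig>, so only the
     listed versions are offered to clients. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           relaxedQueryChars="[]" maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/KEYSTORE.jks"
                     certificateKeystorePassword="CHANGEME"
                     certificateKeyPassword="CHANGEME"
                     certificateKeyAlias="ALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, the same `openssl s_client -connect 127.0.0.1:443 -tls1` check from the post should fail to complete a handshake, and `-tls1_2` should still succeed.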
