I have a Tomcat webapp where the client is using TLS 1.2, but a technical scan found the server is still using TLS 1.0. I want to enable TLS 1.2. We are using Java 7, and the connector snippet from the server.xml is below:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000"
socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2024" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"
keystoreFile="/cert/fic_rest.jks" keystorePass="********"
truststoreFile="/cert/fic_rest.jks" server="UnIdentified" compression="on" compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css"
/>
<!-- Define an AJP 1.3 Connector on port 2023 -->
<Connector port="2023" protocol="AJP/1.3" redirectPort="2022" />
<Connector acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="true" connectionTimeout="300000"
socket.soLingerOn="false" maxKeepAliveRequests="1000" maxThreads="50" port="2020" protocol="org.apache.coyote.http11.Http11NioProtocol" server="UnIdentified"
/>
Would changing sslProtocol="TLS" to sslProtocol="TLSv1.2" be enough?
We are using Tomcat 7.0.82.
The sslProtocol configuration protocol does next to nothing: it only specifies which SSLContext to use, but from the perspective of a server this does not restrict anything. Any version of SSLContext sets the default SSL server protocols to the entire list of supported protocols (cf. source code).
Therefore you need to set sslEnabledProtocols="TLSv1.2" (cf. Tomcat documentation) to restrict the accepted protocol versions to only TLS 1.2. You can then test your configuration using curl.
However, if usage of TLS versions less than 1.2 is a security constraint for the whole system (cf. this question), you can disable them by adding the following line to $JRE_HOME/lib/security/java.security:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
Warning: this will influence all TLS connections in Java, even those with old databases.
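An added example (not part of the original answer, and not Tomcat's own tooling): a Python check that parses a server.xml and reports TLS connectors that omit sslEnabledProtocols or list a version below TLS 1.2. It assumes the Tomcat 7 JSSE attribute syntax discussed above; the sample XML, ports 8443 and 8444, and the function name audit_connectors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocol names below TLS 1.2 that JSSE may accept in sslEnabledProtocols.
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample; port 2024 mirrors the connector in the question, trimmed.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="2024" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.2" clientAuth="true"/>
  <Connector port="2023" protocol="AJP/1.3" redirectPort="2022"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1, TLSv1.2"/>
</Service></Server>"""


def audit_connectors(server_xml):
    """Return (port, finding) pairs for TLS connectors that can accept < TLS 1.2."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # sslProtocol only picks the SSLContext; it does not restrict versions
            findings.append((port, "sslEnabledProtocols not set (sslProtocol=%s)"
                             % conn.get("sslProtocol")))
            continue
        weak = sorted({p.strip() for p in enabled.split(",")} & WEAK)
        if weak:
            findings.append((port, "weak protocols enabled: " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print("port %s: %s" % (port, finding))
```

The connector on port 2024 is flagged even though it sets sslProtocol="TLSv1.2", which is the case the question asks about.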