https://issues.apache.org/bugzilla/show_bug.cgi?id=54690

Bug ID: 54690
Summary: HTTPS BIO/NIO connector does not enable TLS 1.1 and TLS 1.2 by default
Product: Tomcat 7
Version: 7.0.37
Hardware: PC
OS: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: ognjen.d.blagoje...@gmail.com
Classification: Unclassified

As users already noted [1], the default HTTPS BIO/NIO connector in Tomcat 7.0.37 enables only SSLv3 and TLSv1, while Tomcat 6.0.36 enables SSLv3, TLSv1, TLSv1.1 and TLSv1.2.

The reason for this change of behavior is that:

1. Tomcat 6, with the default HTTPS connector configuration, does not call socket.setEnabledProtocols, thus enabling SSLv3, TLSv1, TLSv1.1 and TLSv1.2, while

2. Tomcat 7, with the default HTTPS connector configuration, calls socket.setEnabledProtocols(enabledProtocols), where enabledProtocols is obtained with: context.getDefaultSSLParameters().getProtocols(). This, contrary to not calling setEnabledProtocols at all, results in enabling only SSLv3 and TLSv1.

I propose that Tomcat 7 mimic the Tomcat 6 behavior, and if the attribute sslEnabledProtocols (in the HTTPS connector in server.xml) is not set, then the method socket.setEnabledProtocols is not invoked.

Everything is tested with Oracle JDK 1.7.0_15. More details in the post on the Tomcat dev list [2].

[1] https://twitter.com/ivanristic/status/303798231920431104
[2] http://www.mail-archive.com/dev@tomcat.apache.org/msg71522.html
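The following Java program is an added illustration, not code from the report or from Tomcat. It shows the distinction the report is about: an SSLContext's default SSLParameters (what Tomcat 7 was passing to setEnabledProtocols) versus its supported SSLParameters, and a small helper, applyConfiguredProtocols, that mirrors the proposed behaviour of only calling setEnabledProtocols when an administrator has actually configured a protocol list. The helper name, the "TLS" context name and the use of a default-initialised SSLContext with no keystore are assumptions made for the example; the exact lists printed depend on the JDK it runs on.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.Arrays;

public class EnabledProtocolsCheck {

    // What the report says Tomcat 7 used as the enabled list: the context's
    // default SSLParameters. On JDK 7 this is narrower than what is supported.
    static String[] defaultProtocols(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Everything the JSSE provider can negotiate; a superset of the defaults.
    static String[] supportedProtocols(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    // Hypothetical helper matching the proposal in the report: only override
    // the socket's enabled protocols when sslEnabledProtocols was configured;
    // an unset attribute leaves the socket's own enabled list untouched.
    static void applyConfiguredProtocols(SSLServerSocket socket, String[] configured) {
        if (configured != null && configured.length > 0) {
            // Throws IllegalArgumentException if a name is not supported by the provider.
            socket.setEnabledProtocols(configured);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Default key and trust managers; no keystore is needed just to inspect parameters.
        ctx.init(null, null, null);

        System.out.println("default protocols:   " + Arrays.toString(defaultProtocols(ctx)));
        System.out.println("supported protocols: " + Arrays.toString(supportedProtocols(ctx)));

        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Port 0 binds an ephemeral port; the socket is only created to read its protocol list.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            System.out.println("socket enabled, untouched:          "
                    + Arrays.toString(socket.getEnabledProtocols()));

            // sslEnabledProtocols not set: helper leaves the list as the provider chose it.
            applyConfiguredProtocols(socket, null);
            System.out.println("socket enabled, attribute unset:    "
                    + Arrays.toString(socket.getEnabledProtocols()));

            // sslEnabledProtocols="TLSv1.2": helper restricts the socket to that list.
            applyConfiguredProtocols(socket, new String[] {"TLSv1.2"});
            System.out.println("socket enabled, attribute = TLSv1.2: "
                    + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

Running this on the JDK a server actually uses is a quick way to verify what a connector will negotiate before trusting the documented defaults: compare the "default" line against the "supported" line, and compare the socket's enabled list with what the connector configuration is expected to produce.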