RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Chris -- Many thanks for the clarification. I missed the "client" in the jdk.tls.client.protocols jvm arg. Regards, --ccs -Original Message- From: Christopher Schultz Sent: Thursday, August 10, 2023 2:04 AM To: users@tomcat.apache.org Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options Chuck, On 8/9/23 13:58, SCHWING, CHUCK wrote: > I've looked for the answer to this online and maybe I didn't read closely > enough. > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the > same TLS version is defined in my server.xml in my SSLHostConfig: > sslProtocol="TLS" > protocols="TLSv1.2" > > My question is: What's the precedence in play? Does catalina.sh override > server.xml or is it the other way around? > > We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat > 10 so support TLS1.2 and TLS1.3 while we're migrating. The system property you have shown above does not affect the behavior of Tomcat at all. This system property affects Java's built-in TLS *client* when making /outgoing/ connections. If you specify "TLSv1.2" and no other protocols, then you will not enable TLSv1.3. You should specify: protocols="TLSv1.3, TLSv1.2" in your in order to enable TLSv1.3 and also accept TLSv1.2. Note that for TLSv1.3 there are other requirements, specifically a JVM with support if using JSSE or an OpenSSL implementation with support if using OpenSSL. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Hi all, Spying on this thread and have a little confusion. For me tomcat is running on a windows server and I wasn't able to find a Catalina.sh. I do have a Catalina.bat thoughdoes anyone know if this is supposed to be the equivalent to the .sh file , just for Windows? Thanks, Brandie Regeneron - Internal Use Only -Original Message- From: SCHWING, CHUCK Sent: Thursday, August 10, 2023 4:59 AM To: Tomcat Users List Subject: [External] RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options EXTERNAL MESSAGE _ EXTERNAL MESSAGE Chris -- Many thanks for the clarification. I missed the "client" in the jdk.tls.client.protocols jvm arg. Regards, --ccs -Original Message- From: Christopher Schultz Sent: Thursday, August 10, 2023 2:04 AM To: users@tomcat.apache.org Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options Chuck, On 8/9/23 13:58, SCHWING, CHUCK wrote: > I've looked for the answer to this online and maybe I didn't read closely > enough. > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the > same TLS version is defined in my server.xml in my SSLHostConfig: > sslProtocol="TLS" > protocols="TLSv1.2" > > My question is: What's the precedence in play? Does catalina.sh override > server.xml or is it the other way around? > > We need to migrate to TLS1.3 and we're wondering how best to configure Tomcat > 10 so support TLS1.2 and TLS1.3 while we're migrating. The system property you have shown above does not affect the behavior of Tomcat at all. This system property affects Java's built-in TLS *client* when making /outgoing/ connections. If you specify "TLSv1.2" and no other protocols, then you will not enable TLSv1.3. You should specify: protocols="TLSv1.3, TLSv1.2" in your in order to enable TLSv1.3 and also accept TLSv1.2. Note that for TLSv1.3 there are other requirements, specifically a JVM with support if using JSSE or an OpenSSL implementation with support if using OpenSSL. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org This e-mail and any attachment hereto, is intended only for use by the addressee(s) named above and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, any dissemination, distribution or copying of this email, or any attachment hereto, is strictly prohibited. If you receive this email in error please immediately notify me by return electronic mail and permanently delete this email and any attachment hereto, any copy of this e-mail and of any such attachment, and any printout thereof. Finally, please note that only authorized representatives of Regeneron Pharmaceuticals, Inc. have the power and authority to enter into business dealings with any third party. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs server.xml options
Hello Bradle, > -Ursprüngliche Nachricht- > Von: Brandie Nickey-External > Gesendet: Donnerstag, 10. August 2023 18:20 > An: Tomcat Users List > Betreff: RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs > server.xml > options > > Hi all, > > Spying on this thread and have a little confusion. For me tomcat is running > on a > windows server and I wasn't able to find a Catalina.sh. I do have a > Catalina.bat > thoughdoes anyone know if this is supposed to be the equivalent to the .sh > file , just for Windows? > > Thanks, > Brandie In general, yes. Just replace .sh with .bat on windows and you are good to go. > > Regeneron - Internal Use Only > > -Original Message- > From: SCHWING, CHUCK > Sent: Thursday, August 10, 2023 4:59 AM > To: Tomcat Users List > Subject: [External] RE: Tomcat 10.1 -- Precedence of catalina.sh jvm Options > vs > server.xml options > > EXTERNAL MESSAGE > > _ > > > > > EXTERNAL MESSAGE > > > > > Chris -- > > Many thanks for the clarification. I missed the "client" in the > jdk.tls.client.protocols jvm arg. > > Regards, > --ccs > > -Original Message- > From: Christopher Schultz > Sent: Thursday, August 10, 2023 2:04 AM > To: users@tomcat.apache.org > Subject: Re: Tomcat 10.1 -- Precedence of catalina.sh jvm Options vs > server.xml > options > > Chuck, > > On 8/9/23 13:58, SCHWING, CHUCK wrote: > > I've looked for the answer to this online and maybe I didn't read closely > enough. > > I'm running tomcat 10.1 with JDK17.0.6 and have defined a jvm startup option > of "-Djdk.tls.client.protocols=TLSv1.2" in my copy of catalina.sh and the same > TLS version is defined in my server.xml in my SSLHostConfig: > > sslProtocol="TLS" > > protocols="TLSv1.2" > > > > My question is: What's the precedence in play? Does catalina.sh override > server.xml or is it the other way around? > > > > We need to migrate to TLS1.3 and we're wondering how best to configure > Tomcat 10 so support TLS1.2 and TLS1.3 while we're migrating. > > The system property you have shown above does not affect the behavior of > Tomcat at all. This system property affects Java's built-in TLS *client* when > making /outgoing/ connections. > > If you specify "TLSv1.2" and no other protocols, then you will not enable > TLSv1.3. You should specify: > >protocols="TLSv1.3, TLSv1.2" > > in your in order to enable TLSv1.3 and also accept TLSv1.2. > Note that for TLSv1.3 there are other requirements, specifically a JVM with > support if using JSSE or an OpenSSL implementation with support if using > OpenSSL. > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > This e-mail and any attachment hereto, is intended only for use by the > addressee(s) named above and may contain legally privileged and/or > confidential information. If you are not the intended recipient of this > e-mail, > any dissemination, distribution or copying of this email, or any attachment > hereto, is strictly prohibited. If you receive this email in error please > immediately notify me by return electronic mail and permanently delete this > email and any attachment hereto, any copy of this e-mail and of any such > attachment, and any printout thereof. Finally, please note that only > authorized > representatives of Regeneron Pharmaceuticals, Inc. have the power and > authority to enter into business dealings with any third party. > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
