TLS 1.0 is considered a weak protocol, and we urge people to move to TLS 1.1 and above. The following SSL connector configurations have TLS 1.0 removed to comply with this.
TLS Risks
Among other weaknesses, TLS 1.0 is vulnerable to man-in-the-middle attacks, risking the integrity and authentication of data sent between a website and a browser. Disabling TLS 1.0 support on your server is sufficient to mitigate this issue.
Tomcat >=7
<!-- Tomcat 7 reads the protocol list from the sslEnabledProtocols attribute (sslProtocols is the pre-6.0.38 Tomcat 6 name) -->
<Connector ...
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2" />
Tomcat 5 and 6
Note: Depending on your Tomcat 5 or Tomcat 6 version, SSLEnabled="true" might not be recognised, as that attribute was added mid-release.
<Connector ...
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslEnabledProtocols="TLSv1.1,TLSv1.2" />
**On RHEL5-based distros, the following applies to Tomcat 6 versions prior to Tomcat 6.0.38**
Note that TLSv1.1 and TLSv1.2 are supported by Java 7, not Java 6. Adding these directives to a server running Java 6 is harmless, but won't enable TLSv1.1 and TLSv1.2.
<Connector ...
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocols="TLSv1.1,TLSv1.2" />
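As an added check (example code written for this article, not part of the original page or of Tomcat), the script below audits a Tomcat server.xml for TLS connectors that still list TLSv1 (or SSLv3) in sslEnabledProtocols/sslProtocols, or that set no protocol list and so fall back to the JVM default; the sample server.xml it runs against is constructed.

```python
import xml.etree.ElementTree as ET

# Tomcat 7+ and 6.0.38+ read sslEnabledProtocols; Tomcat 6 before 6.0.38 read sslProtocols.
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocols")
WEAK_PROTOCOLS = {"SSLV2", "SSLV3", "TLSV1"}  # compared case-insensitively

def connector_protocols(connector):
    """Explicit protocol list of a Connector, or None if unset (JVM default applies)."""
    for attr in PROTOCOL_ATTRS:
        raw = connector.get(attr)
        if raw is not None:
            return [p.strip() for p in raw.split(",") if p.strip()]
    return None

def audit_server_xml(xml_text):
    """One (port, status, detail) per TLS connector; status is ok, weak or default."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if (c.get("SSLEnabled", "").lower() != "true"
                and c.get("scheme", "").lower() != "https"):
            continue  # plain HTTP or AJP connector, nothing to check
        port = c.get("port", "?")
        protocols = connector_protocols(c)
        if protocols is None:
            findings.append((port, "default",
                             "no protocol list set; JVM default may still allow TLSv1"))
            continue
        weak = [p for p in protocols if p.upper() in WEAK_PROTOCOLS]
        if weak:
            findings.append((port, "weak", "enables " + ",".join(weak)))
        else:
            findings.append((port, "ok", "enables " + ",".join(protocols)))
    return findings

# Constructed sample server.xml fragment (not taken from any real deployment).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslProtocols="TLSv1.1, TLSv1.2" />
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true" />
</Service></Server>"""

if __name__ == "__main__":
    for port, status, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {status} ({detail})")
```

Run it against your own server.xml by reading the file into audit_server_xml; a "default" finding on Java 7 means TLSv1 is still negotiable even though nothing in the config names it.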