
Tomcat 9.2 not picking up config for disabling TLS 1.0


I am trying to disable TLS 1.0 in Apache Tomcat 9.0.2, however the property is never taken.

Below is the error:


    20-Feb-2019 22:51:40.913 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector/SSLHostConfig/Certificate} Setting property 'sslProtocol' to 'TLSv1.1,TLSv1.2' did not find a matching property.
    20-Feb-2019 22:51:40.914 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector/SSLHostConfig/Certificate} Setting property 'sslEnabledProtocols' to 'TLSv1.1,TLSv1.2' did not find a matching property.

server.xml configuration file:


    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/opt/certs/newtomcatcert/hello.gi.com.jks"
                         certificateKeystorePassword="########*"
                         type="RSA"
                         sslProtocol="TLSv1.1,TLSv1.2"
                         sslEnabledProtocols="TLSv1.1,TLSv1.2" />
        </SSLHostConfig>
    </Connector>

nmap result:

    Starting Nmap 5.51 ( http://nmap.org ) at 2019-03-04 19:54 EST
    Nmap scan report for hello.gi.com (10.10.100.71)
    Host is up (0.0013s latency).
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.0
    |     Ciphers (4)
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    |     Compressors (3)
    |       uncompressed
    |       uncompressed
    |       uncompressed
    |   TLSv1.1
    |     Ciphers (4)
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    |     Compressors (3)
    |       uncompressed
    |       uncompressed
    |_      uncompressed
    MAC Address: 00:50:56:A4:E0:AE (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 1.29 seconds


Solution

  • In the end it turned out to be a syntax issue:

        <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true">
            <SSLHostConfig protocols="TLSv1.1,TLSv1.2">
                <Certificate certificateKeystoreFile="/opt/certs/newtomcatcert/hello.gi.com.jks"
                             certificateKeystorePassword="########*"
                             type="RSA" />
            </SSLHostConfig>
        </Connector>
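A small lint for the misconfiguration in this thread, added here as an example and not code from the question or from Tomcat: it parses a server.xml, reports sslProtocol/sslEnabledProtocols left on <Certificate> (which Tomcat 9 ignores, as the warnings above show) and lists legacy versions still enabled through the SSLHostConfig protocols attribute, flagging TLSv1.1 as well as TLSv1.0 since both are deprecated by RFC 8996. The expansion of "all" and the +/- token handling follow Tomcat 9's documented protocols syntax as I read it and are an assumption; the two XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: Tomcat 9 treats "all" as this list (TLSv1.3 only where the JSSE/OpenSSL build supports it).
ALL_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1): a defender wants these off.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Attributes that Tomcat 9 ignores on <Certificate> ("did not find a matching property" in the log above).
MISPLACED = {"sslProtocol", "sslEnabledProtocols", "protocols"}

def expand_protocols(value):
    """Resolve a Tomcat 'protocols' value ("all", "TLSv1.2", "all,-TLSv1", "+TLSv1.3") into the enabled set."""
    enabled = set()
    for token in (t.strip() for t in value.split(",") if t.strip()):
        if token.startswith("-"):
            enabled.discard(token[1:])
        elif token.startswith("+"):
            enabled.add(token[1:])
        elif token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        else:
            enabled.add(token)
    return enabled

def audit_server_xml(xml_text):
    """Return one finding per problem found in the SSL-enabled Connectors of a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for host in conn.findall("SSLHostConfig"):
            weak = sorted(expand_protocols(host.get("protocols", "all")) & LEGACY)
            if weak:
                findings.append(f"port {port}: legacy protocols enabled: {', '.join(weak)}")
            for cert in host.findall("Certificate"):
                for attr in sorted(MISPLACED & set(cert.attrib)):
                    findings.append(f"port {port}: '{attr}' on <Certificate> is ignored; use protocols= on <SSLHostConfig>")
    return findings

# Constructed samples (no real keystore): the asker's original layout beside the accepted fix.
BROKEN = """<Server><Service><Connector port="443" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="/opt/certs/example.jks" type="RSA"
                 sslProtocol="TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
  </SSLHostConfig></Connector></Service></Server>"""
FIXED = """<Server><Service><Connector port="443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.1,TLSv1.2">
    <Certificate certificateKeystoreFile="/opt/certs/example.jks" type="RSA"/>
  </SSLHostConfig></Connector></Service></Server>"""
```

audit_server_xml(BROKEN) returns three findings (TLSv1 and TLSv1.1 enabled by the default "all", plus the two ignored attributes); the accepted fix still reports TLSv1.1, and only protocols="TLSv1.2,TLSv1.3" comes back clean.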