Enable TLS 1.2 only in apache-tomcat-9 and Java 8

tomcat 8 enable tls 1.2 only
how to enable tls 1.2 on linux server
tomcat enable https
tomcat tls termination
enable https for tomcat 7
tomcat 8 disable weak ciphers
tomcat ciphers
tomcat 9 java lang classnotfoundexception org apache coyote http11 http11protocol

I have deployed my web application in Apache Tomcat 9.x.x and I have two options for Java

  • Openjdk version 1.8.x
  • Oracle Java 1.8.x

I need to allow TLS 1.2 only.

Please help guide me to achieve this.

I have tried to follow the following links(Not sure if they are outdated).

But https://www.ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.

how to enable TLS v1.2 in Apache tomcat 8 , I am using Java 8

How do I disable SSLv3 in tomcat?

Does Tomcat support TLS v1.2? (The two steps mentioned by oraclesoon doesn't seem to work)

How do I disable SSLv3 support in Apache Tomcat?

Also HOW TO -- Disable weak ciphers in Tomcat 7 & 8 says sslProtocol is no longer used in java 8

You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLVerifyClient="optional" SSLProtocol="TLSv1.2"/>

Please refer this configuration guide and try that out.

You have to configure the Connector in the $CATALINA_BASE/conf/server.xml file. An example of an APR configuration is: <!-- Define a SSL  For security reasons, it is strongly recommended to allow HTTP communication solely over TLS 1.2 (Transport Layer Security). This recommendation applies to ICG releases prior to version 1.03.120. As of ICG version 1.03.120, TLS 1.2 will be enabled by default. To enable TLS 1.2 only, proceed as follows: Open the Tomcat server configuration file

I use tomcat 9.0.14 and JSSE. it works fine. (using TLSV1.1 and TLSV1.2)

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.1,TLSv1.2">     
    <Certificate certificateKeystoreFile="conf/keystore.jks" 
                     type="RSA" />

See: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

and AAA · 8) Security Manager · 9) JNDI Resources · 10) JDBC DataSources Most SSL-enabled web servers do not request Client Authentication. on any requests destined for the Tomcat container only after decrypting those requests. Check the documentation for your version of Java for details on  Enable TLS 1.2 in Apache. To enable TLS 1.2 in Apache you need to edit the virtualhost sections for your domain in SSL configuration and add the below SSLProtocol as shown below. This will only enable the TLS 1.2 for your Apache web server disable for all older protocols. SSLProtocol -all +TLSv1.2 Your Apache virtualhost will look like below.

If you need to check on a request by request basis to ensure that someone hasn't misconfigured your server, you can add a ContainerRequestFilter and then inside the filter(RequestContext requestContext) method insert a check that verifies that the TLS connection adhere's to your requirement.

   throw new IllegalStateException("Invalid TLS version");

This example is from Tomcat 8, but I suspect an option may be available for other containers.

Solution. To specify truststore and explicit connection security of TLS 1.2 from TAC to the TAC backend database, and force TLS 1.2 for the Java  We also recommend moving your server to use TLS versions and specifically to TLS 1.2. This tutorial will help you to enable TLS 1.2 and TLS 1.3 in mod_ssl and Apache servers. Install and Use Let’s Encrypt SSL with Apache; Prerequisites. To enable TLS 1.3 you must have Apache version 2.4.38 or higher on your system.

JSP 2.3 Javadocs · EL 3.0 Javadocs · WebSocket 1.1 Javadocs · JK 1.2 Documentation Tomcat configuration should not be the only line of defense. Enabling the security manager changes the defaults for the following settings: and Java 8, Forward Secrecy can be achieved by specifying only TLS  Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are technologies which allow web browsers and web servers to communicate over a secured connection. This means that the data being sent is encrypted by one side, transmitted, then decrypted by the other side before processing. This is a two-way process, meaning

One of the most important developments in JavaEE 8 will be support for Let's have a look at how to configure Tomcat 9 to support. We can use ALPN which is a TLS extension and in the handshake, you send an Only what's new is included, so you won't spend time reading what you already know, only what you don't. If a 1.2 client connects to a server running a lower version, the client will adjust. If a lower client connects to a server running 1.2, the server will adjust. Because of backwards-compatibility, clients supporting TLS 1.2 will receive improved communications and older clients will continue to function.

Changing the SSL Protocols and Cipher Suites for IIS involves making changes to the registry. It is not direct or TLS1.2 only. Not compatible Apache Tomcat Using Java Secure Socket Extension (JSSE):. Apache Tomcat  Transport Layer Security (TLS) is a network protocol that provides confidentiality, authentication, and integrity protection. There are currently 4 variants in use: SSL v3 [1], TLS v1.0 [2], TLS v1.1[3], TLS v1.2[4] (protocol will be used to refer to the variant in this context). SunJSSE provider in JDK 7/8 support all 4 protocols.

  • Using mkyong.com/tomcat/…, I have configured <<<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.2" keystoreFile="/opt/apache-tomcat-9.0.10/keystoreTomcat" keystorePass="ks1234" allowTrace="true" >>
  • Anyway I don't see a property called sslEnabledProtocols in the documentation.
  • As mentioned in the Question, ssllabs.com/ssltest/analyze.html?d=<< my public IP >> says : TLS 1.1 & TLS 1.0 are still enabled.
  • Change your SSLProtocol="TLSv1.2" and check that again.
  • I shall do that. But there is already one sslProtocol="SSL" as found in many documents. Are these attributes of connector case sensitive. Shall I remove sslProtocol ?