Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following constants (from jni/java/org/apache/tomcat/jni/SSL.java)

    public static final int SSL_OP_NO_TLSv1_1 = 0x08000000;
    public static final int SSL_OP_NO_TLSv1_2 = 0x10000000;

that get passed into OpenSSL's SSL_CTX_set_options (see jni/native/src/sslcontext.c). OpenSSL however defines these constants out-of-order (from ssl/ssl.h):

    #define SSL_OP_NO_TLSv1_2 0x08000000L
    #define SSL_OP_NO_TLSv1_1 0x10000000L

The result is that defining "SSL_OP_NO_TLSv1_1" instead disables support for TLS 1.2 (and vice-versa).
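Added example (not part of the original report and not Tomcat Native code): a small consistency check that compares the binding-side values quoted above with the ssl/ssl.h values quoted above and shows which protocol the native side actually disables. The struct, table and function names are illustrative assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Values as quoted on this page from OpenSSL's ssl/ssl.h. */
#define OSSL_NO_TLSv1_2 0x08000000L
#define OSSL_NO_TLSv1_1 0x10000000L

/* One mirrored constant: binding-side value vs. native header value.
   Struct and table names are illustrative, not Tomcat Native code. */
struct op_const { const char *name; long binding; long native; };

/* Binding values as quoted on this page from SSL.java. */
static const struct op_const reported[] = {
    { "SSL_OP_NO_TLSv1_1", 0x08000000L, OSSL_NO_TLSv1_1 },
    { "SSL_OP_NO_TLSv1_2", 0x10000000L, OSSL_NO_TLSv1_2 },
};

/* Count constants whose binding value differs from the header. */
int count_mismatches(const struct op_const *t, int n) {
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (t[i].binding != t[i].native) {
            printf("MISMATCH %-18s binding=0x%08lx native=0x%08lx\n",
                   t[i].name, (unsigned long)t[i].binding, (unsigned long)t[i].native);
            bad++;
        }
    return bad;
}

/* Binding-side value a caller passes for the named option (0 if unknown). */
long binding_value(const struct op_const *t, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) return t[i].binding;
    return 0;
}

/* Protocols the native side disables for a given options mask. */
const char *disabled_natively(long opts) {
    int no11 = (opts & OSSL_NO_TLSv1_1) != 0, no12 = (opts & OSSL_NO_TLSv1_2) != 0;
    if (no11 && no12) return "TLSv1.1 TLSv1.2";
    if (no11) return "TLSv1.1";
    return no12 ? "TLSv1.2" : "none";
}

int main(void) {
    printf("%d mismatch(es)\n", count_mismatches(reported, 2));
    long opt = binding_value(reported, 2, "SSL_OP_NO_TLSv1_1");
    printf("caller asked to disable TLSv1.1, OpenSSL disables: %s\n", disabled_natively(opt));
    return 0;
}
```

A check of this kind, run in the build against the header actually compiled in, catches mirrored constants that drift from the native definitions before a protocol restriction is silently applied to the wrong version.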
Java code of Tomcat Native is maintained in Tomcat proper. I am moving the bug there.
Fixed in trunk and 8.0.x (for 8.0.19 onwards).
(In reply to Jeff Pinner from comment #0)
> Bug 53952 added support for TLS 1.1 and TLS 1.2 and added the following
> constants (from jni/java/org/apache/tomcat/jni/SSL.java)
>
> public static final int SSL_OP_NO_TLSv1_1 = 0x08000000;
> public static final int SSL_OP_NO_TLSv1_2 = 0x10000000;

For the record, these constants were added in r1632577 which slightly pre-dates the commits directly-related to bug #53952. Also note that these constants were never back-ported to Tomcat 7.