--- webapps/docs/config/http.xml (revision 1392879)
+++ webapps/docs/config/http.xml (working copy)
@@ -1190,9 +1190,10 @@

Protocol which may be used for communicating with clients. The default
- value is all, which is equivalent to SSLv3+TLSv1
- with other acceptable values being SSLv2,
- SSLv3, TLSv1 and any combination of the three
+ value is all, which is equivalent to
+ SSLv3+TLSv1+TLSv1.1+TLSv1.2 with other acceptable values being
+ SSLv2, SSLv3, TLSv1, TLSv1.1,
+ TLSv1.2 and any combination of the three
 protocols concatenated with a plus sign. Note that the protocol SSLv2 is inherently unsafe.
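Review bot: The new text still says `any combination of the three` protocols although the list it follows now names five values (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2), so the count is stale in the added lines. Replace it with `any combination of these protocols` so the sentence stays correct the next time a version is added.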

--- webapps/docs/ssl-howto.xml (revision 1392879)
+++ webapps/docs/ssl-howto.xml (working copy)
@@ -369,7 +369,7 @@
 scheme="https" secure="true" SSLEnabled="true"
 SSLCertificateFile="/usr/local/ssl/server.crt"
 SSLCertificateKeyFile="/usr/local/ssl/server.pem"
- SSLVerifyClient="optional" SSLProtocol="TLSv1"/>
+ SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

--- java/org/apache/tomcat/jni/SSLContext.java (revision 1392879)
+++ java/org/apache/tomcat/jni/SSLContext.java (working copy)
@@ -29,12 +29,13 @@
 /**
 * Initialize new SSL context
 * @param pool The pool to use.
- * @param protocol The SSL protocol to use. It can be one of:
+ * @param protocol The SSL protocol to use. It can be bitwise OR of the following:
 *
      * SSL_PROTOCOL_SSLV2
      * SSL_PROTOCOL_SSLV3
-     * SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3
      * SSL_PROTOCOL_TLSV1
+     * SSL_PROTOCOL_TLSV1_1
+     * SSL_PROTOCOL_TLSV1_2
      * SSL_PROTOCOL_ALL
      * 
* @param mode SSL mode to use
--- java/org/apache/tomcat/jni/SSL.java (revision 1392879)
+++ java/org/apache/tomcat/jni/SSL.java (working copy)
@@ -71,7 +71,9 @@
 public static final int SSL_PROTOCOL_SSLV2 = (1<<0);
 public static final int SSL_PROTOCOL_SSLV3 = (1<<1);
 public static final int SSL_PROTOCOL_TLSV1 = (1<<2);
- public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1);
+ public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3);
+ public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4);
+ public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2);
 /*
 * Define the SSL verify levels
--- java/org/apache/tomcat/jni/socket/AprSocketContext.java (revision 1392879)
+++ java/org/apache/tomcat/jni/socket/AprSocketContext.java (working copy)
@@ -193,7 +193,7 @@
 protected boolean useSendfile;
- int sslProtocol = SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3;
+ int sslProtocol = SSL.SSL_PROTOCOL_TLSV1_2 | SSL.SSL_PROTOCOL_TLSV1_1 | SSL.SSL_PROTOCOL_TLSV1 | SSL.SSL_PROTOCOL_SSLV3;
 /**
 * Max time spent in a callback ( will be longer for blocking )
@@ -314,6 +314,10 @@
 sslProtocol = SSL.SSL_PROTOCOL_SSLV3;
 } else if ("TLSv1".equalsIgnoreCase(protocol)) {
 sslProtocol = SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ sslProtocol = SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ sslProtocol = SSL.SSL_PROTOCOL_TLSV1_2;
 } else if ("all".equalsIgnoreCase(protocol)) {
 sslProtocol = SSL.SSL_PROTOCOL_ALL;
 }
--- java/org/apache/tomcat/util/net/AprEndpoint.java (revision 1392879)
+++ java/org/apache/tomcat/util/net/AprEndpoint.java (working copy)
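Review bot: The rewritten `@param protocol` line is missing an article and should read `It can be a bitwise OR of the following:`. The list below it still names SSL_PROTOCOL_ALL without saying what it expands to, which matters because SSL_PROTOCOL_SSLV2 sits in the same list; a line such as `* SSL_PROTOCOL_ALL (SSLV3, TLSV1, TLSV1_1 and TLSV1_2; SSLV2 is not included)` would make the documented meaning match the constant defined in SSL.java in this patch. The method signature this Javadoc describes is outside the hunk.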
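Review bot: The bit positions chosen for SSL_PROTOCOL_TLSV1_1 and SSL_PROTOCOL_TLSV1_2 are only meaningful if the native tcnative library the JVM loads interprets the same bits, and nothing in this change records or checks that dependency; a comment on the constants, `// Bit values must match the SSL_PROTOCOL_* definitions in the native tcnative library`, would at least make it visible to whoever next touches either side. SSL_PROTOCOL_ALL deliberately keeps SSLV3 and leaves out SSLV2, mirroring the documented meaning of `all` in http.xml, and that policy deserves a one-line comment rather than being implied by the expression. The new SSL_PROTOCOL_ALL line is also long enough that wrapping it at the `|` operators would keep it within the file's line length.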
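Review bot: The new default for `sslProtocol` spells out the same four bits that `SSL.SSL_PROTOCOL_ALL` now defines, just as the old default matched the old value of `all`, so the two will drift apart the next time the set changes. Writing it as `int sslProtocol = SSL.SSL_PROTOCOL_ALL;` keeps the field's default identical to the documented `all` value. If the default is meant to be independent of `all`, a short comment saying so would stop someone from folding it later.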
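Review bot: The protocol-name branches here assign with `sslProtocol = ...`, while the matching branches added to AprEndpoint in the last hunk accumulate with `value |= ...`, so the two parsers would behave differently for a plus-separated value such as the `TLSv1+TLSv1.1+TLSv1.2` example that ssl-howto.xml now shows; the start of this method is outside the hunk, so I cannot see whether the string is split on `+` before it reaches these comparisons, but if it is not, only the last token wins here. The name-to-bit mapping is now duplicated in AprSocketContext and AprEndpoint and needs two edits for every new protocol; a single static helper on SSL (for example `static int protocolBit(String name)` returning the matching `SSL_PROTOCOL_*` constant and throwing `IllegalArgumentException` for an unknown name) would let both callers share one definition. The branch for unknown names, if any, is also outside this hunk.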
@@ -515,6 +515,10 @@
 value |= SSL.SSL_PROTOCOL_SSLV3;
 } else if ("TLSv1".equalsIgnoreCase(protocol)) {
 value |= SSL.SSL_PROTOCOL_TLSV1;
+ } else if ("TLSv1.1".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_1;
+ } else if ("TLSv1.2".equalsIgnoreCase(protocol)) {
+ value |= SSL.SSL_PROTOCOL_TLSV1_2;
 } else if ("all".equalsIgnoreCase(protocol)) {
 value |= SSL.SSL_PROTOCOL_ALL;
 } else {