Bug 57102 - Cannot Specify sslEnabledProtocols
Summary: Cannot Specify sslEnabledProtocols
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Connectors
Version: 6.0.41
Hardware: PC Linux
Importance: P2 major
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Reported: 2014-10-16 22:04 UTC by Jason Schwanz
Modified: 2014-10-19 21:56 UTC
Description Jason Schwanz 2014-10-16 22:04:20 UTC
I'm attempting to disable SSLv3 by specifying the sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" in my HTTP connector, but it is not disabling it. Looking at catalina.out I see this logged warning:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslEnabledProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.

The host is running Tomcat 6.0.41 with Java 7u65.
Comment 1 Mark Thomas 2014-10-16 22:36:00 UTC
Bugzilla is not a support forum. Please use the users mailing list.
Comment 2 Mark Thomas 2014-10-17 10:13:32 UTC
This issue has been confirmed. It affects the HTTPS NIO connector.
Comment 3 Mark Thomas 2014-10-17 11:16:08 UTC
Fix proposed for 6.0.x
Comment 4 Konstantin Kolinko 2014-10-17 11:25:11 UTC
How about protocols="TLSv1,TLSv1.1,TLSv1.2" ?

See bug 54691 for original introduction of sslEnabledProtocols in Tomcat 6.
Comment 5 Konstantin Kolinko 2014-10-17 12:16:42 UTC
(In reply to Konstantin Kolinko from comment #4)
> How about protocols="TLSv1,TLSv1.1,TLSv1.2" ?
> 
> See bug 54691 for original introduction of sslEnabledProtocols in Tomcat 6.

I see now, r1521514 was wrong as there was no "protocols" setting for Nio in Tomcat 6. Bio uses "attributes.get("protocols")" in JSSESocketFactory.initServerSocket(), but Nio has different code with NioEndpoint.createSSLEngine().

Voted for the patch.
Comment 6 Christopher Schultz 2014-10-17 13:43:02 UTC
Whoops, sorry for the oversight on the NIO connector.

It looks like markt applied this patch. Is this then FIXED?
Comment 7 Mark Thomas 2014-10-17 14:02:01 UTC
This is fixed in 6.0.x and will be included in 6.0.x onwards.
Comment 8 Konstantin Kolinko 2014-10-19 21:56:23 UTC
> This is fixed in 6.0.x and will be included in 6.0.x onwards.

in 6.0.43 onwards.
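
Added example (not part of the original bug report or of Tomcat): a small scanner for catalina.out that picks out SetAllPropertiesRule warnings like the one in the description when the ignored attribute is a TLS setting, so a hardening change that never took effect is noticed at startup. The list of attribute names and the sample log are assumptions constructed for the example.

```python
import re
from typing import NamedTuple

# Message format taken from the warning quoted in the bug description.
WARNING_RE = re.compile(
    r"\[SetAllPropertiesRule\]\{(?P<element>[^}]+)\} "
    r"Setting property '(?P<prop>[^']+)' to '(?P<value>[^']*)' "
    r"did not find a matching property"
)

# Assumption: connector attributes treated as TLS hardening settings.
TLS_ATTRIBUTES = {"sslEnabledProtocols", "protocols", "sslProtocol",
                  "ciphers", "clientAuth"}
PROTOCOL_LISTS = {"sslEnabledProtocols", "protocols"}


class IgnoredSetting(NamedTuple):
    line_no: int
    element: str
    prop: str
    value: str
    sslv3_restriction_lost: bool


def find_ignored_tls_settings(lines):
    """Return TLS-related attributes that Tomcat logged as unmatched (ignored)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = WARNING_RE.search(line)
        if not m or m.group("prop") not in TLS_ATTRIBUTES:
            continue
        prop, value = m.group("prop"), m.group("value")
        protocols = {p.strip() for p in value.split(",") if p.strip()}
        # A protocol list without SSLv3 was meant to switch SSLv3 off; because
        # the attribute was ignored, that restriction never took effect.
        lost = prop in PROTOCOL_LISTS and "SSLv3" not in protocols
        findings.append(
            IgnoredSetting(line_no, m.group("element"), prop, value, lost))
    return findings


# Constructed sample of catalina.out; line 2 is the warning from the report.
SAMPLE_LOG = """\
Oct 16, 2014 9:58:11 PM org.apache.catalina.startup.Catalina load
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslEnabledProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.
WARNING: [SetAllPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property.
INFO: Server startup in 2140 ms
""".splitlines()
```

A finding with sslv3_restriction_lost set means the connector should be tested from the client side before the host is treated as having SSLv3 disabled.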