In webapps/docs/security-howto.xml the following documentation is provided for the sslEnabledProtocols option. 304 <p>The <strong>sslEnabledProtocols</strong> attribute determines which 305 versions of the SSL/TLS protocol are used. Since the POODLE attack in 306 2014, all SSL protocols are considered unsafe and a secure setting for 307 this attribute in a standalone Tomcat setup might be 308 <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p> This documentation also includes an example of setting this option. When this is syntax is used you get the following warning text printed into the log. WARN - The protocol [TLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing. Inside org/apache/tomcat/util/net/SSLHostConfig.java there is a comment describing the expected format for this options and how its parsed. 441 // List of protocol names, separated by ",", "+" or "-". 442 // Semantics is adding ("+") or removing ("-") from left 443 // to right, starting with an empty protocol set. 444 // Tokens are individual protocol names or "all" for a 445 // default set of supported protocols. 446 // Separator "," is only kept for compatibility and has the 447 // same semantics as "+", except that it warns about a potentially 448 // missing "+" or "-". I've never written a patch before but I'm keen to assist if I can get some guidance.
Here is the original patch that changed this for version 8. https://svn.apache.org/viewvc?view=revision&revision=1681779 It did include some documentation updates but not to sslEnabledProtocols.
After a review, this section of the security howto doc is outdated and it can be removed. Fixed in: - trunk for 9.0.2 onwards - 8.5.x for 8.5.24 onwards - 8.0.x for 8.0.48 onwards - 7.0.x for 7.0.83 onwards (thanks to Mark for the cut and paste :) )