How to Configure SSL Protocols

Overview

This topic describes how to disable specific SSL protocols, such as TLS1 and/or TLS1.1, on Tomcat 8.

Tomcat uses two different implementations of SSL:

• The JSSE implementation that's provided as part of the Java runtime (since 1.4).
• The APR implementation, which uses the OpenSSL engine by default.

Configuration details depend on the implementation being used.

For these instructions, the APR implementation is required. Make sure the SSLEngine attribute is set to a value other than off. The default value is on. If you wish to specify another value, that value must be a valid engine name.

An example of APR configuration looks like the block below.

<Connector SSLCertificateFile="${catalina.base}/conf/localhost.crt" SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" SSLEnabled="true" clientAuth="false" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" SSLProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" />

Confirm disabled protocols

To confirm that TLS 1 has been disabled, run the following command:

openssl s_client -connect localhost:8443 -tls1

To confirm that TLS 1.1 has been disabled, run the following command:

openssl s_client -connect localhost:8443 -tls1_1

Both commands should return outputs of this kind:

[centos@ip-172-31-32-213 ~]$ openssl s_client -connect localhost:8443 -tls1_1
CONNECTED(00000003)
140677227890576:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert number 70
140677227890576:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.1
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1610388404
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---

Validate that TLS 1.2 is still enabled

To validate that TLS 1.2 remains enabled, run the following command:

openssl s_client -connect localhost:8443 -tls1_2

The output of this command should return an SSL certificate, and look like this:

CONNECTED(00000003)
depth=0 C = GB
verify error:num=18:self signed certificate
verify return:1
depth=0 C = GB
verify error:num=10:certificate has expired
notAfter=Jun  8 14:27:19 2020 GMT
verify return:1
depth=0 C = GB
notAfter=Jun  8 14:27:19 2020 GMT
verify return:1
---
Certificate chain
0 s:/C=GB
i:/C=GB
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC7TCCAdWgAwIBAgIJAMsPhhsmv/jdMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV
BAYTAkdCMB4XDTIwMDUwOTE0MjcxOVoXDTIwMDYwODE0MjcxOVowDTELMAkGA1UE
BhMCR0IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDkDA80QKNRRGW
yc7KJuOuq96j7LtJFcHFPDqU0F4gUAoHaim39YtqCQSWXwd4eCBFVv9v3UWX+cS0
dFOe8AT0eeAzeAxfzE1LC3yT2H+3ALq55/CLSQxIPrQ9U+uPY9+p/duJ7IF6bJJM
DXGZ1ua0u4UbNc1EB9pkN6jO/iCAvB2CLQC6Gyi6+8yCFzZ14HJmHtaEbYpey0BA
3cm2y4FQCU3AqfVJk0k4E21Go1y8Dj59gr/dsk2A3KQXB3SdKgVZyc6r4GctQavV
Do4SfXAAHvkHFXVBOQtNvukb+SNf+0XoRytVkzDoTZ6+lkmvVvryVQOrRT3gu5R/
X7dh4iJ/AgMBAAGjUDBOMB0GA1UdDgQWBBRyiAZrwV50C6AxabY6e55QIS1i6jAf
BgNVHSMEGDAWgBRyiAZrwV50C6AxabY6e55QIS1i6jAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQCdrlJbeDgmjpKaexXGU6tn2xQjtyz4xQGmHkcwjLzp
cW3Ixo+DwKKQaHDRhqyrKXGEU7Vbe1rXfX6ouF5z5vutLri4N0WHhZ12O8WI3SqX
kfQhIs+F8vY0a6Ua+aiiymXa05NA9P8xu5rO1R48xDvJ+lTGODYUGBQxLcr7eZ2M
UVFtPabu8b4h9UjcnxffU7MMS5Xu1Ag16aWw3CtEi/JOtkRvJr1RQ+wrn2uWJ/tv
VaNmNZ3J+HktX+IrRsTYcQiHu/JJ0A3m3TL1HB7jZVQ4BO54iXHhvZdAuXqCfhuL
f9YOWQ5g+H6ECOdwCvu+q1aGEV+yRzch1YA2Vah/2yJQ
-----END CERTIFICATE-----
subject=/C=GB
issuer=/C=GB
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1428 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8F50EEEAF9F8C0F4FF8F09FF20A3850FDAC04B9EE6FD3C18896E666022E200FE
Session-ID-ctx: 
Master-Key: 59B6EB386A6A5CB4BA533DE73BEE8A1AE21056F50C67392ACD83EEFCD920B39F295B4D40E00148B5271AB31DA46BECD9
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - 96 2b 0d ce 60 78 29 a0-1e fd f0 d0 38 2a ef f4   .+..`x).....8*..
0010 - 62 ea ec 77 98 bf 2e 87-f8 aa bc ce 74 1f 12 47   b..w........t..G
0020 - ab b4 47 c4 3f 44 f5 07-76 2d 15 b9 14 a0 9f 52   ..G.?D..v-.....R
0030 - 39 b8 f0 d3 64 3a 66 d4-01 68 df b4 de b2 97 97   9...d:f..h......
0040 - a7 a5 f5 59 1f df 0b a4-2b ad 90 d7 15 67 c9 ba   ...Y....+....g..
0050 - ae 52 89 a9 24 dc a6 01-3c 44 dd 12 a5 02 79 1d   .R..$...<D....y.
0060 - d1 a9 12 88 f9 61 e4 bc-22 4c 6f 2d 1a 86 ce b8   .....a.."Lo-....
0070 - bb 34 56 65 34 3b e8 5e-7d 49 60 05 a6 45 92 30   .4Ve4;.^}I`..E.0
0080 - dc ca a1 0e 0c 94 a5 3d-bb 1a 83 cf ac 3f 89 83   .......=.....?..
0090 - 49 80 b8 3b 4e 77 f4 a4-7e 13 82 f4 e0 d9 9f c9   I..;Nw..~.......
00a0 - 3b 64 b1 a4 ec dc de e5-aa 7b 70 df 75 03 c4 4d   ;d.......{p.u..M
Start Time: 1610388589
Verify return code: 10 (certificate has expired)
---

For more information, read the Apache Tomcat 8 documentation.

Contact support

If you require additional assistance disabling or enabling SSL protocols, read Getting Support.