Disabling TLS 1.0 and 1.1 on Tomcat

There are numerous known security vulnerabilities in the SSL/TLS protocol versions prior to TLS 1.2, so our systems must accept only the current versions of these essential security protocols. Use the following procedure to make sure your application is configured to require TLS 1.2 or higher. To support TLS 1.2 or higher, your Linux system must have at least OpenSSL 1.0.2k on RHEL 7 or OpenSSL 1.0.1e on RHEL 6.

Process

Use a text editor to change the following lines in the SSL connector configuration (server.xml) of the Tomcat application server. The location of the file depends on how, and which version of, Tomcat was installed; common locations are /etc/tomcat/server.xml, /usr/share/tomcat/conf/server.xml and /opt/tomcat/conf/server.xml.

  • Find the connector for the port on which you want to disable TLS 1.0 and 1.1.
  • Change its <SSLHostConfig> line to <SSLHostConfig protocols="TLSv1.2">
  • Then restart Tomcat by running sudo service tomcat restart
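As an added example (not part of the original procedure), here is a complete HTTPS connector for Tomcat 8.5 or 9 with the protocol restriction in place; the port, the NIO protocol class and the keystore path and password are assumed placeholders, to be replaced with your own values.

```xml
<!-- Added example: an HTTPS Connector in server.xml restricted to TLS 1.2.
     Port, keystore file and password are placeholders for your installation. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true">
    <!-- Without a protocols attribute, SSLHostConfig defaults to "all",
         which still includes TLSv1 and TLSv1.1 on JVMs that have not
         disabled them. Listing TLSv1.2 alone makes the connector refuse
         handshakes from clients that offer only the older versions.
         Append TLSv1.3 ("TLSv1.2,TLSv1.3") if your JVM supports it. -->
    <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Tomcat 7 and 8.0 have no SSLHostConfig element; there the equivalent
     setting is the sslEnabledProtocols attribute on the Connector itself:
     <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
                sslEnabledProtocols="TLSv1.2" ... /> -->
```

After the restart, a handshake forced to an old version, for example openssl s_client -connect host:8443 -tls1_1, should fail, while the same command with -tls1_2 should complete.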

SSL Protocol Support

Troubleshooting

Disabling TLS 1.0 and 1.1 can break connectivity between your web application and older browsers or clients that do not support TLS 1.2. Try to reproduce the problem with a known-good client first to confirm whether the protocol change is the cause. If access to your application is completely broken, please open a ticket with ITAC and we can help track down the cause of the issue.