Issues Disabling TLS 1.0 and 1.1 on Tomcat Server

I’m managing a website, and during a vulnerability scan, it’s showing that TLS 1.0 and 1.1 are still supported. However, I’m trying to disable these protocols to improve security.

I don’t have much knowledge about security, but I’ve tried several things (with help from ChatGPT), and nothing seems to be working.

Additional Information:

  • Server: Tomcat 8.5.100
  • Java Version: Java 8

Please help me.

Steps I’ve Taken to Solve This:

  1. Modified the server.xml file as follows:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" server="Server" />
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path" keystorePass="password"
           clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8"
           Ciphers="ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384,
                    ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305,
                    ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256,
                    ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384,
                    ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256"
/>
  • Setting protocol="org.apache.coyote.http11.Http11Protocol" doesn’t seem to work.
  • I tried removing the ciphers attribute, but it didn’t help.
  • I also tried using the <SSLHostConfig> tag, but Tomcat failed to restart. I checked the catalina.log and saw this error:
Multiple SSLHostConfig elements were provided for the host name [_default_]. Hostnames must be unique.
  2. java.security file
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, TLSv1, TLSv1.1, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
  3. Tested with the openssl command, and the session protocol is TLSv1.2

server.xml

Update your <Connector> configuration for the HTTPS connection as follows:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" 
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" 
           sslEnabledProtocols="TLSv1.2" 
           ciphers="ECDHE-ECDSA-AES256-GCM-SHA384, 
                    ECDHE-RSA-AES256-GCM-SHA384, 
                    ECDHE-ECDSA-CHACHA20-POLY1305, 
                    ECDHE-RSA-CHACHA20-POLY1305, 
                    ECDHE-ECDSA-AES128-GCM-SHA256, 
                    ECDHE-RSA-AES128-GCM-SHA256, 
                    ECDHE-ECDSA-AES256-SHA384, 
                    ECDHE-RSA-AES256-SHA384, 
                    ECDHE-ECDSA-AES128-SHA256, 
                    ECDHE-RSA-AES128-SHA256" />

Ensure that your java.security file contains the following line to disable TLS 1.0 and TLS 1.1:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, TLSv1, TLSv1.1, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Restart Tomcat

After making these changes, restart your Tomcat server to apply the new settings.

Verify Configuration

You can verify the enabled protocols using the following OpenSSL command:

openssl s_client -connect yourdomain.com:443 -tls1
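The thread touches three separate places where TLS 1.0/1.1 can stay alive on Tomcat 8.5: the connector's protocol list, a nested `<SSLHostConfig>` (on Tomcat 8.5, putting SSL attributes directly on the `<Connector>` creates an implicit `_default_` SSLHostConfig, so adding an explicit `<SSLHostConfig>` as well produces exactly the "Multiple SSLHostConfig elements" error from the question), and `jdk.tls.disabledAlgorithms` in `java.security`. The following script is an added example, not code from the question, the answer, or the Tomcat project; it audits a `server.xml` and a `java.security` excerpt offline and reports those three problems. The sample configurations are constructed for the example (the broken one reproduces the question's attribute-plus-element mix, the fixed one mirrors the answer's connector), and the expansion of Tomcat's `all` keyword to TLSv1/TLSv1.1/TLSv1.2 is an assumption that matches Tomcat 8.5 on Java 8.

```python
"""Audit Tomcat 8.5 server.xml and java.security for legacy TLS settings.

Added example: checks, without touching the network,
  1. protocol lists (sslEnabledProtocols or SSLHostConfig protocols) that
     still enable SSLv3 / TLSv1 / TLSv1.1, including via the 'all' keyword;
  2. attribute-style SSL settings on a <Connector> combined with a nested
     <SSLHostConfig>, which Tomcat 8.5 rejects as a duplicate _default_ host;
  3. a jdk.tls.disabledAlgorithms line that does not list TLSv1 and TLSv1.1.
"""
import xml.etree.ElementTree as ET

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Connector attributes that make Tomcat 8.5 create an implicit SSLHostConfig.
ATTR_STYLE_SSL = {"sslEnabledProtocols", "sslProtocol", "ciphers",
                  "keystoreFile", "keystorePass", "clientAuth"}


def expand_protocols(value):
    """Expand a Tomcat protocol list such as "TLSv1.2" or "all,-TLSv1".
    Assumption: 'all' means TLSv1, TLSv1.1 and TLSv1.2 (Tomcat 8.5 on Java 8)."""
    enabled = set()
    for tok in (t.strip() for t in value.split(",")):
        if not tok:
            continue
        if tok.lower() == "all":
            enabled |= {"TLSv1", "TLSv1.1", "TLSv1.2"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        elif tok.startswith("+"):
            enabled.add(tok[1:])
        else:
            enabled.add(tok)
    return enabled


def audit_server_xml(xml_text):
    """Return a list of findings for every SSL-enabled <Connector>."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        hosts = conn.findall("SSLHostConfig")
        attr_style = sorted(ATTR_STYLE_SSL & set(conn.attrib))
        if attr_style and hosts:
            findings.append(
                f"port {port}: attribute-style SSL settings {attr_style} plus a nested "
                "<SSLHostConfig> both define the _default_ host; Tomcat 8.5 rejects this "
                "as duplicate SSLHostConfig elements")
        names = [h.get("hostName", "_default_") for h in hosts]
        dups = sorted({n for n in names if names.count(n) > 1})
        if dups:
            findings.append(f"port {port}: duplicate SSLHostConfig hostName(s) {dups}")
        # Every protocol list that applies to this connector; with no list at
        # all Tomcat falls back to 'all'.
        sources = []
        if "sslEnabledProtocols" in conn.attrib:
            sources.append(("sslEnabledProtocols", conn.get("sslEnabledProtocols")))
        for h in hosts:
            sources.append(("SSLHostConfig protocols", h.get("protocols", "all")))
        if not sources:
            sources.append(("default protocol list", "all"))
        for label, value in sources:
            legacy = sorted(LEGACY & expand_protocols(value))
            if legacy:
                findings.append(f"port {port}: {label}={value!r} still enables {legacy}")
    return findings


def audit_java_security(text):
    """Return the legacy protocols missing from jdk.tls.disabledAlgorithms."""
    joined = text.replace("\\\n", "")  # fold Java-properties line continuations
    for line in joined.splitlines():
        if line.strip().startswith("jdk.tls.disabledAlgorithms"):
            algs = {a.strip() for a in line.split("=", 1)[1].split(",")}
            return [p for p in ("TLSv1", "TLSv1.1") if p not in algs]
    return ["TLSv1", "TLSv1.1"]  # property absent: nothing is disabled


# Constructed sample: the question's mistake, attributes plus <SSLHostConfig>.
BROKEN_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path" keystorePass="password"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2">
    <SSLHostConfig protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="/path" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed sample mirroring the answer's connector.
FIXED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path" keystorePass="password"
             clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             ciphers="ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384"/>
</Service></Server>"""

# Constructed java.security excerpts: one hardened, one leaving TLS 1.0/1.1 on.
GOOD_JAVA_SECURITY = """jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, TLSv1, TLSv1.1, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
STOCK_JAVA_SECURITY = """jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

if __name__ == "__main__":
    for name, xml in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(name, audit_server_xml(xml) or "no findings")
    print("java.security missing:", audit_java_security(STOCK_JAVA_SECURITY))
```

Point the two functions at the real files (`conf/server.xml` and `$JAVA_HOME/jre/lib/security/java.security`) to check a live install; an empty result from both is what the hardened state looks like. Keep in mind that the `jdk.tls.disabledAlgorithms` check only matters for the JSSE connector shown here, and that the `openssl s_client ... -tls1` check at the end of the answer proves the point only if the handshake fails; repeating it with `-tls1_1` and `-tls1_2` shows that exactly one of the three succeeds.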