Enabling or Disabling TLS Versions

To allow (or restrict) specific TLS protocols for the application to use:

  1. Stop Cascade CMS.
  2. Edit the file tomcat/conf/server.xml.
  3. Locate your existing SSL/TLS Connector.
  4. Add the sslEnabledProtocols attribute, set to the TLS protocols that you wish to allow. Only the protocols listed are enabled, so any version left out is restricted. For example:
    • sslEnabledProtocols="TLSv1.2" - to force TLSv1.2 only
    • sslEnabledProtocols="TLSv1.2+TLSv1.3" - to allow both TLSv1.2 and TLSv1.3
  5. Save the file.
  6. Start Cascade CMS.

A sample Connector that allows TLSv1.2 and TLSv1.3 can be seen below:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
     keystorePass="keystorePass"
     keystoreFile="pathToKeystore"
     maxThreads="256"
     maxPostSize="40000000"
     maxParameterCount="1000000"
     connectionTimeout="20000"
     maxSwallowSize="-1"
     SSLEnabled="true"
     sslEnabledProtocols="TLSv1.2+TLSv1.3"
     scheme="https"
     secure="true"
     clientAuth="false"
     sslProtocol="TLS"
     compression="on"
     compressionMinSize="1024"
     noCompressionUserAgents="gozilla, traviata"
     compressibleMimeType="application/javascript,application/json,application/rss+xml,application/vnd.ms-fontobject,application/font-sfnt,application/font-woff,font/opentype,font/woff2,application/x-javascript,application/xhtml+xml,application/xml,font/eot,font/opentype,image/svg+xml,image/vnd.microsoft.icon,image/x-icon,text/css,text/html,text/javascript,text/plain,text/xml" />

See the official Apache Tomcat documentation for additional information. 

Tip: Be sure to document any changes you make to the server.xml file so that you can put them back in place after any future upgrades to the application.
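
One way to confirm the setting is still in place after an edit or an upgrade is to audit server.xml for TLS Connectors whose sslEnabledProtocols is missing or lists anything other than TLSv1.2 and TLSv1.3. This is an added example, not code from Cascade CMS or Apache Tomcat; the function names, the embedded sample server.xml and the assumption that protocol names are separated by "+" or "," are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Protocols this page's examples allow; anything else is reported.
ALLOWED = {"TLSv1.2", "TLSv1.3"}

# Constructed sample for the demo, not a real Cascade CMS configuration.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2+TLSv1.3" />
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.2" />
    <Connector port="10443" SSLEnabled="true" scheme="https" secure="true" />
  </Service>
</Server>
"""


def split_protocols(value):
    """Split an sslEnabledProtocols value on '+' or ',' (assumed separators)."""
    return [tok.strip() for tok in re.split(r"[+,]", value) if tok.strip()]


def audit_connectors(server_xml):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector, nothing to check
        port = conn.get("port", "?")
        protocols = split_protocols(conn.get("sslEnabledProtocols") or "")
        if not protocols:
            # Attribute absent or empty: the protocol set falls back to defaults.
            report[port] = ["sslEnabledProtocols not set"]
            continue
        extra = [p for p in protocols if p not in ALLOWED]
        report[port] = [f"unexpected protocol: {p}" for p in extra]
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

To check a real installation, pass the contents of tomcat/conf/server.xml to audit_connectors() in place of the sample string.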