Re: [OT] TLSv1.3 in TC8.5 + Azul Java 8
On 06.08.2019 at 18:37, George Stanchev wrote:
> So it seems to work. For whoever is interested to try, the openjsse comes prebundled with Azul's distro; all you need to do is run with the -XX:+UseOpenJSSE command line option.
>
> On the TC side, I added "TLSv1.3" to "sslEnabledProtocols":
>
>     sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3"
>
> Also not sure if I had to, but I also added the 1.3 ciphers under the ciphers attribute:
>
>     ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,"

Concerning TLS 1.3 support, one can also use OpenJSSE with other Java 8 based builds of OpenJDK, e.g. RedHat's build or Adopt. To enable OpenJSSE with those, you can e.g. (tried with TC9, should work for TC 8.5 as well):

- Include the openjsse jar in your CLASSPATH
- Add -Djava.security.properties=${CATALINA_BASE}/conf/java.security to your CATALINA_OPTS
- Put the following line into the new file ${CATALINA_BASE}/conf/java.security:

      security.provider.4=org.openjsse.net.ssl.OpenJSSE

The number 4 in that line is taken from the file java.security installed with Java 8. It should be jre/lib/security/java.security, and the line you are looking for (and that gets overwritten by the above) is

    security.provider.4=com.sun.net.ssl.internal.ssl.Provider

The number "4" can vary and must be adjusted accordingly above.

That should be enough to enable TLS 1.3. If you haven't explicitly set protocols or ciphers in server.xml, there's no need to set them for TLS 1.3.

You can check the TLS version your clients use by adding the following column to your AccessLogValve pattern:

    %{org.apache.tomcat.util.net.secure_protocol_version}r

For TLS 1.3 the value will be "TLSv1.3".

Note that to enable HTTP/2 there is a small TC patch needed that I am working on. That is due to the simplistic ALPN detection we currently use in TC, which simply checks the Java version number, not the effective ALPN support in JSSE.

> I am getting some socket warnings though [1]. Anyone knows if those are benign?
It seems to me that you have taken those warnings from the output you get when enabling Java TLS debugging using -Djavax.net.debug=all or similar. I can see those warnings as well, but I also get them when using plain Java 11. So they are not a backport artefact.

Regards,

Rainer
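As an added example (not code from the thread or from the Tomcat or OpenJSSE projects), a small POSIX shell helper for two of the steps Rainer describes: deriving the SunJSSE provider slot number from the JRE's own java.security (the "4" that varies between builds) and tallying the negotiated protocol versions from an AccessLogValve whose pattern ends with the %{org.apache.tomcat.util.net.secure_protocol_version}r column. The Java 8 directory layout, the access-log field layout and all sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for two steps in Rainer's
# message: (1) derive N for "security.provider.N" from the JRE's own
# java.security, since the slot varies between Java 8 builds; (2) tally the
# TLS versions clients negotiated, read from an AccessLogValve whose pattern
# ends with %{org.apache.tomcat.util.net.secure_protocol_version}r.
# Assumptions: Java 8 layout ($JAVA_HOME/jre/lib/security/java.security) and
# the protocol column being the last whitespace-separated field of each line.

# Print N from "security.provider.N=com.sun.net.ssl.internal.ssl.Provider"; empty if absent.
sunjsse_slot() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=com\.sun\.net\.ssl\.internal\.ssl\.Provider[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print the line ${CATALINA_BASE}/conf/java.security must contain so that
# -Djava.security.properties=<that file> swaps SunJSSE for OpenJSSE in the same slot.
openjsse_override_line() {
    slot=$(sunjsse_slot "$1")
    if [ -z "$slot" ]; then
        echo "SunJSSE provider entry not found in $1" >&2
        return 1
    fi
    printf 'security.provider.%s=org.openjsse.net.ssl.OpenJSSE\n' "$slot"
}

# Print "<version> <count>" per negotiated TLS version, most common first (ties
# by name), so remaining TLSv1/TLSv1.1 clients are visible before you drop those
# protocols from sslEnabledProtocols. A "-" field (attribute absent) is shown as no-tls.
tls_version_histogram() {
    awk '{ v = $NF; if (v == "-") v = "no-tls"; n[v]++ }
         END { for (v in n) print v, n[v] }' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample inputs (not real files from the thread) so this runs offline.
js=$(mktemp); log=$(mktemp)
cat > "$js" <<'EOF'
security.provider.1=sun.security.provider.Sun
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
EOF
cat > "$log" <<'EOF'
10.0.0.1 - - [02/Aug/2019:13:25:31 -0600] "GET / HTTP/1.1" 200 512 TLSv1.3
10.0.0.2 - - [02/Aug/2019:13:25:32 -0600] "GET /app HTTP/1.1" 200 1024 TLSv1.2
10.0.0.3 - - [02/Aug/2019:13:25:33 -0600] "GET /old HTTP/1.0" 200 128 TLSv1
10.0.0.1 - - [02/Aug/2019:13:25:34 -0600] "POST /api HTTP/1.1" 204 0 TLSv1.3
EOF
openjsse_override_line "$js"    # prints security.provider.4=org.openjsse.net.ssl.OpenJSSE
tls_version_histogram "$log"    # TLSv1.3 2 / TLSv1 1 / TLSv1.2 1
rm -f "$js" "$log"
```

Run it against the real files with `openjsse_override_line "$JAVA_HOME/jre/lib/security/java.security" > "$CATALINA_BASE/conf/java.security"` and `tls_version_histogram "$CATALINA_BASE/logs/localhost_access_log.<date>.txt"` once the pattern column is in place.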
RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8
So it seems to work. For whoever is interested to try, the openjsse comes prebundled with Azul's distro; all you need to do is run with the -XX:+UseOpenJSSE command line option.

On the TC side, I added "TLSv1.3" to "sslEnabledProtocols":

    sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3"

Also not sure if I had to, but I also added the 1.3 ciphers under the ciphers attribute:

    ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,"

I am getting some socket warnings though [1]. Anyone knows if those are benign?

George

[1]

    ERROR 2019-08-02 13:25:31,425 [SYSERR] -- []
    javax.net.ssl|DEBUG|01|main|2019-08-02 13:24:51.000 MDT|SSLCipher.java:436|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
    javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.228 MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
    javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
    "throwable" : {
      java.net.SocketException: Socket is not connected
        at java.net.Socket.shutdownOutput(Socket.java:1553)
        at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
        at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
        at java.lang.System$2.invokeFinalize(System.java:1270)
        at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
        at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
        at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}
    )
    javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.230 MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
    javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
    "throwable" : {
      java.net.SocketException: Socket is not connected
        at java.net.Socket.shutdownOutput(Socket.java:1553)
        at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
        at org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
        at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
        at java.lang.System$2.invokeFinalize(System.java:1270)
        at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
        at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
        at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}
    )
    javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
    "unknown extension (13,172)": {
    }
    )
    javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
    "unknown extension (22)": {
    }
    )
    javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
    "unknown extension (49)": {
    }
    )
    javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 MDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
    javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 MDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8
-----Original Message-----
From: Christopher Schultz

> "things to look into when I retire and my house is totally clean and
> my kids are finally out of the house" so of course, I'll never get around to
> it.

+1 :-)

--
Cris Berneburg
CACI Lead Software Engineer
RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8
Chris,

We have done several product releases on Azul, also running our SaaS instances without any issues. Granted, we're a Windows-only product, but I know other products within my company that switched to it from Oracle's Java that have not had any issues. When Oracle changed its license agreement for Java last year we were given two vendors that are allowed to be used: Azul and AdoptOpenJDK. Azul so far has been more consistent and timely in its releases, where we found AOJ somewhat lagging (they had issues with certificates, file signatures and DLL properties identifying the vendor in the past). We do use AOJ for Java+OpenJ9 VM distros though...

George

-----Original Message-----
From: Christopher Schultz
Sent: Thursday, August 01, 2019 5:48 PM
To: users@tomcat.apache.org
Subject: Re: [OT] TLSv1.3 in TC8.5 + Azul Java 8

George,

On 8/1/19 16:42, George Stanchev wrote:
> As of recently Azul has backported the JSSE from Java 11 into Java
> 8 [1] and it is currently offering TLSv1.3 support in its Java 8
> distro [2].

Good for them. It's too bad Oracle is so conservative with its policies.

I have Azul on my list of "things to look into when I retire and my house is totally clean and my kids are finally out of the house" so of course, I'll never get around to it.

I'm curious about your (and others') experiences with it.

-chris
Re: [OT] TLSv1.3 in TC8.5 + Azul Java 8
George,

On 8/1/19 16:42, George Stanchev wrote:
> As of recently Azul has backported the JSSE from Java 11 into Java
> 8 [1] and it is currently offering TLSv1.3 support in its Java 8
> distro [2].

Good for them. It's too bad Oracle is so conservative with its policies.

I have Azul on my list of "things to look into when I retire and my house is totally clean and my kids are finally out of the house" so of course, I'll never get around to it.

I'm curious about your (and others') experiences with it.

-chris