Dear all, I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3 works, but I want to specify the allowed cipher suites as well.
The relevant parts of server.xml are:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    ...
    <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
        <SSLHostConfig protocols="TLSv1.3">
            <Certificate certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
                         certificateKeystorePassword="mypassword"
                         certificateKeystoreAlias="myalias" />
        </SSLHostConfig>
    </Connector>

This configuration works! When I connect to the server, Firefox says under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key, TLS 1.3).

But when I try to specify the cipher suites like:

    <SSLHostConfig protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">

Tomcat throws an exception and TLS does not work! Error code in the browser is: SSL_ERROR_RX_RECORD_TOO_LONG

That is the most simplified version; first I tried these three:

    ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256"

Same result.

I know, Java JSSE 1.8 does not support TLSv1.3, but OpenSSL does and Tomcat works with OpenSSL and TLSv1.3 as shown above.

The relevant part of the catalina log is:

    07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
    07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
    07-Aug-2019 13:41:38.198 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c 28 May 2019]
    07-Aug-2019 13:41:38.370 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initialisiere ProtocolHandler["http-nio-8080"]
    07-Aug-2019 13:41:38.417 INFORMATION [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8181"] connector has been configured to support negotiation to [h2] via ALPN
    07-Aug-2019 13:41:38.417 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initialisiere ProtocolHandler["https-openssl-apr-8181"]
    07-Aug-2019 13:41:38.823 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim initialisieren des SSL Contexts
     java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
        at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:243)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)

Can anybody help?

Kind regards,
Jessica
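The error in the log above, "SSL_CTX_set_cipher_list:no cipher match", is OpenSSL's own response to a cipher list that selects no TLS 1.2 cipher. OpenSSL 1.1.1 configures the TLS 1.3 suites (TLS_AES_128_GCM_SHA256 and friends) through a separate call, SSL_CTX_set_ciphersuites, and its classic cipher-list parser simply does not recognise those names, so a `ciphers` value made up only of TLS 1.3 names leaves the TLS 1.2 list empty and the context fails to initialise. The following script is an added example (not part of the post and not Tomcat code) that reproduces the same OpenSSL behaviour outside Tomcat using Python's ssl module, whose `set_ciphers` wraps SSL_CTX_set_cipher_list; it assumes a Python 3.7+ linked against OpenSSL 1.1.1 or newer, and the cipher strings passed to it are chosen for illustration.

```python
# Added example (not from the original post or from Tomcat): reproduce the
# "no cipher match" failure with Python's ssl module, which sets cipher lists
# through the same OpenSSL call Tomcat's OpenSSL engine uses
# (SSL_CTX_set_cipher_list). Assumes Python 3.7+ built against OpenSSL 1.1.1+.
import ssl

# False on OpenSSL builds without TLS 1.3; the TLS 1.3-specific checks do not apply there.
HAS_TLS13 = ssl.HAS_TLSv1_3


def cipher_list_accepted(spec: str) -> bool:
    """Return True if OpenSSL accepts `spec` as a (TLS 1.2-style) cipher list.

    OpenSSL 1.1.1+ rejects a list that selects no TLS 1.2 cipher with
    SSL_R_NO_CIPHER_MATCH, which Tomcat surfaces as
    'SSL_CTX_set_cipher_list:no cipher match'. TLS 1.3 suite names such as
    TLS_AES_128_GCM_SHA256 never match here because OpenSSL configures TLS 1.3
    suites through a separate call (SSL_CTX_set_ciphersuites) that the
    cipher-list parser ignores.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # Python raises "No cipher can be selected" when the OpenSSL call returns 0.
        return False
    return True


def enabled_suites(spec: str):
    """Return (tls12_names, tls13_names) enabled after applying `spec` as the cipher list.

    The TLS 1.3 suites stay enabled with OpenSSL's defaults whatever the TLS 1.2
    list says, which is why the TLSv1.3-only connector in the post works as long
    as `ciphers` is left unset.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    tls12, tls13 = [], []
    # get_ciphers() yields one dict per enabled suite with 'name' and 'protocol' keys.
    for cipher in ctx.get_ciphers():
        (tls13 if cipher["protocol"] == "TLSv1.3" else tls12).append(cipher["name"])
    return tls12, tls13


if __name__ == "__main__":
    # Constructed inputs: a TLS 1.2 suite, the poster's single TLS 1.3 suite,
    # and the poster's three-suite TLS 1.3 list.
    for spec in (
        "ECDHE-RSA-AES128-GCM-SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
    ):
        print(f"{spec!r}: accepted by SSL_CTX_set_cipher_list = {cipher_list_accepted(spec)}")
    tls12, tls13 = enabled_suites("ECDHE-RSA-AES128-GCM-SHA256")
    print("TLS 1.2 suites:", tls12)
    print("TLS 1.3 suites (selected independently of the cipher list):", tls13)
```

Running it prints `accepted = True` for the TLS 1.2 name and `False` for both TLS 1.3-only lists, and the last two lines show the TLS 1.3 suites still present after a TLS 1.2-only cipher list was applied. For a defender the practical reading is that the `ciphers` attribute, as handled by this Tomcat/OpenSSL combination, governs the TLS 1.2 list, and the connector only fails to start (the browser then sees SSL_ERROR_RX_RECORD_TOO_LONG because nothing speaks TLS on that port) when that list ends up empty; a startup check like `cipher_list_accepted` on the intended string is a cheap way to catch such a misconfiguration before deploying it.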