Dear all,

I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3
works, but I want to specify the allowed cipher suites as well.

The relevant parts of server.xml are:
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  ...
  <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true"
             sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    <SSLHostConfig protocols="TLSv1.3">
      <Certificate certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
                   certificateKeystorePassword="mypassword"
                   certificateKeystoreAlias="myalias" />
    </SSLHostConfig>
  </Connector>

This configuration works! When I connect to the server, Firefox says under
technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128 bit key,
TLS 1.3).

But when I try to specify the cipher suites like:
  <SSLHostConfig protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
Tomcat throws an exception and TLS does not work! The error code in the browser
is: SSL_ERROR_RX_RECORD_TOO_LONG

That is the most simplified version; first I tried these three:
  ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256"
Same result.

I know Java JSSE 1.8 does not support TLSv1.3, but OpenSSL does, and Tomcat
works with OpenSSL and TLSv1.3 as shown above.

The relevant part of the catalina log is:

07-Aug-2019 13:41:38.183 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
07-Aug-2019 13:41:38.183 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
07-Aug-2019 13:41:38.183 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
07-Aug-2019 13:41:38.198 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c  28 May 2019]
07-Aug-2019 13:41:38.370 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
07-Aug-2019 13:41:38.417 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8181"] connector has been configured to support negotiation to [h2] via ALPN
07-Aug-2019 13:41:38.417 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-8181"]
07-Aug-2019 13:41:38.823 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
 java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:243)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)


Can anybody help?

Kind regards,
Jessica

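Added example (not from the post above and not Tomcat or Tomcat Native code): the error in the log, "SSL_CTX_set_cipher_list:no cipher match", is raised by OpenSSL itself. In OpenSSL 1.1.1 and 3.x, SSL_CTX_set_cipher_list() only ever selects TLS 1.2 and older ciphers; tokens it does not recognise, which includes every TLS 1.3 suite name, are silently dropped, and the call fails with SSL_R_NO_CIPHER_MATCH when no TLS 1.2-or-older cipher is left. TLS 1.3 suites are selected through the separate SSL_CTX_set_ciphersuites() API and otherwise come from OpenSSL's built-in default list. The script below reproduces that rule through Python's ssl module, whose SSLContext.set_ciphers() is a thin wrapper around SSL_CTX_set_cipher_list(), and offers a pre-flight check for a ciphers= string. The three inputs are constructed from the values in the post; the TLS 1.2 suite names in the mixed list, and the function names, are this example's own assumptions. It says nothing about how Tomcat 9.0.22 itself maps the ciphers attribute onto the two OpenSSL calls.

```python
"""Reproduce OpenSSL's SSL_CTX_set_cipher_list() behaviour behind the
"no cipher match" error, via Python's ssl module (added example, not Tomcat code)."""
import ssl

# Constructed inputs: the two values tried in the post, plus a mixed list that
# satisfies OpenSSL's rule. The TLS 1.2 names chosen here are an assumption;
# any TLS 1.2 cipher your clients support would do.
TLS13_ONLY = "TLS_AES_128_GCM_SHA256"
TLS13_THREE = ("TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,"
               "TLS_CHACHA20_POLY1305_SHA256")
MIXED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
         "TLS_AES_128_GCM_SHA256")

# The TLS 1.3 suite names defined in RFC 8446; these are the only names
# OpenSSL accepts in SSL_CTX_set_ciphersuites().
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Whether the OpenSSL that Python is linked against speaks TLS 1.3 at all.
HAS_TLS13 = getattr(ssl, "HAS_TLSv1_3", False)


def split_cipher_string(value):
    """Split a cipher string into (tls13_names, tls12_names), i.e. the parts that
    SSL_CTX_set_ciphersuites() and SSL_CTX_set_cipher_list() would each consume.
    Commas are normalised to OpenSSL's ':' separator."""
    tokens = [t for t in value.replace(",", ":").split(":") if t]
    tls13 = [t for t in tokens if t in TLS13_SUITES]
    tls12 = [t for t in tokens if t not in TLS13_SUITES]
    return tls13, tls12


def openssl_accepts_cipher_list(value):
    """True if the local OpenSSL's SSL_CTX_set_cipher_list() accepts the string.
    Python raises ssl.SSLError ("No cipher can be selected.") when it returns 0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(value.replace(",", ":"))
    except ssl.SSLError:
        return False
    return True


def enabled_suites_by_protocol(value):
    """Return {protocol: [suite names]} OpenSSL would offer after a successful
    set_cipher_list(). The TLS 1.3 entries come from OpenSSL's default
    ciphersuites list, not from anything in the string passed in."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(value.replace(",", ":"))
    out = {}
    for c in ctx.get_ciphers():
        out.setdefault(c["protocol"], []).append(c["name"])
    return out


def check_tomcat_ciphers(value):
    """Pre-flight check for an SSLHostConfig ciphers= value that ends up in
    SSL_CTX_set_cipher_list(): explain the outcome before restarting Tomcat."""
    tls13, tls12 = split_cipher_string(value)
    if not tls13 and not tls12:
        return "REJECT: empty cipher string"
    if not tls12:
        return ("REJECT: only TLS 1.3 suite names given (%s); "
                "SSL_CTX_set_cipher_list() reports 'no cipher match' because no "
                "TLS 1.2 or older cipher remains" % ",".join(tls13))
    if not openssl_accepts_cipher_list(":".join(tls12)):
        return ("REJECT: none of the TLS 1.2 names match on this OpenSSL: "
                + ",".join(tls12))
    note = ""
    if tls13:
        note = ("; TLS 1.3 names %s are ignored by SSL_CTX_set_cipher_list() and "
                "can only be restricted via SSL_CTX_set_ciphersuites()"
                % ",".join(tls13))
    return "OK: TLS 1.2 list %s accepted%s" % (":".join(tls12), note)


if __name__ == "__main__":
    for value in (TLS13_ONLY, TLS13_THREE, MIXED):
        print(value, "->", check_tomcat_ciphers(value))
    if HAS_TLS13:
        # Shows all of OpenSSL's default TLS 1.3 suites still enabled, even
        # though only TLS_AES_128_GCM_SHA256 was named in the string.
        print(enabled_suites_by_protocol(MIXED))
```

Run it against the Python on the Tomcat host (or any host with the same OpenSSL major version) to see which part of a ciphers= value OpenSSL actually honours; the mixed list shows that naming one TLS 1.3 suite in a cipher list neither fails nor narrows the TLS 1.3 selection.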