On 06.08.2019 at 18:37, George Stanchev wrote:
So it seems to work. For whoever is interested to try, the openjsse comes prebundled with Azul's
distro, all you need to do is run with -XX:+UseOpenJSSE command line option. On TC side, I added
"TLSv1.3" to "sslEnabledProtocols":
    sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3"
Also not sure if I had to but also added the 1.3 ciphers under ciphers
attribute:
    ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
    TLS_CHACHA20_POLY1305_SHA256,...."
Concerning TLS 1.3 support, one can also use OpenJSSE with other Java 8
based builds of OpenJDK, eg. RedHat's build or Adopt. To enable OpenJSSE
with those, you can eg. (tried with TC9, should work for TC 8.5 as well):
- Include the openjsse jar into your CLASSPATH
- Add
    -Djava.security.properties=${CATALINA_BASE}/conf/java.security
  to your CATALINA_OPTS
- Put the following line into the new file
  ${CATALINA_BASE}/conf/java.security:
    security.provider.4=org.openjsse.net.ssl.OpenJSSE
The number 4 in that line is taken from the file java.security installed
with Java 8. It should be jre/lib/security/java.security and the line
you are looking for (and that gets overwritten by the above) is
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider
The number "4" can vary and must be adjusted accordingly above.
That should be enough to enable TLS 1.3. If you haven't explicitly set
protocols or ciphers in server.xml, there's no need to set them for TLS
1.3. You can check the TLS version your clients use by adding the
following column to your AccessLogValve pattern:
    %{org.apache.tomcat.util.net.secure_protocol_version}r
For TLS 1.3 the value will be "TLSv1.3".
Note that to enable HTTP/2 there is a small TC patch needed I am working
on. That is due to the simplistic ALPN detection we currently use in TC,
which is simply checking the Java version number, not effective ALPN
support in JSSE.
I am getting some socket warnings though [1]. Anyone knows if those are benign?
It seems to me that you have taken those warnings from the output you
get when you enable Java TLS debugging using -Djavax.net.debug=all or
similar. I can see those warnings as well, but I do also get them when
using plain Java 11. So they are not a backport artefact.
Regards,
Rainer
[1]
ERROR 2019-08-02 13:25:31,425 [SYSERR] -- []
javax.net.ssl|DEBUG|01|main|2019-08-02 13:24:51.000 MDT|SSLCipher.java:436|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.228 MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
    at java.net.Socket.shutdownOutput(Socket.java:1553)
    at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
    at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
    at java.lang.System$2.invokeFinalize(System.java:1270)
    at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
    at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
    at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}
)
javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.230 MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
    at java.net.Socket.shutdownOutput(Socket.java:1553)
    at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
    at org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
    at org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
    at java.lang.System$2.invokeFinalize(System.java:1270)
    at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
    at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
    at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (13,172)": {
}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (22)": {
}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (49)": {
}
)
javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 MDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 MDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by the underlying providers
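
Added example, not part of the original mail: the reply's point that the provider number "can vary and must be adjusted accordingly", scripted so the override line always reuses the slot held by com.sun.net.ssl.internal.ssl.Provider. The function names and the sample provider list are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the provider slot instead of hard-coding "4".

# Print N from "security.provider.N=com.sun.net.ssl.internal.ssl.Provider".
# Commented-out lines (leading '#') do not match.
jsse_slot() {
    sed -n 's/^security\.provider\.\([0-9][0-9]*\)=com\.sun\.net\.ssl\.internal\.ssl\.Provider[[:space:]]*$/\1/p' "$1" | head -n 1
}

# $1 = the JRE's java.security, $2 = override file to create
# (the file passed via -Djava.security.properties=...).
write_openjsse_override() {
    slot=$(jsse_slot "$1")
    if [ -z "$slot" ]; then
        echo "no stock JSSE provider entry found in $1" >&2
        return 1
    fi
    printf 'security.provider.%s=org.openjsse.net.ssl.OpenJSSE\n' "$slot" > "$2"
}

# Constructed sample: a provider list in which JSSE sits in slot 3, not 4.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/java.security" <<'EOF'
# constructed provider list, for illustration only
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=com.sun.net.ssl.internal.ssl.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
EOF
    write_openjsse_override "$dir/java.security" "$dir/override.security" &&
        cat "$dir/override.security"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

If no matching entry is found the function fails without writing the override file, so a wrong slot never silently replaces an unrelated provider.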
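
Added example, not part of the original mail: once the secure_protocol_version column from the reply is in the AccessLogValve pattern, the access log shows which clients still negotiate TLSv1 or TLSv1.1, both of which the connector settings quoted above leave enabled. It assumes the column was appended as the last field and that the first field is the client address; the log lines are constructed.

```shell
#!/bin/sh
# Added example. Assumes the protocol column is the LAST field of each
# access-log line and the client address is the first field (%h).

# Requests per negotiated protocol version.
tls_version_counts() {
    awk '{ n[$NF]++ } END { for (v in n) print v, n[v] }' "$1" | LC_ALL=C sort
}

# Distinct "client protocol" pairs for requests negotiated below TLSv1.2.
legacy_tls_clients() {
    awk '$NF == "TLSv1" || $NF == "TLSv1.1" { print $1, $NF }' "$1" |
        LC_ALL=C sort -u
}

# Constructed sample log (documentation addresses, made-up requests).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [02/Aug/2019:13:25:31 -0600] "GET / HTTP/1.1" 200 1043 TLSv1.3
192.0.2.10 - - [02/Aug/2019:13:25:32 -0600] "GET /app HTTP/1.1" 200 512 TLSv1.3
198.51.100.7 - - [02/Aug/2019:13:26:02 -0600] "GET / HTTP/1.1" 200 1043 TLSv1.2
203.0.113.44 - - [02/Aug/2019:13:27:15 -0600] "POST /login HTTP/1.1" 302 - TLSv1
203.0.113.44 - - [02/Aug/2019:13:27:16 -0600] "GET /home HTTP/1.1" 200 2210 TLSv1
198.51.100.23 - - [02/Aug/2019:13:28:40 -0600] "GET / HTTP/1.1" 200 1043 TLSv1.1
EOF
}

demo() {
    log=$(mktemp) || return 1
    sample_log > "$log"
    echo "requests per protocol:"
    tls_version_counts "$log"
    echo "clients below TLSv1.2:"
    legacy_tls_clients "$log"
    rm -f "$log"
}

demo
```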