https://bz.apache.org/bugzilla/show_bug.cgi?id=65401
Bug ID: 65401
Summary: do not silently fail on javax.net.ssl.SSLHandshakeException "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
Product: Tomcat 9
Version: 9.0.43
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
After upgrading from Java 8 to Java 11 to enable TLSv1.3,
openssl s_client -tls1_3 -connect localhost:8443
failed miserably, with no traces in the usual logs.
Turns out that the problem is
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
    at java.base/sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
    at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:218)
    at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:103)
    at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:360)
with the statement
sslEngine.beginHandshake();
Suggestions:
1) catch this exception around SecureNioChannel:360, print out the protocol(s)
and cipher(s) currently enabled, and then re-throw or wrap the exception in an
enclosing exception carrying this info
2) in NioEndPoint$SocketProcessor.doRun():1674 do not log only at debug
granularity, but in this case at "warn", as no SSL handshake will ever work
3) in https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
a) mention TLSv1.3
b) say that it might have different ciphers than TLSv1.2, without overlap
(even https://www.ssllabs.com/ssltest/analyze.html?d=www.ssllabs.com only has
3)
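An added example, not Tomcat's code, of what suggestion 1 could look like: the hypothetical wrapper beginHandshakeOrExplain catches the handshake failure, attaches the enabled protocols and cipher suites (and which protocols have no usable suite) to the message, and re-throws; main reproduces the misconfiguration with a constructed SSLEngine and logs it at warn as in suggestion 2. The TLS 1.3 suite list is a simplified check, not the JDK's own logic.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

public class HandshakeDiagnostics {
    // TLS 1.3 suites (RFC 8446) share no names with TLS 1.2 suites, so enabling
    // TLSv1.3 alone with only TLS 1.2 suites leaves no usable protocol.
    private static final List<String> TLS13_SUITES = Arrays.asList(
            "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256");

    // Hypothetical wrapper (suggestion 1): on failure, re-throw with the enabled
    // protocols and cipher suites in the message so the cause is visible in the log.
    public static void beginHandshakeOrExplain(SSLEngine engine) throws SSLException {
        try {
            engine.beginHandshake();
        } catch (SSLHandshakeException e) {
            String[] protocols = engine.getEnabledProtocols();
            String[] suites = engine.getEnabledCipherSuites();
            StringBuilder msg = new StringBuilder(e.getMessage())
                    .append(" [enabledProtocols=").append(Arrays.toString(protocols))
                    .append(", enabledCipherSuites=").append(Arrays.toString(suites)).append(']');
            // Simplified check: a protocol is usable only if some enabled suite fits its version.
            for (String p : protocols) {
                boolean tls13 = "TLSv1.3".equals(p);
                boolean usable = Arrays.stream(suites).anyMatch(s -> TLS13_SUITES.contains(s) == tls13);
                if (!usable) msg.append(" no enabled cipher suite is usable with ").append(p).append(';');
            }
            SSLHandshakeException wrapped = new SSLHandshakeException(msg.toString());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);     // default managers suffice to reproduce the error
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Constructed misconfiguration: only TLSv1.3 enabled, but only a TLS 1.2 suite enabled.
        engine.setEnabledProtocols(new String[] {"TLSv1.3"});
        engine.setEnabledCipherSuites(new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
        try {
            beginHandshakeOrExplain(engine);
        } catch (SSLHandshakeException e) {
            System.err.println("WARN: " + e.getMessage());   // suggestion 2: warn, not debug
        }
    }
}
```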