subject:"Problem with OpenSSL cipher suites \-what's wrong with this configuration\?"

Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?

2019-08-08 Thread logo


Mark,

Am 08.08.2019 11:45, schrieb Mark Thomas:

On 08/08/2019 10:15, Alten, Jessica-Aileen wrote:

Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 
1.3. So is this possibly a bug in Tomcat with openSSL 1.1.1c
and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 
1.2)?


Tomcat supports configuring the ciphers for TLSv1.2 and below.

Tomcat does not (yet) support configuring the ciphersuites for TLS1.3
and above.


that's good to know. Any timeline (if it is necessary at all)? Does that 
mean if only protocol is TLSv1.3, no cipher string is used? Or only the 
TLS1.3 ciphers? Should "HIGH:..." work?


Peter



Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?

2019-08-08 Thread Mark Thomas

On 08/08/2019 10:15, Alten, Jessica-Aileen wrote:

> Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. 
> So is this possibly a bug in Tomcat with openSSL 1.1.1c
> and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?

Tomcat supports configuring the ciphers for TLSv1.2 and below.

Tomcat does not (yet) support configuring the ciphersuites for TLS1.3
and above.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Problem with OpenSSL cipher suites -what's wrong with this configuration?

2019-08-08 Thread Alten, Jessica-Aileen

> > I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3  using
> > jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle
> > TLSv1.3 works, but I want to specify the allowed cipher suites as well.
> >
> > The relevant parts of server.xml are:
> >  > SSLEngine="on" />
> > ...
> >  >   maxThreads="150" SSLEnabled="true"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
> >
> >
> >  > certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
> >   certificateKeystorePassword="mypassword" 
> > certificateKeystoreAlias="myalias" />
> >
> > 
> >
> > This configuration works!  When I connect to the server, Firefox says
> > under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256,
> > 128bit key, TLS 1.3).
> >
> > But when I try to specify the cipher suites like:  > protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
> 
> You have to use OpenSSL cipher names in this case. Like this...
> 
> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-
> RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
> SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-
> AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-
> SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">

This cipher suite works fine for TLSv1.2. However, I only want to use TLSv1.3 
with its cipher suites. 
I installed openssl 1.1.1c and if I type "openssl ciphers -s -tls1_3" openSSL 
will return
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
in exactly this spelling, with underscores, not with hyphens as in the other 
cipher suites. I tried it with hyphens in Tomcat - but
it does not work either.

Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. So 
is this possibly a bug in Tomcat with openSSL 1.1.1c
and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?

Kind regards,
Jessica


smime.p7s
Description: S/MIME cryptographic signature

Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?

2019-08-07 Thread Peter Kreuser


Jessica,




Peter Kreuser
> Am 07.08.2019 um 14:33 schrieb Alten, Jessica-Aileen 
> :
> 
> Dear all,
> 
> I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
> jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3
> works, but I want to specify the allowed cipher suites as well.
> 
> The relevant parts of server.xml are:
>   SSLEngine="on" />
> ...
>maxThreads="150" SSLEnabled="true"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementat
> ion">
>
>
>  certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-bas
> e-8080/conf/keystore-pkcs12.jks"
>   certificateKeystorePassword="mypassword"
> certificateKeystoreAlias="myalias" />
>
> 
> 
> This configuration works!  When I connect to the server, Firefox says under
> technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key,
> TLS 1.3).
> 
> But when I try to specify the cipher suites like:  protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">

You have to use OpenSSL cipher names in this case. Like this...

ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">

> Tomcat throws an exception and TLS does not work! Errror code in the browser
> is: SSL_ERROR_RX_RECORD_TOO_LONG

The error in the logs below shows the initialization error in the ciphers 
attribute and thus no ciphers are available...

Peter
> 
> That is the most simplified version, first I tried these three:
> ciphers=""TLS_AES_128_GCM_SHA256,
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256". Same result.
> 
> I know, Java JSSE 1.8 does not support TLSv1.3, but openSSL does and Tomcat
> works with openSSL and TLSv1.3 as shown above.
> 
> The relevant part of the catalina log is:
> 
> 07-Aug-2019 13:41:38.183 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
> based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
> 07-Aug-2019 13:41:38.183 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random
> [true].
> 07-Aug-2019 13:41:38.183 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> configuration: useAprConnector [false], useOpenSSL [true]
> 07-Aug-2019 13:41:38.198 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> successfully initialized [OpenSSL 1.1.1c  28 May 2019]
> 07-Aug-2019 13:41:38.370 INFORMATION [main]
> org.apache.coyote.AbstractProtocol.init Initialisiere
> ProtocolHandler["http-nio-8080"]
> 07-Aug-2019 13:41:38.417 INFORMATION [main]
> org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The
> ["https-openssl-apr-8181"] connector has been configured to support
> negotiation to h2] via ALPN
> 07-Aug-2019 13:41:38.417 INFORMATION [main]
> org.apache.coyote.AbstractProtocol.init Initialisiere
> ProtocolHandler["https-openssl-apr-8181"] 07-Aug-2019 13:41:38.823 WARNUNG
> [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim
> initialisieren des SSL Contexts java.lang.Exception: Unable to configure
> permitted SSL ciphers (error:1410D0B9:SSL
> routines:SSL_CTX_set_cipher_list:no cipher match)
> at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
> at
> org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:2
> 43)
> at
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247
> )
> at
> org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403
> )
> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369) 
> at
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint
> .java:1124)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
> at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.
> java:74)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:5
> 33)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at
> org.apache.catalina.core.StandardServ

Problem with OpenSSL cipher suites -what's wrong with this configuration?

2019-08-07 Thread Alten, Jessica-Aileen

Dear all,

I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3
works, but I want to specify the allowed cipher suites as well.

The relevant parts of server.xml are:
  
...



 



This configuration works!  When I connect to the server, Firefox says under
technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key,
TLS 1.3).

But when I try to specify the cipher suites like: 
Tomcat throws an exception and TLS does not work! Errror code in the browser
is: SSL_ERROR_RX_RECORD_TOO_LONG

That is the most simplified version, first I tried these three:
ciphers=""TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256". Same result.

I know, Java JSSE 1.8 does not support TLSv1.3, but openSSL does and Tomcat
works with openSSL and TLSv1.3 as shown above.

The relevant part of the catalina log is:

07-Aug-2019 13:41:38.183 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
07-Aug-2019 13:41:38.183 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
07-Aug-2019 13:41:38.183 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
07-Aug-2019 13:41:38.198 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1c  28 May 2019]
07-Aug-2019 13:41:38.370 INFORMATION [main]
org.apache.coyote.AbstractProtocol.init Initialisiere
ProtocolHandler["http-nio-8080"]
07-Aug-2019 13:41:38.417 INFORMATION [main]
org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The
["https-openssl-apr-8181"] connector has been configured to support
negotiation to h2] via ALPN
07-Aug-2019 13:41:38.417 INFORMATION [main]
org.apache.coyote.AbstractProtocol.init Initialisiere
ProtocolHandler["https-openssl-apr-8181"] 07-Aug-2019 13:41:38.823 WARNUNG
[main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim
initialisieren des SSL Contexts java.lang.Exception: Unable to configure
permitted SSL ciphers (error:1410D0B9:SSL
routines:SSL_CTX_set_cipher_list:no cipher match)
at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
at
org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:2
43)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247
)
at
org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403
)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369) 
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint
.java:1124)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.
java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:5
33)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:105
9)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62
)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl
.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)


Can anybody help?

Kind regards,
Jessica



smime.p7s
Description: S/MIME cryptographic signature

Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?

Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?

RE: Problem with OpenSSL cipher suites -what's wrong with this configuration?

Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?

Problem with OpenSSL cipher suites -what's wrong with this configuration?

5 matches

Site Navigation

Mail list logo

Footer information