Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?
Mark,

On 08.08.2019 11:45, Mark Thomas wrote:
> On 08/08/2019 10:15, Alten, Jessica-Aileen wrote:
>> Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3.
>> So is this possibly a bug in Tomcat with openSSL 1.1.1c and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?
>
> Tomcat supports configuring the ciphers for TLSv1.2 and below.
>
> Tomcat does not (yet) support configuring the ciphersuites for TLS1.3 and above.

That's good to know. Any timeline (if it is necessary at all)?

Does that mean if only protocol is TLSv1.3, no cipher string is used? Or only the TLS1.3 ciphers? Should "HIGH:..." work?

Peter

> Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?
On 08/08/2019 10:15, Alten, Jessica-Aileen wrote:
> Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3.
> So is this possibly a bug in Tomcat with openSSL 1.1.1c
> and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?

Tomcat supports configuring the ciphers for TLSv1.2 and below.

Tomcat does not (yet) support configuring the ciphersuites for TLS1.3 and above.

Mark
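Why the TLS 1.3 name produces "no cipher match" can be reproduced at the OpenSSL level. This is an added example, not code from the thread or from Tomcat: it uses Python's `ssl` module, whose `SSLContext.set_ciphers()` wraps the `SSL_CTX_set_cipher_list()` call named in the catalina log, and it assumes a Python build linked against OpenSSL 1.1.1 or later. The function names are hypothetical.

```python
import ssl


def apply_cipher_string(cipher_string):
    """Apply a cipher string through SSL_CTX_set_cipher_list().

    Returns (accepted, suites). suites maps each enabled suite name to the
    protocol OpenSSL reports for it. accepted is False when the string
    matches no TLS 1.2-or-below suite, the "no cipher match" case.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, {}
    return True, {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def split_by_protocol(suites):
    """Separate TLS 1.3 suites from the ones the cipher string selected."""
    tls13 = sorted(n for n, p in suites.items() if p == "TLSv1.3")
    older = sorted(n for n, p in suites.items() if p != "TLSv1.3")
    return tls13, older


if __name__ == "__main__":
    # Constructed inputs: the TLS 1.3 name from the failing configuration,
    # then one OpenSSL-style TLS 1.2 name from the list suggested in the thread.
    for candidate in ("TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES256-GCM-SHA384"):
        accepted, suites = apply_cipher_string(candidate)
        tls13, older = split_by_protocol(suites)
        print(f"{candidate}: accepted={accepted}")
        print(f"  selected by the cipher string: {older}")
        # OpenSSL keeps TLS 1.3 suites in a separate list, set with
        # SSL_CTX_set_ciphersuites(), so the string above does not touch them.
        print(f"  TLS 1.3 suites present regardless: {tls13}")
```

The TLS 1.3 name is rejected because the cipher-list API only knows TLS 1.2-and-below names, while the TLS 1.2 name is accepted and the TLS 1.3 suites stay enabled next to it.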
RE: Problem with OpenSSL cipher suites -what's wrong with this configuration?
> > I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3 works, but I want to specify the allowed cipher suites as well.
> >
> > The relevant parts of server.xml are:
> > SSLEngine="on" />
> > ...
> > maxThreads="150" SSLEnabled="true"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
> > certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
> > certificateKeystorePassword="mypassword"
> > certificateKeystoreAlias="myalias" />
> >
> > This configuration works! When I connect to the server, Firefox says under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key, TLS 1.3).
> >
> > But when I try to specify the cipher suites like:
> > protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
>
> You have to use OpenSSL cipher names in this case. Like this...
>
> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">

This cipher suite works fine for TLSv1.2. However, I only want to use TLSv1.3 with its cipher suites. I installed openssl 1.1.1c and if I type "openssl ciphers -s -tls1_3" openSSL will return

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

in exactly this spelling, with underscores, not with hyphens as in the other cipher suites.

I tried it with hyphens in Tomcat - but it does not work either. Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. So is this possibly a bug in Tomcat with openSSL 1.1.1c and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?

Kind regards,
Jessica
Re: Problem with OpenSSL cipher suites -what's wrong with this configuration?
Jessica,

Peter Kreuser

> On 07.08.2019 at 14:33, Alten, Jessica-Aileen wrote:
>
> Dear all,
>
> I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3 works, but I want to specify the allowed cipher suites as well.
>
> The relevant parts of server.xml are:
> SSLEngine="on" />
> ...
> maxThreads="150" SSLEnabled="true"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
> certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
> certificateKeystorePassword="mypassword"
> certificateKeystoreAlias="myalias" />
>
> This configuration works! When I connect to the server, Firefox says under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key, TLS 1.3).
>
> But when I try to specify the cipher suites like:
> protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">

You have to use OpenSSL cipher names in this case. Like this...

ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">

> Tomcat throws an exception and TLS does not work! Error code in the browser is: SSL_ERROR_RX_RECORD_TOO_LONG

The error in the logs below shows the initialization error in the ciphers attribute and thus no ciphers are available...

Peter

> That is the most simplified version, first I tried these three:
> ciphers=""TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256". Same result.
>
> I know, Java JSSE 1.8 does not support TLSv1.3, but openSSL does and Tomcat works with openSSL and TLSv1.3 as shown above.
>
> The relevant part of the catalina log is:
>
> 07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
> 07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> 07-Aug-2019 13:41:38.198 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c 28 May 2019]
> 07-Aug-2019 13:41:38.370 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initialisiere ProtocolHandler["http-nio-8080"]
> 07-Aug-2019 13:41:38.417 INFORMATION [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8181"] connector has been configured to support negotiation to h2] via ALPN
> 07-Aug-2019 13:41:38.417 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initialisiere ProtocolHandler["https-openssl-apr-8181"]
> 07-Aug-2019 13:41:38.823 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim initialisieren des SSL Contexts
> java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
>     at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:243)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403)
>     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServ
Problem with OpenSSL cipher suites -what's wrong with this configuration?
Dear all,

I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3 works, but I want to specify the allowed cipher suites as well.

The relevant parts of server.xml are:

...

This configuration works! When I connect to the server, Firefox says under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key, TLS 1.3).

But when I try to specify the cipher suites like:

Tomcat throws an exception and TLS does not work! Error code in the browser is: SSL_ERROR_RX_RECORD_TOO_LONG

That is the most simplified version, first I tried these three:
ciphers=""TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256". Same result.

I know, Java JSSE 1.8 does not support TLSv1.3, but openSSL does and Tomcat works with openSSL and TLSv1.3 as shown above.

The relevant part of the catalina log is:

07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
07-Aug-2019 13:41:38.183 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
07-Aug-2019 13:41:38.198 INFORMATION [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c 28 May 2019]
07-Aug-2019 13:41:38.370 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initialisiere ProtocolHandler["http-nio-8080"]
07-Aug-2019 13:41:38.417 INFORMATION [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8181"] connector has been configured to support negotiation to h2] via ALPN
07-Aug-2019 13:41:38.417 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initialisiere ProtocolHandler["https-openssl-apr-8181"]
07-Aug-2019 13:41:38.823 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim initialisieren des SSL Contexts
java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:243)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403)
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)

Can anybody help?

Kind regards,
Jessica