https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Mark Thomas changed:
What|Removed |Added
Resolution|--- |FIXED
Status|NEW
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #29 from Remy Maucherat ---
Excellent, nothing changes from TLS 1.2 basically ! That's awesome given how
annoying it is to get the thing to work (BTW, instead of the weird
handshakeCount trick, there's also a callback that can be
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #28 from Mark Thomas ---
Once I figured out how to do it, it was fairly simple. Essentially, we now use
the same approach for NIO[2]+OpenSSL for TLSv1.2 and TLS1.3. Requesting the
client certificate triggers a re-handshake with
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #27 from Mark Thomas ---
I don't know yet. I was going to start on that this morning but when I tested
it with TLSv1.2 I found that CLIENT-CERT + NIO[2]+OpenSSL wasn't working with
TLS1.2 either. I've just fixed that and I plan to
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #26 from Remy Maucherat ---
Is it really doable to have it for 9.0.13 ?
I see the algorithm you added for native, and translating it into OpenSSLEngine
isn't very easy (it needs JNI additions for that SSL.verifyClientPostHandshake,
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #25 from Mark Thomas ---
CLIENT-CERT is now working correctly (tested with the OpenSSL client) with
APR/native so if a security constraint requires CLIENT-CERT post handshake
authentication is used to request the cert from the
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #24 from Christopher Schultz ---
(In reply to Christopher Schultz from comment #23)
> It's shocking that Java is ahead of the curve on this one.
That was a pretty stupid comment. This has nothing to do with Java and
everything to
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #23 from Christopher Schultz ---
(In reply to Rainer Jung from comment #21)
> (In reply to Christopher Schultz from comment #17)
> > A quick test with Firefox 62 and Chrome 69 shows that they are still
> > connecting using TLSv1.2.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #22 from Azat ---
(In reply to Rainer Jung from comment #21)
> (In reply to Christopher Schultz from comment #17)
> > A quick test with Firefox 62 and Chrome 69 shows that they are still
> > connecting using TLSv1.2.
>
> Both are
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #21 from Rainer Jung ---
(In reply to Christopher Schultz from comment #17)
> A quick test with Firefox 62 and Chrome 69 shows that they are still
> connecting using TLSv1.2.
Both are expected to implement the final 1.3 in the
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #20 from Christopher Schultz ---
Using OpenJDK 11, a simple https:// protocol test works for both configurations
"TLSv1.2+TLSv1.3" and simply "TLSv1.3". In the former case, Firefox/Chrome
connect using TLSv1.2. For the latter case,
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #19 from Michael Osipov ---
Try sslscan(1), it can also do an HTTP request:
https://github.com/rbsec/sslscan
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #18 from Christopher Schultz ---
When using my ssltest tool[1] with OpenJDK 11, I get the following output when
configured with protocols="TLSv1.2+TLSv1.3":
Host [localhost] resolves to addresses [127.0.0.1], [0:0:0:0:0:0:0:1]
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #17 from Christopher Schultz ---
A quick test with Firefox 62 and Chrome 69 shows that they are still connecting
using TLSv1.2.
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #16 from Christopher Schultz ---
A quick smoke-test using openssl appears to work.
--
You are receiving this mail because:
You are the assignee for the bug.
-
To
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #15 from Mark Thomas ---
I've applied those patches with some minor modifications to:
- fix the problem described in bug 62794
- ensure that the a warning is displayed when explicitly configuring TLSv1.3
but TLSv1.3 is not
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Mark Thomas changed:
What|Removed |Added
CC||ch...@christopherschultz.ne
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #13 from Mark Thomas ---
Note that it is likely that additional patches will be required to get
CLIENT_CERT working.
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #12 from Azat ---
after disabling http2 on tomcat9 firefox beta returns its usual secure
connection failed just like patched tomcat 7
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #11 from Azat ---
Created attachment 36184
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36184=edit
screenshots from latest mozilla beta build with an error on tomcat 9
mozilla beta with patched tomcat 9
--
You are
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #10 from Azat ---
I did apply the same patches to tomcat 9 src and tomcat native src
still no luck pretty much the same results ssllabs, htbridge ok ,chrome beta
fails with ERR_CONNECTION_CLOSED, firefox beta doesn't show
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #9 from Christopher Schultz ---
(In reply to Azat from comment #5)
> I did patch both tomcat7 src and tomcat-native with the patches you provided.
> Results are kind of strange.
Patching Tomcat 7 would indeed be strange. The
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #8 from Azat ---
Created attachment 36179
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36179=edit
screenshots from latest mozilla beta build with an error
I've added screenshots from the latest Mozilla beta where the
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #7 from Azat ---
the same thing happens with win 10 chrome 70 beta client, connection fails with
ERR_EMPTY_RESPONSE at the same time ssl_connect show no obvious error
openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #6 from Azat ---
I must also add that the latest failing test with chrome 70 beta browser and
patched tomcat with tls final version flag enabled were done with chrome
browser installed on a WIN7 x64 machine.
I will test patched
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #5 from Azat ---
Hi Christopher!
I did patch both tomcat7 src and tomcat-native with the patches you provided.
Results are kind of strange.
Tomcat7(I took 7.0.91 src) did compile(although I should mention that tomcat 7
trunk
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #4 from Christopher Schultz ---
These two patches allow Tomcat to start up with TLSv1.3 enabled.
When performing a connection test, however, I get the following error:
$ openssl s_client -connect localhost:8443
[...]
SSL-Session:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #3 from Christopher Schultz ---
Created attachment 36175
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36175=edit
Proposed patch to enable TLSv1.3 (Tomcat/trunk)
--
You are receiving this mail because:
You are the
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Christopher Schultz changed:
What|Removed |Added
Attachment #36174|Proposed patch to enable|Proposed patch to enable
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #2 from Christopher Schultz ---
Created attachment 36174
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36174=edit
Proposed patch to enable TLSv1.3
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #1 from Christopher Schultz ---
I've been looking at this, and there are several things that need to change:
1. Tomcat itself needs to explicitly support TLSv1.3 due to how the
configuration is converted into OpenSSL
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Azat changed:
What|Removed |Added
Version|unspecified |1.2.17
--
You are receiving this mail
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Azat changed:
What|Removed |Added
Severity|normal |enhancement
--
You are receiving this mail
33 matches
Mail list logo
