correct usage of properties to supply database port

2022-03-11 Thread Terence M. Bandoian

On 3/11/2022 9:40 AM, Rob Sargent wrote:



On Mar 11, 2022, at 8:17 AM, Thomas Hoffmann (Speed4Trade GmbH) wrote:




-Original Message-
From: Rob Sargent
Sent: Friday, 11 March 2022 15:14
To: Tomcat Users List
Subject: Re: correct usage of properties to supply database port




On Mar 11, 2022, at 6:50 AM, Mark H. Wood  wrote:

On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:

About context/context/value:  I have this context.xml. Is the value
correctly inside the outer Context?

<Context>
  <Resource name="jdbc/sgsdb/tbar"
     url="jdbc:postgresql://localhost:5432:/tbar"
     driverClassName="org.postgresql.Driver"
     type="javax.sql.DataSource"
     factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
     testWhileIdle="false"
     testOnBorrow="true"
     testOnReturn="false"
     validationInterval="3"
     validationQuery="select 1"
     timeBetweenEvictionRunsMillis="3"
     maxActive="50"
     initialSize="3"
     maxWait="1"
     removeAbandonedTimeout="3600"
     removeAbandoned="true"
     minEvictableIdleTimeMillis="3"
     minIdle="1"
     maxIdle="5"
     logAbandoned="true"
     username="shoc"
     password="password"
     />

  <Context>
    <Valve className="org.apache.catalina.valves.AccessLogValve"
      prefix="sgs_access"
      directory="${SGSSRVR_AccessLogDir}"
      maxDays="7">
    </Valve>
  </Context>
</Context>

I don't think you can nest <Context>s that way, and I'm not sure what
it would mean.  I would remove the inner <Context> pair.

--
Mark H. Wood
Lead Technology Analyst

Thanks. I’ll take a look at that. I don’t see any related error messages but 
I’ll
check my logging.
Thanks



Nesting of Context is not allowed as far as I know.
The documentation tells which parent nodes/elements are allowed, e.g. Valve:
https://tomcat.apache.org/tomcat-10.0-doc/config/valve.html
is only allowed in a Host, Context or Engine element.



Ok. Thanks for digging into that. I am not able to investigate (or correct) at 
the moment.


Related warnings from your initial post:

   WARNING: No rules found matching [Context/Context/Valve]

   WARNING: No rules found matching [Context/Context]

-Terence Bandoian


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Christopher Schultz

Torsten,

On 3/11/22 06:03, Torsten Krah wrote:

It seems to me you are listing a cipher that might be correct
according to the OpenSSL documentation, but then whether that is
available to your JVM may be different.


That is for sure not the problem - just use the "ciphers.sh" from the
binary directory of tomcat which will list you all possible ciphers you
can use - and those match the ones I want to use.



Maybe you can run some small java application on the very same JVM to
simply list the supported ciphers? At least that would give you an
authoritative list of ciphers you can put into the configuration file.


No need for that, tomcat already has that - use ciphers.sh .

As Thomas found, it is a known bug / missing feature of tomcat - you
can't configure TLS 1.3 ciphers in tomcat yet if you want to use the
OpenSSL native implementation and Mark Thomas confirmed that here:

https://lists.apache.org/thread/q8lmp40xkn0b4k4o6n05n9fyttlvmd22

That was 08/2019 - but it still is unsupported in 03/2022 - maybe I'll
do a patch for that one ;).


If you do, please make sure you use appropriate #ifdefs in order to 
allow it to compile against multiple versions of OpenSSL, not just 
whatever version you happen to have installed on your local machine.


-chris




Connection Closed Errors From JDBC-Pool

2022-03-11 Thread Ryan Bergman
Greetings!
   I have a problem, possibly (or not) tied to the Tomcat-JDBC Pool. Here
is the rundown:

Application Server: Apache Tomcat 9.0.56
JDBC Connection Pool: org.apache.tomcat.jdbc.pool.DataSource; Tomcat-JDBC
9.0.56
Oracle Version: Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 -
Production
Java Driver: com.oracle.database.jdbc::ojdbc11 21.4.0.0.1
All of this is running on Amazon ECS, running between 8 and 20 instances
depending on load.

Configuration of Pool:



Problem:
We are experiencing sporadic spikes where connections are being closed even
though they are in use, or are returned by the connection pool already
closed. This is a high volume API, and it can go days without this
happening and then suddenly it will have a spike out of nowhere.

This does not seem to be tied to any long running activity we can find. I
can see instances where a request got a connection from the pool and it
failed on the first attempt to use just milliseconds after it was returned.

Furthermore it seems to happen randomly in batches where hundreds of these
happen at once on a single JVM, then won't happen again for days.

There are a few different scenarios where we see this, sometimes it occurs
inside of the connection pool, in this case we see a message about not
being able to clear warnings, but not much else. The stack trace gets
truncated after a while but in these cases there is no sub-exception. It's
just the one, this error in the pool propagates up and out and results in a
failed request.

Message: Unable to clear Warnings, connection will be closed.
Logger: org.apache.tomcat.jdbc.pool.PooledConnection
Exception:
java.sql.SQLRecoverableException: Closed Connection
at oracle.jdbc.driver.PhysicalConnection.requireOpenConnection(PhysicalConnection.java:11773)
at oracle.jdbc.driver.PhysicalConnection.clearWarnings(PhysicalConnection.java:3526)
at org.apache.tomcat.jdbc.pool.PooledConnection.clearWarnings(PooledConnection.java:875)
at org.apache.tomcat.jdbc.pool.ConnectionPool.returnConnection(ConnectionPool.java:1019)
at org.apache.tomcat.jdbc.pool.ProxyConnection.invoke(ProxyConnection.java:103)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.interceptor.AbstractCreateStatementInterceptor.invoke(AbstractCreateStatementInterceptor.java:69)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.interceptor.ConnectionState.invoke(ConnectionState.java:158)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.TrapException.invoke(TrapException.java:39)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.interceptor.AbstractCreateStatementInterceptor.invoke(AbstractCreateStatementInterceptor.java:69)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.DisposableConnectionFacade.invoke(DisposableConnectionFacade.java:81)
at com.sun.proxy.$Proxy94.close(Unknown Source)


Sometimes we see a similar error AFTER the connection has been returned
from the pool:

message (example, lots of different queries): Resolved
[org.springframework.dao.RecoverableDataAccessException:
PreparedStatementCallback; SQL [**]; Closed Connection; nested
exception is java.sql.SQLRecoverableException: Closed Connection]

exception:
java.sql.SQLRecoverableException: Closed Connection
at oracle.jdbc.driver.PhysicalConnection.requireOpenConnection(PhysicalConnection.java:11773)
at oracle.jdbc.driver.PhysicalConnection.prepareStatementInternal(PhysicalConnection.java:2354)
at oracle.jdbc.driver.PhysicalConnection.prepareStatement(PhysicalConnection.java:2309)
at oracle.jdbc.driver.PhysicalConnection.prepareStatement(PhysicalConnection.java:2300)
at oracle.jdbc.driver.PhysicalConnection.prepareStatement(PhysicalConnection.java:2211)
at jdk.internal.reflect.GeneratedMethodAccessor194.invoke(Unknown Source)
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.tomcat.jdbc.pool.ProxyConnection.invoke(ProxyConnection.java:131)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.interceptor.AbstractCreateStatementInterceptor.invoke(AbstractCreateStatementInterceptor.java:75)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.interceptor.ConnectionState.invoke(ConnectionState.java:158)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at org.apache.tomcat.jdbc.pool.TrapException.invoke(TrapException.java:39)
at org.apache.tomcat.jdbc.pool.JdbcInterceptor.invoke(JdbcInterceptor.java:109)
at

Re: correct usage of properties to supply database port

2022-03-11 Thread Rob Sargent



> On Mar 11, 2022, at 8:17 AM, Thomas Hoffmann (Speed4Trade GmbH) 
>  wrote:
> 
> 
> 
>> -Original Message-
>> From: Rob Sargent
>> Sent: Friday, 11 March 2022 15:14
>> To: Tomcat Users List
>> Subject: Re: correct usage of properties to supply database port
>> 
>> 
>> 
>> On Mar 11, 2022, at 6:50 AM, Mark H. Wood  wrote:
>>> 
>>> On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:
>>>> About context/context/value:  I have this context.xml. Is the value
>>>> correctly inside the outer Context?
>>>> 
>>>> <Context>
>>>>   <Resource name="jdbc/sgsdb/tbar"
>>>>      url="jdbc:postgresql://localhost:5432:/tbar"
>>>>      driverClassName="org.postgresql.Driver"
>>>>      type="javax.sql.DataSource"
>>>>      factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>>>      testWhileIdle="false"
>>>>      testOnBorrow="true"
>>>>      testOnReturn="false"
>>>>      validationInterval="3"
>>>>      validationQuery="select 1"
>>>>      timeBetweenEvictionRunsMillis="3"
>>>>      maxActive="50"
>>>>      initialSize="3"
>>>>      maxWait="1"
>>>>      removeAbandonedTimeout="3600"
>>>>      removeAbandoned="true"
>>>>      minEvictableIdleTimeMillis="3"
>>>>      minIdle="1"
>>>>      maxIdle="5"
>>>>      logAbandoned="true"
>>>>      username="shoc"
>>>>      password="password"
>>>>      />
>>>> 
>>>>   <Context>
>>>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>>       prefix="sgs_access"
>>>>       directory="${SGSSRVR_AccessLogDir}"
>>>>       maxDays="7">
>>>>     </Valve>
>>>>   </Context>
>>>> </Context>
>>> 
>>> I don't think you can nest <Context>s that way, and I'm not sure what
>>> it would mean.  I would remove the inner <Context> pair.
>>> 
>>> --
>>> Mark H. Wood
>>> Lead Technology Analyst
>> 
>> Thanks. I’ll take a look at that. I don’t see any related error messages but 
>> I’ll
>> check my logging.
>> Thanks
>> 
>> 
> Nesting of Context is not allowed as far as I know.
> The documentation tells which parent nodes/elements are allowed, e.g. Valve:
> https://tomcat.apache.org/tomcat-10.0-doc/config/valve.html
> is only allowed in a Host, Context or Engine element.
> 
> 
Ok. Thanks for digging into that. I am not able to investigate (or correct) at 
the moment.





Re: correct usage of properties to supply database port

2022-03-11 Thread Thomas Hoffmann (Speed4Trade GmbH)


> -Original Message-
> From: Rob Sargent
> Sent: Friday, 11 March 2022 15:14
> To: Tomcat Users List
> Subject: Re: correct usage of properties to supply database port
> 
> 
> 
> > On Mar 11, 2022, at 6:50 AM, Mark H. Wood  wrote:
> >
> > On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:
> >> About context/context/value:  I have this context.xml. Is the value
> >> correctly inside the outer Context?
> >>
> >> <Context>
> >>   <Resource name="jdbc/sgsdb/tbar"
> >>      url="jdbc:postgresql://localhost:5432:/tbar"
> >>      driverClassName="org.postgresql.Driver"
> >>      type="javax.sql.DataSource"
> >>      factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
> >>      testWhileIdle="false"
> >>      testOnBorrow="true"
> >>      testOnReturn="false"
> >>      validationInterval="3"
> >>      validationQuery="select 1"
> >>      timeBetweenEvictionRunsMillis="3"
> >>      maxActive="50"
> >>      initialSize="3"
> >>      maxWait="1"
> >>      removeAbandonedTimeout="3600"
> >>      removeAbandoned="true"
> >>      minEvictableIdleTimeMillis="3"
> >>      minIdle="1"
> >>      maxIdle="5"
> >>      logAbandoned="true"
> >>      username="shoc"
> >>      password="password"
> >>      />
> >>
> >>   <Context>
> >>     <Valve className="org.apache.catalina.valves.AccessLogValve"
> >>       prefix="sgs_access"
> >>       directory="${SGSSRVR_AccessLogDir}"
> >>       maxDays="7">
> >>     </Valve>
> >>   </Context>
> >> </Context>
> >
> > I don't think you can nest <Context>s that way, and I'm not sure what
> > it would mean.  I would remove the inner <Context> pair.
> >
> > --
> > Mark H. Wood
> > Lead Technology Analyst
> 
> Thanks. I’ll take a look at that. I don’t see any related error messages but 
> I’ll
> check my logging.
> Thanks
> 
> 
Nesting of Context is not allowed as far as I know.
The documentation tells which parent nodes/elements are allowed, e.g. Valve:
https://tomcat.apache.org/tomcat-10.0-doc/config/valve.html
is only allowed in a Host, Context or Engine element.





Re: correct usage of properties to supply database port

2022-03-11 Thread Rob Sargent



> On Mar 11, 2022, at 6:50 AM, Mark H. Wood  wrote:
> 
> On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:
>> About context/context/value:  I have this context.xml. Is the value 
>> correctly inside the outer Context?
>> 
>> <Context>
>>   <Resource name="jdbc/sgsdb/tbar"
>>      url="jdbc:postgresql://localhost:5432:/tbar"
>>      driverClassName="org.postgresql.Driver"
>>      type="javax.sql.DataSource"
>>      factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>      testWhileIdle="false"
>>      testOnBorrow="true"
>>      testOnReturn="false"
>>      validationInterval="3"
>>      validationQuery="select 1"
>>      timeBetweenEvictionRunsMillis="3"
>>      maxActive="50"
>>      initialSize="3"
>>      maxWait="1"
>>      removeAbandonedTimeout="3600"
>>      removeAbandoned="true"
>>      minEvictableIdleTimeMillis="3"
>>      minIdle="1"
>>      maxIdle="5"
>>      logAbandoned="true"
>>      username="shoc"
>>      password="password"
>>      />
>> 
>>   <Context>
>>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>>       prefix="sgs_access"
>>       directory="${SGSSRVR_AccessLogDir}"
>>       maxDays="7">
>>     </Valve>
>>   </Context>
>> </Context>
> 
> I don't think you can nest <Context>s that way, and I'm not sure what
> it would mean.  I would remove the inner <Context> pair.
> 
> -- 
> Mark H. Wood
> Lead Technology Analyst

Thanks. I’ll take a look at that. I don’t see any related error messages but 
I’ll check my logging. 
Thanks 





Re: correct usage of properties to supply database port

2022-03-11 Thread Mark H. Wood
On Thu, Mar 10, 2022 at 09:40:48AM -0700, Rob Sargent wrote:
> About context/context/value:  I have this context.xml. Is the value 
> correctly inside the outer Context?
> 
> <Context>
>   <Resource name="jdbc/sgsdb/tbar"
>      url="jdbc:postgresql://localhost:5432:/tbar"
>      driverClassName="org.postgresql.Driver"
>      type="javax.sql.DataSource"
>      factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>      testWhileIdle="false"
>      testOnBorrow="true"
>      testOnReturn="false"
>      validationInterval="3"
>      validationQuery="select 1"
>      timeBetweenEvictionRunsMillis="3"
>      maxActive="50"
>      initialSize="3"
>      maxWait="1"
>      removeAbandonedTimeout="3600"
>      removeAbandoned="true"
>      minEvictableIdleTimeMillis="3"
>      minIdle="1"
>      maxIdle="5"
>      logAbandoned="true"
>      username="shoc"
>      password="password"
>      />
> 
>   <Context>
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>       prefix="sgs_access"
>       directory="${SGSSRVR_AccessLogDir}"
>       maxDays="7">
>     </Valve>
>   </Context>
> </Context>

I don't think you can nest <Context>s that way, and I'm not sure what
it would mean.  I would remove the inner <Context> pair.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu




Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
> It seems to me you are listing a cipher that might be correct
> according to the OpenSSL documentation, but then whether that is
> available to your JVM may be different.

That is for sure not the problem - just use the "ciphers.sh" from the
binary directory of tomcat which will list you all possible ciphers you
can use - and those match the ones I want to use.

> 
> Maybe you can run some small java application on the very same JVM to
> simply list the supported ciphers? At least that would give you an
> authoritative list of ciphers you can put into the configuration file.

No need for that, tomcat already has that - use ciphers.sh .

As Thomas found, it is a known bug / missing feature of tomcat - you
can't configure TLS 1.3 ciphers in tomcat yet if you want to use the
OpenSSL native implementation and Mark Thomas confirmed that here:

https://lists.apache.org/thread/q8lmp40xkn0b4k4o6n05n9fyttlvmd22

That was 08/2019 - but it still is unsupported in 03/2022 - maybe I'll
do a patch for that one ;).

kind regards

Torsten





RE: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Hiran CHAUDHURI

Hello Torsten.

It seems to me you are listing a cipher that might be correct according to the 
OpenSSL documentation, but then whether that is available to your JVM may be 
different.
Maybe you can run some small java application on the very same JVM to simply 
list the supported ciphers? At least that would give you an authoritative list of 
ciphers you can put into the configuration file.

And on another level: Could Tomcat list the supported ciphers as part of the 
exception text? This would not cost performance, because we are in an error 
state anyway, and it would give a direct hint for all future encounters of this problem.

Hiran

-Original Message-
From: Torsten Krah 
Sent: Friday, March 11, 2022 9:51
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)



Interesting exception on startup when using TLS 1.3 only - configured the 
connector like this:





using only TLS 1.3 and the configured ciphers but now I get this on startup:

11-Mar-2022 09:43:42.753 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim initialisieren des SSL Contexts
java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:329)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:144)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)


The cipher names do match:

https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

and

https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4


I am lost at that point, maybe someone has an idea.

kind regards

Torsten



Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Thomas Hoffmann (Speed4Trade GmbH)


> -Original Message-
> From: Torsten Krah
> Sent: Friday, 11 March 2022 10:30
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> 
> On Friday, 11.03.2022 at 09:17 +, Thomas Hoffmann
> (Speed4Trade GmbH) wrote:
> > The configuration which works for me is:
> >
> > <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> >            maxThreads="150" minSpareThreads="25"
> >            URIEncoding="UTF-8" useBodyEncodingForURI="false"
> >            enableLookups="false" disableUploadTimeout="true"
> >            acceptCount="100" scheme="https" secure="true"
> >            SSLEnabled="true">
> >
> >   <SSLHostConfig disableSessionTickets="true"
> >                  honorCipherOrder="false"
> >                  protocols="+TLSv1.2,+TLSv1.3">
> 
> 
> I am using:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> 
> and in combination with the native APR in place it does the correct thing,
> using OpenSSL - and the error shows that this is in place.
> 
> The list of protocols can be either of those - see the
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html ciphers docs:
> 
> 
> The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
> documentation for the list of ciphers supported and the syntax).
> Alternatively, a comma separated list of ciphers using the standard
> OpenSSL cipher names or the standard JSSE cipher names may be used.
> 
> 
> Your example does not have any TLS 1.3 cipher listed - so you just get
> the 3 defaults (which I want / need to change) - and as seen in the
> code it won't work anyway, because it does not call:
> 
> SSL_CTX_set_ciphersuites()
> 
> to set the 1.3 suites.
> 
> kind regards
> 
> Torsten
> 
> 
> 

Hello Torsten,

that article seems to confirm your research on this topic:
https://stackoverflow.com/questions/68802712/tomcat-9-0-48not-starting-with-tlsv1-3-and-explicit-ciphers-in-server-xml-ssl

Seems to only work with the Java implementation, not with OpenSSL at the moment.


Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
On Friday, 11.03.2022 at 09:17 +, Thomas Hoffmann
(Speed4Trade GmbH) wrote:
> The configuration which works for me is:
> 
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>            maxThreads="150" minSpareThreads="25"
>            URIEncoding="UTF-8" useBodyEncodingForURI="false"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true"
>            SSLEnabled="true">
> 
>   <SSLHostConfig disableSessionTickets="true"
>                  honorCipherOrder="false"
>                  protocols="+TLSv1.2,+TLSv1.3">


I am using:

protocol="org.apache.coyote.http11.Http11Nio2Protocol"

and in combination with the native APR in place it does the correct
thing, using OpenSSL - and the error shows that this is in place.

The list of protocols can be either of those - see the 
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html ciphers docs:


The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
documentation for the list of ciphers supported and the syntax).
Alternatively, a comma separated list of ciphers using the standard
OpenSSL cipher names or the standard JSSE cipher names may be used.


Your example does not have any TLS 1.3 cipher listed - so you just get
the 3 defaults (which I want / need to change) - and as seen in the
code it won't work anyway, because it does not call:

SSL_CTX_set_ciphersuites()

to set the 1.3 suites.

kind regards

Torsten






Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
On Friday, 11.03.2022 at 10:09 +0100, Torsten Krah wrote:
> So it seems like a bug to me, right?

I had a quick look on the JNI SSLContext code + the native
implementation:

TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
 jstring ciphers)
{
jboolean rv = JNI_TRUE;
SSL *ssl_ = J2P(ssl, SSL *);
TCN_ALLOC_CSTRING(ciphers);

UNREFERENCED_STDARGS;

if (ssl_ == NULL) {
TCN_FREE_CSTRING(ciphers);
tcn_ThrowException(e, "ssl is null");
return JNI_FALSE;
}

UNREFERENCED(o);
if (!J2S(ciphers)) {
TCN_FREE_CSTRING(ciphers);
return JNI_FALSE;
}
if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) {
char err[256];
ERR_error_string(SSL_ERR_get(), err);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
rv = JNI_FALSE;
}
TCN_FREE_CSTRING(ciphers);
return rv;
}

and this one does really use SSL_set_cipher_list even for TLS 1.3 -
that won't work.

Can anyone confirm that? Should I open a bug here:

https://bz.apache.org/bugzilla/enter_bug.cgi

about that?

kind regards

Torsten





Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Thomas Hoffmann (Speed4Trade GmbH)


> -Original Message-
> From: Torsten Krah
> Sent: Friday, 11 March 2022 10:01
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> 
> On Friday, 11.03.2022 at 08:52 +, Thomas Hoffmann
> (Speed4Trade GmbH) wrote:
> > Hello,
> >
> > the protocol attribute looks a bit strange.
> >
> > I think it should be:
> >
> > protocols="+TLSv1.2,+TLSv1.3">
> 
> I tried standalone TLS 1.3 like you suggested:
> 
> protocols="+TLSv1.3"
> 
> still the same exception:
> 
> 
> 11-Mar-2022 09:57:41.996 WARNUNG [main]
> org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim
> initialisieren des SSL Contexts
>   java.lang.Exception: Unable to configure permitted SSL ciphers
> (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
> 
> 
> kind regards
> 
> Torsten
> 
> 
> 

Hello,

Java and OpenSSL use different naming, so sslImplementationName is also 
important.

The configuration which works for me is:

 
...

Greetings, Thomas


Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
On Friday, 11.03.2022 at 09:50 +0100, Torsten Krah wrote:
> (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

Reading that message and looking at:

https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

there it is written that with TLS 1.3:

Applications should use the SSL_CTX_set_ciphersuites() or 
SSL_set_ciphersuites() functions to configure TLSv1.3 ciphersuites. 

Seems tomcat is using *SSL_CTX_set_cipher_list* instead of
*SSL_CTX_set_ciphersuites* - maybe someone with knowledge here can
confirm that theory.

Reading:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html

there is this:

SSL_CTX_set_cipher_list() sets the list of available ciphers (TLSv1.2
and below) for ctx using the control string str. The format of the
string is described in openssl-ciphers(1). The list of ciphers is
inherited by all ssl objects created from ctx. This function does not
impact TLSv1.3 ciphersuites. Use SSL_CTX_set_ciphersuites() to
configure those.

So it seems like a bug to me, right?

kind regards

Torsten



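As an added example (not code from the thread, from Tomcat or from tomcat-native), the split that Torsten's finding above and Chris's #ifdef remark elsewhere in the thread both point to: the configured ciphers string is divided into the RFC 8446 TLS 1.3 suites, which must go to SSL_CTX_set_ciphersuites(), and everything else, which still goes to SSL_CTX_set_cipher_list(). The HAVE_LIBSSL build flag and apply_cipher_config() are assumptions for illustration, and TLS 1.2 names are passed through unchanged (mapping JSSE names to OpenSSL names is not shown).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The five TLS 1.3 suites of RFC 8446 appendix B.4. OpenSSL uses these IANA
 * names unchanged, and they are the only names SSL_CTX_set_ciphersuites() takes. */
static const char *const TLS13_SUITES[] = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
};

/* Exact match against the fixed set: JSSE names such as
 * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 also start with "TLS_" but are TLS 1.2. */
bool is_tls13_suite(const char *name)
{
    for (size_t i = 0; i < sizeof TLS13_SUITES / sizeof TLS13_SUITES[0]; i++)
        if (strcmp(name, TLS13_SUITES[i]) == 0)
            return true;
    return false;
}

/* Append name to a ':'-joined buffer (OpenSSL list syntax); false on overflow. */
static bool append_name(char *buf, size_t buflen, const char *name)
{
    size_t used = strlen(buf), len = strlen(name);
    if (used + (used ? 1 : 0) + len + 1 > buflen)
        return false;
    if (used)
        buf[used++] = ':';
    memcpy(buf + used, name, len + 1);
    return true;
}

/* Split a Tomcat `ciphers` value (',' or ':' separated) into the string for
 * SSL_CTX_set_cipher_list() (tls12) and the one for SSL_CTX_set_ciphersuites()
 * (tls13). TLS 1.2 entries pass through unchanged; mapping JSSE names to OpenSSL
 * names is out of scope here. Returns the TLS 1.3 count, or -1 on bad input. */
int split_cipher_config(const char *config, char *tls12, size_t tls12_len,
                        char *tls13, size_t tls13_len)
{
    char work[1024];
    int n13 = 0;
    if (!config || strlen(config) >= sizeof work || !tls12_len || !tls13_len)
        return -1;
    tls12[0] = tls13[0] = '\0';
    strcpy(work, config);
    for (char *tok = strtok(work, ",: "); tok; tok = strtok(NULL, ",: ")) {
        if (is_tls13_suite(tok)) {
            if (!append_name(tls13, tls13_len, tok))
                return -1;
            n13++;
        } else if (!append_name(tls12, tls12_len, tok)) {
            return -1;
        }
    }
    return n13;
}

#ifdef HAVE_LIBSSL /* hypothetical build flag, define only when linking libssl */
#include <openssl/ssl.h>

/* Hand each half to the right OpenSSL call. SSL_CTX_set_ciphersuites() exists
 * from OpenSSL 1.1.1, hence the version guard. An empty TLS 1.2 list (the
 * "+TLSv1.3"-only configuration from the thread) is skipped rather than passed
 * to SSL_CTX_set_cipher_list(), which answers it with "no cipher match". */
int apply_cipher_config(SSL_CTX *ctx, const char *config)
{
    char tls12[1024], tls13[256];
    if (split_cipher_config(config, tls12, sizeof tls12, tls13, sizeof tls13) < 0)
        return 0;
    if (tls12[0] && !SSL_CTX_set_cipher_list(ctx, tls12))
        return 0;
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
    if (tls13[0] && !SSL_CTX_set_ciphersuites(ctx, tls13))
        return 0;
#else
    if (tls13[0])      /* TLS 1.3 suites requested on an OpenSSL without TLS 1.3 */
        return 0;
#endif
    return 1;
}
#endif

int main(void)
{
    /* The `ciphers` value from Torsten's first post in the thread. */
    const char *cfg =
        "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,"
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
    char tls12[1024], tls13[256];
    int n = split_cipher_config(cfg, tls12, sizeof tls12, tls13, sizeof tls13);
    printf("%d TLS 1.3 suites -> SSL_CTX_set_ciphersuites(\"%s\")\n", n, tls13);
    printf("TLS 1.2 list -> SSL_CTX_set_cipher_list(\"%s\")\n", tls12);
    return n < 0;
}
```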



Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
On Friday, 11.03.2022 at 08:52 +, Thomas Hoffmann
(Speed4Trade GmbH) wrote:
> Hello,
> 
> the protocol attribute looks a bit strange.
> 
> I think it should be:
> 
> protocols="+TLSv1.2,+TLSv1.3">

I tried standalone TLS 1.3 like you suggested:

protocols="+TLSv1.3"

still the same exception:


11-Mar-2022 09:57:41.996 WARNUNG [main] 
org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim 
initialisieren des SSL Contexts
java.lang.Exception: Unable to configure permitted SSL ciphers 
(error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)


kind regards

Torsten






Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Thomas Hoffmann (Speed4Trade GmbH)


> -Original Message-
> From: Torsten Krah
> Sent: Friday, 11 March 2022 09:35
> To: users@tomcat.apache.org
> Subject: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> 
> Hi,
> 
> I am using Tomcat 9.0.59 and configured it like that:
> 
> 
>  ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256">
> ...
> 
> 
> Output is:
> 
> [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
> [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
> [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k  25 Mar 2021]
> 
> 
> Using testssl I had a look on the ciphers configured and they match my
> expectations for TLS 1.2 but the TLS 1.3 ones are ignored - the standard
> ciphers activated in openssl are still used according to:
> 
> https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
> 
> Output of testssl:
> 
>  Cipher order
> TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
> TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
> 
> Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.   Encryption  Bits   Cipher Suite Name (IANA/RFC)
> -----------------------------------------------------------------------------------------------
>  x1302   TLS_AES_256_GCM_SHA384        ECDH 253   AESGCM      256    TLS_AES_256_GCM_SHA384
>  x1303   TLS_CHACHA20_POLY1305_SHA256  ECDH 253   ChaCha20    256    TLS_CHACHA20_POLY1305_SHA256
>  xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 253   AESGCM      256    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>  x9f     DHE-RSA-AES256-GCM-SHA384     DH 4096    AESGCM      256    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>  x1301   TLS_AES_128_GCM_SHA256        ECDH 253   AESGCM      128    TLS_AES_128_GCM_SHA256
>  xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH 253   AESGCM      128    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>  x9e     DHE-RSA-AES128-GCM-SHA256     DH 4096    AESGCM      128    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> 
> 
> How to configure the TLS 1.3 ciphers?
> 
> kind regards
> 
> Torsten
> 
> 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Hello,
the protocol attribute looks a bit strange.
I think it should be:
protocols="+TLSv1.2,+TLSv1.3">


Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
Interesting exception on startup when using TLS 1.3 only - configured
the connector like this:





using only TLS 1.3 and the configured ciphers but now I get this on startup:

11-Mar-2022 09:43:42.753 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim initialisieren des SSL Contexts
java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:329)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:144)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)


The cipher names do match:

https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

and

https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4


I am lost at that point, maybe someone has an idea.

kind regards

Torsten


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
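The stack trace above names the failing call: SSL_CTX_set_cipher_list. In OpenSSL 1.1.1 (the log shows 1.1.1k) that function selects only TLS 1.2-and-earlier cipher suites; TLS 1.3 suites are a separate setting, SSL_CTX_set_ciphersuites, and keep the library defaults until that setting is changed. Both symptoms in this thread follow from that split: the default TLS 1.3 suites (including the never-configured TLS_CHACHA20_POLY1305_SHA256) are still offered, and a list that contains nothing but TLS 1.3 names leaves SSL_CTX_set_cipher_list with no TLS 1.2 match, hence "no cipher match". The block below is an added example, not code from the thread or from Tomcat: it reproduces both effects against the local OpenSSL through Python's ssl module, whose set_ciphers() wraps that same SSL_CTX_set_cipher_list call. The cipher strings are constructed from the ciphers="..." attribute quoted above (TLS 1.2 suites in OpenSSL spelling). Which Tomcat attribute, if any, reaches SSL_CTX_set_ciphersuites is not something this thread shows, so the example makes no claim about it.

```python
import ssl

# Constructed from the thread: the TLS 1.2 suites from the ciphers="..."
# attribute, in OpenSSL spelling, and the TLS 1.3 suites from the same
# attribute (for TLS 1.3 the IANA and OpenSSL names coincide).
TLS12_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
)
TLS13_CIPHER_LIST = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256"
)

# Whether the OpenSSL Python was linked against supports TLS 1.3 at all;
# the "defaults still offered" symptom only exists when it does.
HAS_TLS13 = ssl.HAS_TLSv1_3


def offered_suites(cipher_list):
    """Apply cipher_list via SSL_CTX_set_cipher_list (that is what
    SSLContext.set_ciphers() calls) and return {protocol: [suite, ...]}
    for every suite the context would then offer, in preference order.
    TLS 1.3 suites appear even though the list never named them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    by_protocol = {}
    for suite in ctx.get_ciphers():
        by_protocol.setdefault(suite["protocol"], []).append(suite["name"])
    return by_protocol


def cipher_list_accepted(cipher_list):
    """True when OpenSSL accepts the cipher list, False when it reports
    'no cipher match' (surfaced by Python as ssl.SSLError)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    # Symptom 1: only the TLS 1.2 list was applied, yet OpenSSL's default
    # TLS 1.3 suites are offered ahead of it.
    for proto, names in offered_suites(TLS12_CIPHER_LIST).items():
        print(proto, " ".join(names))
    # Symptom 2: a list made only of TLS 1.3 names is rejected, which is the
    # "SSL_CTX_set_cipher_list:no cipher match" in the Tomcat stack trace.
    print("TLS 1.3-only list accepted:", cipher_list_accepted(TLS13_CIPHER_LIST))
```

Running it on a host with OpenSSL 1.1.1 or 3.x prints the TLS 1.3 defaults first, then the four configured TLS 1.2 suites in the given order, and `False` for the TLS 1.3-only list. The practical consequence for anyone auditing a server: the TLS 1.2 cipher string says nothing about what TLS 1.3 clients will negotiate, so the TLS 1.3 side has to be verified separately, exactly as the testssl run in the thread did.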



Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

2022-03-11 Thread Torsten Krah
Hi,

I am using Tomcat 9.0.59 and configured it like that:



...


Output is:

[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
[main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k  25 Mar 2021]


Using testssl I had a look on the ciphers configured and they match my
expectations for TLS 1.2 but the TLS 1.3 ones are ignored - the
standard ciphers activated in openssl are still used according to:

https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

Output of testssl:

 Cipher order
TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384        ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256  ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 x9f     DHE-RSA-AES256-GCM-SHA384     DH 4096    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x1301   TLS_AES_128_GCM_SHA256        ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 x9e     DHE-RSA-AES128-GCM-SHA256     DH 4096    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256


How to configure the TLS 1.3 ciphers?

kind regards

Torsten



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
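The testssl run in this post is the check that caught the problem, and it is worth automating: diff what the server actually offers against what the ciphers="..." attribute was meant to allow, per protocol version, after every configuration change. The block below is an added example, not code from the thread, from testssl or from Tomcat. It parses the "Cipher order" block and the per-suite table in the layout testssl printed above (the sample text is constructed from that output), maps OpenSSL names to IANA names using the table's own last column, and reports suites offered but never configured (unexpected exposure) and suites configured but not offered (silently dropped). Telling TLS 1.3 suites apart by the absence of "_WITH_" in the IANA name relies on the RFC 8446 naming convention, which is an assumption about the input rather than anything testssl guarantees.

```python
import re

# Constructed from the thread: the ciphers="..." attribute from server.xml
# and the relevant part of the testssl output Torsten posted.
CONFIGURED_CIPHERS = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
)

TESTSSL_OUTPUT = """\
 Cipher order
TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

Hexcode  Cipher Suite Name (OpenSSL)   KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384        ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256  ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384   ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 x9f     DHE-RSA-AES256-GCM-SHA384     DH 4096    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x1301   TLS_AES_128_GCM_SHA256        ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256   ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 x9e     DHE-RSA-AES128-GCM-SHA256     DH 4096    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

# Table row: hexcode, OpenSSL name, key exchange details, encryption, bits,
# IANA name. Only the OpenSSL and IANA names are needed for the mapping.
ROW_RE = re.compile(r"^\s*x[0-9a-f]+\s+(\S+)\s+.*?\s+\d+\s+(\S+)\s*$")
# "TLSv1.2:   name name ..." lines of the Cipher order block.
ORDER_RE = re.compile(r"^(TLSv1\.[0-3]):\s+(.*)$")


def parse_testssl(text):
    """Return {protocol: [IANA suite names in server preference order]}."""
    openssl_to_iana = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            openssl_to_iana[m.group(1)] = m.group(2)
    offered = {}
    for line in text.splitlines():
        m = ORDER_RE.match(line)
        if m:
            names = m.group(2).split()
            # TLS 1.3 names are identical in both spellings, so a missing
            # table entry falls back to the name itself.
            offered[m.group(1)] = [openssl_to_iana.get(n, n) for n in names]
    return offered


def is_tls13_suite(iana_name):
    """Assumption: RFC 8446 suite names have no key-exchange part and
    therefore no '_WITH_' (TLS_AES_128_GCM_SHA256 vs
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)."""
    return "_WITH_" not in iana_name


def compare(configured_csv, offered):
    """Per protocol family: suites offered but not configured ('unexpected')
    and suites configured but not offered ('missing')."""
    configured = [c.strip() for c in configured_csv.split(",") if c.strip()]
    want13 = {c for c in configured if is_tls13_suite(c)}
    want12 = set(configured) - want13
    got13 = set(offered.get("TLSv1.3", []))
    got12 = {n for proto, names in offered.items() if proto != "TLSv1.3" for n in names}
    return {
        "TLSv1.3": {"unexpected": sorted(got13 - want13), "missing": sorted(want13 - got13)},
        "TLSv1.2": {"unexpected": sorted(got12 - want12), "missing": sorted(want12 - got12)},
    }


if __name__ == "__main__":
    report = compare(CONFIGURED_CIPHERS, parse_testssl(TESTSSL_OUTPUT))
    for proto, findings in report.items():
        print(proto, findings)
```

On the thread's data the report is empty for TLS 1.2 and, for TLS 1.3, lists TLS_CHACHA20_POLY1305_SHA256 as unexpected and TLS_AES_128_CCM_SHA256 as missing: the same conclusion Torsten reached by eye, in a form that can gate a deployment.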