Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
On Thu, Oct 11, 2018 at 4:52 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Усманов,
>
> On 10/10/18 11:12 AM, Усманов Азат Анварович wrote:
> > Thanks Christopher, I already did. All that's left is to get the
> > latest patch backported to tomcat 7
>
> For APR, it shouldn't be too much of an issue; it's just about getting
> a qualifying tcnative build into tc7 and a little plumbing code.
>
> My *guess* right now is that Tomcat 7 will not get any back-ports for
> NIO[2] for either JSSE or OpenSSL, so Tomcat 7 will have incomplete
> TLSv1.3 support.

Tomcat 7 cannot get NIO2 (it needs Java 7), and it didn't get the OpenSSL engine either. So APR and vanilla JSSE with NIO (or java.io) are the only possibilities.

Rémy
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов,

On 10/10/18 11:12 AM, Усманов Азат Анварович wrote:
> Thanks Christopher, I already did. All that's left is to get the
> latest patch backported to tomcat 7

For APR, it shouldn't be too much of an issue; it's just about getting a qualifying tcnative build into tc7 and a little plumbing code.

My *guess* right now is that Tomcat 7 will not get any back-ports for NIO[2] for either JSSE or OpenSSL, so Tomcat 7 will have incomplete TLSv1.3 support.

-chris
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Thanks Christopher, I already did. All that's left is to get the latest patch backported to tomcat 7
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов,

On 10/6/18 17:27, Усманов Азат Анварович wrote:
> I've been searching the web for any idea why Chrome can throw an
> empty response error with tls1.3 and found this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at fedora, it
> looks like the same sort of a problem. Interestingly enough it does
> have a fix. My knowledge of C is quite limited, so could anyone
> please look at the patch provided by these guys and see if it is
> of any use in case of tomcat-native?

Have a look at the recent bug comments, especially Rainer's comment about Chrome/ff versions.

-chris
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
I've been searching the web for any idea why Chrome can throw an empty response error with tls1.3 and found this bug https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at fedora, it looks like the same sort of a problem. Interestingly enough it does have a fix. My knowledge of C is quite limited, so could anyone please look at the patch provided by these guys and see if it is of any use in case of tomcat-native?
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Do I need to file a separate feature request for Tomcat itself? The one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for the tomcat-native component. I looked through the Tomcat changelog, and I've found that previously TLS1.2 support was added via an enhancement request to tomcat native (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
I did file a feature enhancement in bugzilla:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Hi Chris! Yes, the ssllabs test does show TLS 1.0 and TLS 1.1 enabled when I omit the supported protocols attribute. The current version of the ssllabs server test uses the draft 28 version for TLS 1.3 testing, that is why I used the Chrome beta test. What steps do I need to take to file an enhancement request in Bugzilla? I'm a newbie to the tomcat users list
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it).

You mean that SSL Labs then tells you that other protocols are available (e.g. TLSv1.0, etc.)?

SSL Labs should tell you if TLSv1.3 is available, so testing with e.g. Chrome shouldn't be necessary.

> maxPostSize="10485760 " maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="2" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350" minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
> ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
> as tls 1.3 ciphers for tls 1.3, so my guess is that more work
> is required for tls 1.3 to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order to allow a TLSv1.3 handshake to succeed. But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
-chris

> From: Christopher Schultz
> Sent: September 18, 2018, 23:27
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>> using Apr/tomcat-native w OpenSSL for TLS connections.
>> (Tomcat-native 1.2.17 APR 1.6, OpenSSL 1.1.1 RHEL 6) Latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support, I have
>> upgraded to it successfully. My question is if and when
>> tomcat 7 will be upgraded to support TLS1.3 through w
>> APR/tomcat-native/OpenSSL? do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least until both Chrome and
>> Firefox release their browser updates for RFC8446 support
>> (which are both scheduled for mid-October, Chrome 70 and Firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
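A lint for the SSLCipherSuite value quoted in the message above, as an added example that is not code from the thread or from Tomcat: it separates TLS 1.3-style names from OpenSSL-style names, flags TLS 1.3-style names that RFC 8446 does not define, and can ask the local OpenSSL build whether it accepts each remaining name. The opening `<Connector port="8443"` and all function names are assumptions, and the sample holds only a subset of the posted attributes.

```python
import difflib
import ssl
import xml.etree.ElementTree as ET

# TLS 1.3 cipher suites defined in RFC 8446, Appendix B.4.
TLS13_SUITES = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"]

# Constructed sample: attribute values are taken from the posted connector;
# the opening tag and port are assumed because the post does not show them.
SAMPLE = """<Connector port="8443"
  protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
  SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,
    TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,
    ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256"/>"""

def split_suites(connector_xml):
    """Return (tls13_style, other) name lists from the SSLCipherSuite attribute."""
    value = ET.fromstring(connector_xml).get("SSLCipherSuite", "")
    names = value.replace(",", " ").replace(":", " ").split()
    # TLS 1.3 suite names carry no key-exchange part, hence no "_WITH_".
    tls13 = [n for n in names if n.startswith("TLS_") and "_WITH_" not in n]
    return tls13, [n for n in names if n not in tls13]

def lint_tls13(names):
    """Map each name that RFC 8446 does not define to the closest defined one."""
    bad = {}
    for name in names:
        if name not in TLS13_SUITES:
            close = difflib.get_close_matches(name, TLS13_SUITES, n=1)
            bad[name] = close[0] if close else None
    return bad

def rejected_by_local_openssl(names):
    """Names the local OpenSSL build cannot select (unknown or disabled)."""
    rejected = []
    for name in names:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(name)
        except ssl.SSLError:
            rejected.append(name)
    return rejected

if __name__ == "__main__":
    tls13, other = split_suites(SAMPLE)
    print("TLS 1.3-style names not in RFC 8446:", lint_tls13(tls13))
    print("rejected by local OpenSSL:", rejected_by_local_openssl(other))
```

The result of `rejected_by_local_openssl` depends on the OpenSSL build that Python is linked against, so run it on the host that will serve the connector.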
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Hi Christopher! I did remove supportedProtocols attribute entirely (SSL Labs server test confirms it). I also did install Chrome 70 beta and did enable TLS 1.3 final version in it, but the security tab in Chrome still shows tls 1.2 as my protocol and no tls 1.3. Here is my connector from the server.xml

I did put TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256 as tls 1.3 ciphers for tls 1.3, so my guess is that more work is required for tls 1.3 to work in my case

From: Christopher Schultz
Sent: September 18, 2018, 23:27
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

Усманов,

On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
> I have a java7 web application that runs on tomcat 7.0.70 I'm
> using Apr/tomcat-native w OpenSSL for TLS connections.
> (Tomcat-native 1.2.17 APR 1.6, OpenSSL 1.1.1 RHEL 6) Latest
> stable OpenSSL release (1.1.1) has TLS 1.3 support, I have upgraded
> to it successfully. My question is if and when tomcat 7 will
> be upgraded to support TLS1.3 through w APR/tomcat-native/OpenSSL?
> do such plans even exist?

Try not specifying any "supported protocol" (e.g. allow all protocol flavors), and OpenSSL should allow TLSv1.3 to be negotiated.

> I'm guessing it will not happen at least until both Chrome and
> Firefox release their browser updates for RFC8446 support
> (which are both scheduled for mid-October, Chrome 70 and Firefox 63)
> but would like to know more about it

I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should "just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by default which might make things tricky when trying to accept "all protocols" as described above.

Please let me know if you have any success with an out-of-the-box Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in Tomcat that might *prevent* TLSv1.3 from being available.

-chris
Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов,

On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
> I have a java7 web application that runs on tomcat 7.0.70 I'm
> using Apr/tomcat-native w OpenSSL for TLS connections.
> (Tomcat-native 1.2.17 APR 1.6, OpenSSL 1.1.1 RHEL 6) Latest
> stable OpenSSL release (1.1.1) has TLS 1.3 support, I have upgraded
> to it successfully. My question is if and when tomcat 7 will
> be upgraded to support TLS1.3 through w APR/tomcat-native/OpenSSL?
> do such plans even exist?

Try not specifying any "supported protocol" (e.g. allow all protocol flavors), and OpenSSL should allow TLSv1.3 to be negotiated.

> I'm guessing it will not happen at least until both Chrome and
> Firefox release their browser updates for RFC8446 support
> (which are both scheduled for mid-October, Chrome 70 and Firefox 63)
> but would like to know more about it

I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should "just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by default which might make things tricky when trying to accept "all protocols" as described above.

Please let me know if you have any success with an out-of-the-box Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in Tomcat that might *prevent* TLSv1.3 from being available.

-chris
TLS1.3 support for tomcat 7 with APR/tomcat-native
Hi everyone! I have a java7 web application that runs on tomcat 7.0.70 I'm using Apr/tomcat-native w OpenSSL for TLS connections. (Tomcat-native 1.2.17 APR 1.6, OpenSSL 1.1.1 RHEL 6) Latest stable OpenSSL release (1.1.1) has TLS 1.3 support, I have upgraded to it successfully. My question is if and when tomcat 7 will be upgraded to support TLS1.3 through w APR/tomcat-native/OpenSSL? do such plans even exist? I'm guessing it will not happen at least until both Chrome and Firefox release their browser updates for RFC8446 support (which are both scheduled for mid-October, Chrome 70 and Firefox 63) but would like to know more about it