AW: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> -Ursprüngliche Nachricht- > Von: Torsten Krah > Gesendet: Freitag, 11. März 2022 10:30 > An: users@tomcat.apache.org > Betreff: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok) > > Am Freitag, dem 11.03.2022 um 09:17 + schrieb Thomas Hoffmann > (Speed4Trade GmbH): > > The configuration which works for me is: > > > > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > > > > > > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImpl > > ementation" > > > >maxThreads="150" minSpareThreads="25" > > > >URIEncoding="UTF-8" useBodyEncodingForURI="false" > > > >enableLookups="false" disableUploadTimeout="true" > > > >acceptCount="100" scheme="https" secure="true" > > > >SSLEnabled="true"> > > > > > > > disab > > leSessionTickets="true" > > > > honor > > CipherOrder="false" > > > > proto > > cols="+TLSv1.2,+TLSv1.3"> > > > I am using: > > protocol="org.apache.coyote.http11.Http11Nio2Protocol" > > and in combination with the native APR in place it does the correct thing, > using OpenSSL - and the error shows that this is in place. > > The list of protocols can be either of those - see the > https://tomcat.apache.org/tomcat-9.0-doc/config/http.html ciphers docs: > > > The ciphers to enable using the OpenSSL syntax. (See the OpenSSL > documentation for the list of ciphers supported and the syntax). > Alternatively, a comma separated list of ciphers using the standard > OpenSSL cipher names or the standard JSSE cipher names may be used. > > > Your example does not have any TLS 1.3 cipher listet - so you just get > the 3 defaults (which I want / need to change) - and as seen in the > code it won't work anyway, because it does not call: > > SSL_CTX_set_ciphersuites() > > to set the 1.3 suites. > > kind regards > > Torsten > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org Hello Torsten, that article seems to confirm your research on this topic: https://stackoverflow.com/questions/68802712/tomcat-9-0-48not-starting-with-tlsv1-3-and-explicit-ciphers-in-server-xml-ssl Seems to only work with Java implementation, not with openssl at the moment.
AW: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> -Ursprüngliche Nachricht- > Von: Torsten Krah > Gesendet: Freitag, 11. März 2022 10:01 > An: users@tomcat.apache.org > Betreff: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok) > > Am Freitag, dem 11.03.2022 um 08:52 + schrieb Thomas Hoffmann > (Speed4Trade GmbH): > > Hello, > > > > the protocol attribute looks a bit strange. > > > > I think it should be: > > > > protocols="+TLSv1.2,+TLSv1.3"> > > I tried standalone TLS 1.3 like you suggested: > > protocols="+TLSv1.3" > > still the same exception: > > > 11-Mar-2022 09:57:41.996 WARNUNG [main] > org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim > initialisieren des SSL Contexts > java.lang.Exception: Unable to configure permitted SSL ciphers > (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match) > > > kind regards > > Torsten > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org Hello, Java and openssl uses different naming. So sslImplementationName is also important. The configuration which works for me is: ... Greetings, Thomas
AW: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> -Ursprüngliche Nachricht- > Von: Torsten Krah > Gesendet: Freitag, 11. März 2022 09:35 > An: users@tomcat.apache.org > Betreff: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok) > > Hi, > > I am using Tomcat 9.0.59 and configured it like that: > > > ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES > _128_CCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_EC > DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GC > M_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"> > ... > > > Output is: > > [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded > Apache Tomcat Native library [1.2.31] using APR version [1.7.0]. > [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR > capabilities: IPv6 [true], sendfile [true], accept filters [false], random > [true], > UDS [true]. > [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent > APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true] > [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL > successfully initialized [OpenSSL 1.1.1k 25 Mar 2021] > > > Using testssl I had a look on the ciphers configured and they match my > expectations for TLS 1.2 but the TLS 1.3 ones are ignored - the standard > ciphers activated in openssl are still used according to: > > https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites > > Output of testssl: > > Cipher order > TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM- > SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 > TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 > TLS_AES_128_GCM_SHA256 > > Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits > Cipher Suite Name (IANA/RFC) > -- > --- > x1302 TLS_AES_256_GCM_SHA384ECDH 253 AESGCM 256 > TLS_AES_256_GCM_SHA384 > x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20256 > TLS_CHACHA20_POLY1305_SHA256 > xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 > x9f DHE-RSA-AES256-GCM-SHA384 DH 4096AESGCM 256 > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 > x1301 TLS_AES_128_GCM_SHA256ECDH 253 AESGCM 128 > TLS_AES_128_GCM_SHA256 > xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > x9e DHE-RSA-AES128-GCM-SHA256 DH 4096AESGCM 128 > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 > > > How to configure the TLS 1.3 ciphers? > > kind regards > > Torsten > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org Hello, the protocol attribute looks a bit strange. I think it should be: protocols="+TLSv1.2,+TLSv1.3">