RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread George Stanchev
So it seems to work. For whoever is interested to try, the openjsse comes 
prebundled with Azul's distro, all you need to do is run with -XX:+UseOpenJSSE 
command line option. On TC side, I added "TLSv1.3" to "sslEnabledProtocols":

sslEnabledProtocols="+TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3"

Also not sure if I had to but also added the 1.3 ciphers under ciphers 
attribute:

ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, 
TLS_CHACHA20_POLY1305_SHA256,"

I am getting some socket warnings though [1]. Anyone knows if those are benign?

George


[1]

ERROR 2019-08-02 13:25:31,425 [SYSERR] -- [] 
javax.net.ssl|DEBUG|01|main|2019-08-02 13:24:51.000 
MDT|SSLCipher.java:436|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 
2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.228 
MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 
MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Socket.java:1553)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
at java.lang.System$2.invokeFinalize(System.java:1270)
at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}

)
javax.net.ssl|DEBUG|03|Finalizer|2019-08-02 13:24:51.230 
MDT|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|03|Finalizer|2019-08-02 13:24:51.230 
MDT|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Socket.java:1553)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(BaseSSLSocketImpl.java:233)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:561)
at 
org.openjsse.sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
at 
org.openjsse.sun.security.ssl.BaseSSLSocketImpl.finalize(BaseSSLSocketImpl.java:276)
at java.lang.System$2.invokeFinalize(System.java:1270)
at java.lang.ref.Finalizer.runFinalizer(Finalizer.java:102)
at java.lang.ref.Finalizer.access$100(Finalizer.java:34)
at java.lang.ref.Finalizer$FinalizerThread.run(Finalizer.java:217)}

)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 
MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (13,172)": {

}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 
MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (22)": {

}
)
javax.net.ssl|DEBUG|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.164 
MDT|SSLExtensions.java:132|Ignore unknown or unsupported extension (
"unknown extension (49)": {

}
)
javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 
MDT|SignatureScheme.java:282|Signature algorithm, ed25519, is not supported by 
the underlying providers
javax.net.ssl|WARNING|3E|https-jsse-nio-8243-exec-2|2019-08-02 13:25:31.169 
MDT|SignatureScheme.java:282|Signature algorithm, ed448, is not supported by 
the underlying providers


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-06 Thread Berneburg, Cris J. - US
-Original Message-
From: Christopher Schultz  

> "things to look into when I retire and my house is totally clean and
> my kids are finally out of the house" so of course, I'll never get around to 
> it.

+1  :-)

--
Cris Berneburg
CACI Lead Software Engineer


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-02 Thread George Stanchev
Chris,

We have done several product releases on Azul, also running our SaaS instances 
without any issues. Granted, we're Windows-only product but I know other 
products within my company that switched to it from Oracle's Java that have not 
had any issues. When Oracle changed its license agreement for Java last year we 
were given two vendors that are allowed to be used - Azul and AdoptOpenJDK. 
Azul so far has been more consistent and timely in its releases where we found 
AOJ somewhat lagging (they had issues with certificates, file signatures and 
DLL properties identifying the vendor in the past) . We do use AOJ for 
Java+OpenJ9 VM distros though...

George

-Original Message-
From: Christopher Schultz  
Sent: Thursday, August 01, 2019 5:48 PM
To: users@tomcat.apache.org
Subject: Re: [OT] TLSv1.3 in TC8.5 + Azul Java 8

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

George,

On 8/1/19 16:42, George Stanchev wrote:
> As of recently Azul has backported the JSSE from Java 11 into Java
> 8 [1] and it is currently offering TLSv1.3 support in its Java 8 
> distro [2].

Good for them. It's too bad Oracle is so conservative with its policies.

I have Azul on my list of "things to look into when I retire and my house is 
totally clean and my kids are finally out of the house" so of course, I'll 
never get around to it.

I'm curious about your (and others') experiences with it.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl1DeiwACgkQHPApP6U8
pFipBA//fOTHrORxRD5OZqfigFAf7cACtsoYuJlAvh255BiJfybNg0pnBlDoIROE
DCLt2Q2QQcBWUG/eeBIopdv7xeEaVaLNMl6on8CHqSdwetL9RQle1MWBG7ECexT5
ekNdspdBXb8FHatmyxfeuP80fzhJSJka+w44FdIl6tgR4WhlUnNuiYgjx2YGrycu
BFyGJEmanlm96JUoAMfUqzPYd7+dxvhFR3reFo5XMq7efw9EFy31IONYRpKgIYnL
PkYdZigGrHEtDS1DavasDTdgTC61uncaSDcbR68KMDPfgjC7NYk2v3/SZH6A0HBN
rxWt7ADGhuioTf62e6LBxd14BveHJjtbpOsfDbKk/wIGH0U3W39MOsixgPVjJl+Y
0Tza6h3aEF8tRxTrEpQPvk4jvqDQ7uwBPvgerXfEuarECoj5zuTllzvCjPjxe9h5
vdzZNi5BwBNr3rXLRFT4nYuLMPP7bJURNZUbSxrwqVpepVDPkWWZ2Y9AGr4zT0Ld
S967tDXrCsgCy8Gh5MnLcUIe9Fso8tslLMueTy227amY7lK5SvKpFeLMp9sAGPqc
NAsoCYsv6V6jpM4kbDSw5QzQKqsF/dKgJgnEGqEORDbwTOUwQeV6AYbsvyFovaT0
EkVfc8A8KLf74qD3Y6Hz0AZuACVVUac3H9D2ctDPfUUca+ndYOo=
=lseS
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] TLSv1.3 in TC8.5 + Azul Java 8

2019-08-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

George,

On 8/1/19 16:42, George Stanchev wrote:
> As of recently Azul has backported the JSSE from Java 11 into Java
> 8 [1] and it is currently offering TLSv1.3 support in its Java 8
> distro [2].

Good for them. It's too bad Oracle is so conservative with its policies.

I have Azul on my list of "things to look into when I retire and my
house is totally clean and my kids are finally out of the house" so of
course, I'll never get around to it.

I'm curious about your (and others') experiences with it.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl1DeiwACgkQHPApP6U8
pFipBA//fOTHrORxRD5OZqfigFAf7cACtsoYuJlAvh255BiJfybNg0pnBlDoIROE
DCLt2Q2QQcBWUG/eeBIopdv7xeEaVaLNMl6on8CHqSdwetL9RQle1MWBG7ECexT5
ekNdspdBXb8FHatmyxfeuP80fzhJSJka+w44FdIl6tgR4WhlUnNuiYgjx2YGrycu
BFyGJEmanlm96JUoAMfUqzPYd7+dxvhFR3reFo5XMq7efw9EFy31IONYRpKgIYnL
PkYdZigGrHEtDS1DavasDTdgTC61uncaSDcbR68KMDPfgjC7NYk2v3/SZH6A0HBN
rxWt7ADGhuioTf62e6LBxd14BveHJjtbpOsfDbKk/wIGH0U3W39MOsixgPVjJl+Y
0Tza6h3aEF8tRxTrEpQPvk4jvqDQ7uwBPvgerXfEuarECoj5zuTllzvCjPjxe9h5
vdzZNi5BwBNr3rXLRFT4nYuLMPP7bJURNZUbSxrwqVpepVDPkWWZ2Y9AGr4zT0Ld
S967tDXrCsgCy8Gh5MnLcUIe9Fso8tslLMueTy227amY7lK5SvKpFeLMp9sAGPqc
NAsoCYsv6V6jpM4kbDSw5QzQKqsF/dKgJgnEGqEORDbwTOUwQeV6AYbsvyFovaT0
EkVfc8A8KLf74qD3Y6Hz0AZuACVVUac3H9D2ctDPfUUca+ndYOo=
=lseS
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org