On 3/13/19, 2:53 PM, Christopher Schultz wrote:

7: https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

8: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

If you are using a non-standard "provider" (like one from IBM!), then
you'll have to read their documentation to find out what they provide.

Dear Mr. Schultz:

I was able to do a bit of trial-and-error this afternoon.

I found that on an AS/400 running Tomcat 7.0.47 under Java 7, with IBM JSSE (see <https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html> for reference):

If I specified
sslProtocol="TLSv1.1,TLSv1.2"

then connector initialization blew up.

If I specified
sslProtocol="TLSv1.2"

then connector initialization didn't blow up, but neither did I get TLSv1.2.

If I specified
sslEnabledProtocols="TLSv1.1,TLSv1.2" sslProtocol="TLSv1.1,TLSv1.2"

it blew up again. Apparently it doesn't like a comma-separated list for sslProtocol. This is what showed up in catalina.out:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-12.151.5.120-443"]
java.io.IOException: TLSv1.1,TLSv1.2 SSLContext not available
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:459)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:192)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:397)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:623)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        . . .
Caused by: java.security.NoSuchAlgorithmException: TLSv1.1,TLSv1.2 SSLContext not available
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:172)
        at javax.net.ssl.SSLContext.getInstance(SSLContext.java:26)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:472)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:433)
        . . .

But if I do
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="SSL_TLSv2"

(with "SSL_TLSv2" being an IBM special value for "anything that's enabled, up to and including TLSv1.2"), then it works, and indicates a TLSv1.2 connection, from a reasonably current version of Chrome, and also works from a very old Firefox that doesn't go past TLSv1.0.

And if I tweak the "sslEnabledProtocols" value, I can get it to reject 1.0, or reject 1.2, in predictable ways.

--
JHHL
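An added example, not Tomcat's or IBM's code, that reproduces the distinction the trace above exposes: sslProtocol is handed to SSLContext.getInstance() as a single algorithm name, while sslEnabledProtocols is the list that actually narrows the handshake. The class and its test cases are constructed for this thread; "TLS" is the generic context name from the SunProviders pages linked above, and the comma-splitting is assumed to match how Tomcat parses the attribute.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Pre-flight check for a Tomcat connector's TLS attributes (added example, not Tomcat's code).
// The stack trace in the thread shows sslProtocol passed verbatim to SSLContext.getInstance(),
// so it must be ONE algorithm name the JSSE provider knows; sslEnabledProtocols is the comma
// list applied per connection, which is where "reject 1.0" / "reject 1.2" is really decided.
public class ConnectorTlsCheck {

    // Protocols a server-side connection would offer, or the exception Tomcat would log at startup.
    static String[] effectiveProtocols(String sslProtocol, String sslEnabledProtocols)
            throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(sslProtocol); // "TLSv1.1,TLSv1.2" fails right here
        ctx.init(null, null, null);                           // default managers; we never handshake
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);                       // Tomcat is the server side
        if (sslEnabledProtocols != null) {
            // Split on commas, trimming whitespace (assumed to match how Tomcat parses the attribute).
            // IllegalArgumentException here means a listed name is unknown to this context.
            engine.setEnabledProtocols(sslEnabledProtocols.trim().split("\\s*,\\s*"));
        }
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) {
        // Constructed attribute pairs. "TLS" is the generic context name from the SunProviders
        // pages linked above; IBM's "SSL_TLSv2" from the post is provider-specific, so it is
        // left out of this portable list.
        String[][] cases = {
            {"TLSv1.1,TLSv1.2", "TLSv1.1,TLSv1.2"}, // blows up: a list is not an algorithm name
            {"TLS", "TLSv1.1,TLSv1.2"},             // generic context, list restricts the handshake
            {"TLS", "TLSv1.2"},                     // reject TLSv1 and TLSv1.1
        };
        for (String[] c : cases) {
            try {
                System.out.println(c[0] + " / " + c[1] + " -> "
                        + Arrays.toString(effectiveProtocols(c[0], c[1])));
            } catch (Exception e) {
                System.out.println(c[0] + " / " + c[1] + " -> " + e);
            }
        }
    }
}
```

Run it with the same java binary Tomcat uses (the IBM one on the AS/400) so it consults the same JSSE provider; the first case should report NoSuchAlgorithmException, and the remaining cases print the protocol set a client would actually be offered.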

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
