RE: Problem with OpenSSL cipher suites -what's wrong with this configuration?

Thu, 08 Aug 2019 02:16:07 -0700 

> > I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3  using
> > jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle
> > TLSv1.3 works, but I want to specify the allowed cipher suites as well.
> >
> > The relevant parts of server.xml are:
> > <Listener className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
> > ...
> > <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
> >               maxThreads="150" SSLEnabled="true"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
> >        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
> >        <SSLHostConfig protocols="TLSv1.3">
> >             <Certificate
> > certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
> >               certificateKeystorePassword="mypassword" 
> > certificateKeystoreAlias="myalias" />
> >        </SSLHostConfig>
> > </Connector>
> >
> > This configuration works!  When I connect to the server, Firefox says
> > under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256,
> > 128bit key, TLS 1.3).
> >
> > But when I try to specify the cipher suites like: <SSLHostConfig
> > protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
> 
> You have to use OpenSSL cipher names in this case. Like this...
> 
> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-
> RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
> SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
> SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-
> AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-
> SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">

This cipher suite works fine for TLSv1.2. However, I only want to use TLSv1.3 
with its cipher suites. 
I installed openssl 1.1.1c and if I type "openssl ciphers -s -tls1_3" openSSL 
will return
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
in exactly this spelling, with underscores, not with hyphens as in the other 
cipher suites. I tried it with hyphens in Tomcat - but
it does not work either.

Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. So 
is this possibly a bug in Tomcat with openSSL 1.1.1c
and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?

Kind regards,
Jessica

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to