Hi,

I am using Tomcat 9.0.59 and configured it like this:

<SSLHostConfig protocols="TLSv1.2+TLSv1.3" honorCipherOrder="true" 
ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256">
...
</SSLHostConfig>

Output is:

[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
[main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
[main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k  25 Mar 2021]


Using testssl I had a look at the configured ciphers, and they match my
expectations for TLS 1.2, but the TLS 1.3 ones are ignored - the
standard ciphers activated in OpenSSL are still used, according to:

https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

Output of testssl:

 Cipher order
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 4096    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 4096    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256


How do I configure the TLS 1.3 ciphers?

kind regards

Torsten
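A check for the mismatch described in the mail above, as an added example that is not part of the original post: it parses the `ciphers` attribute of the SSLHostConfig and the testssl "Cipher order" output quoted above (both embedded inline), maps the OpenSSL names via testssl's hexcode table, and reports per protocol which configured suites the server does not offer, which offered suites were never configured, and whether the preference order matches. The "_WITH_" test for telling TLS 1.3 suite names apart is a heuristic assumed here.

```python
import re

# Added example, not code from the mail. Inputs are the SSLHostConfig 'ciphers'
# attribute and the testssl output quoted in the mail, embedded as constants.
CONFIGURED = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
)
TESTSSL_OUTPUT = """\
 Cipher order
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 4096    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 4096    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

def openssl_to_iana(output):
    """Map OpenSSL cipher names to IANA names using testssl's hexcode table."""
    rows = re.finditer(r"^\s*x[0-9a-f]+\s+(\S+)\s.*\s(TLS_\S+)\s*$", output, re.M)
    return {m.group(1): m.group(2) for m in rows}

def observed_order(output):
    """Return {protocol: [IANA names in the server's preference order]}."""
    names = openssl_to_iana(output)
    return {m.group(1): [names.get(c, c) for c in m.group(2).split()]
            for m in re.finditer(r"^\s+(TLSv1\.[23]):\s+(.*)$", output, re.M)}

def is_tls13(name):
    # Heuristic (assumption): TLS 1.3 suite names carry no key-exchange "_WITH_" part.
    return "_WITH_" not in name

def compare(configured, output):
    """Per protocol: configured suites the server does not offer, offered
    suites that were never configured, and whether the order matches."""
    conf = configured.split(",")
    report = {}
    for proto, offered in observed_order(output).items():
        want = [c for c in conf if is_tls13(c) == (proto == "TLSv1.3")]
        report[proto] = {
            "missing": [c for c in want if c not in offered],
            "unexpected": [c for c in offered if c not in want],
            "order_matches": [c for c in want if c in offered] == offered,
        }
    return report
```

On the quoted output this flags TLS_AES_128_CCM_SHA256 as configured but not offered and TLS_CHACHA20_POLY1305_SHA256 as offered but not configured for TLS 1.3, while TLS 1.2 matches exactly.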
