Interesting exception on startup when using TLS 1.3 only - configured
the connector like this:

<SSLHostConfig protocols="TLSv1.3" honorCipherOrder="true"
               ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256">
</SSLHostConfig>

using only TLS 1.3 and the configured ciphers but now I get this on startup:

11-Mar-2022 09:43:42.753 WARNUNG [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim initialisieren des SSL Contexts
        java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
                at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
                at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:329)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:144)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:568)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)


The cipher names do match:

https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

and

https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4


I am lost at that point, maybe someone has an idea.

kind regards

Torsten
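
Editor's added example, not part of the original post and not Tomcat code: the error above is raised by OpenSSL's SSL_CTX_set_cipher_list, which selects suites for TLS 1.2 and earlier only (TLS 1.3 suites are configured through the separate SSL_CTX_set_ciphersuites call). Python's ssl.SSLContext.set_ciphers() wraps the same OpenSSL function, so the sketch below reproduces the "no cipher match" behaviour with the post's cipher string; it assumes Python linked against OpenSSL 1.1.1 or later, and the TLS 1.2 suite name is a constructed comparison value.

```python
import ssl

# Cipher string from the post's SSLHostConfig (OpenSSL accepts commas as separators).
TLS13_ONLY = "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256"
# Constructed comparison value: a TLS 1.2 suite in OpenSSL naming.
TLS12_NAME = "ECDHE-RSA-AES128-GCM-SHA256"


def cipher_list_accepted(cipher_string):
    """Return True if OpenSSL's cipher-list API accepts the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list
    except ssl.SSLError:
        # Python reports the "no cipher match" case as SSLError.
        return False
    return True


def tls13_suites_after(cipher_string):
    """Names of the TLS 1.3 suites still enabled after setting a cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # TLS 1.3 only, as in the post
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def report():
    """Collect the three observations in one dictionary."""
    return {
        # TLS 1.3 names alone leave the TLS 1.2 cipher list empty, so it is rejected.
        "tls13_names_accepted": cipher_list_accepted(TLS13_ONLY),
        # A TLS 1.2 name is what this API expects.
        "tls12_name_accepted": cipher_list_accepted(TLS12_NAME),
        # The cipher list does not remove the library's TLS 1.3 suites.
        "tls13_still_enabled": tls13_suites_after(TLS12_NAME),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```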

