On Fri, Mar 11, 2022 at 6:58 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Torsten,
>
> On 3/11/22 06:03, Torsten Krah wrote:
> >> It seems to me you are listing a cipher that might be correct
> >> according to the OpenSSL documentation, but then whether that is
> >> available to your JVM may be different.
> >
> > That is for sure not the problem - just use the "ciphers.sh" from the
> > binary directory of tomcat which will list you all possible ciphers you
> > can use - and those match the ones I want to use.
> >
> >>
> >> Maybe you can run some small java application on the very same JVM to
> >> simply list the supported ciphers? At least that would give you an
> >> authoritative list of ciphers you can put into the configuration file.
> >
> > No need for that, tomcat already has that - use ciphers.sh .
> >
> > As Thomas found, it is a known bug / missing feature of tomcat - you
> > can't configure TLS 1.3 ciphers in tomcat yet if you want to use the
> > OpenSSL native implementation and Mark Thomas confirmed that here:
> >
> > https://lists.apache.org/thread/q8lmp40xkn0b4k4o6n05n9fyttlvmd22
> >
> > That was 08/2019 - but it still is unsupported in 03/2022 - maybe I'll
> > do a patch for that one ;).
>
> If you do, please make sure you use appropriate #ifdefs in order to
> allow it to compile against multiple versions of OpenSSL, not just
> whatever version you happen to have installed on your local machine.

I used Panama for prototyping, SSL_CTX_set_ciphersuites works but is not so trivial to use. If you try using the ciphersuite for more than 1.3, there will be warnings (which I improved), and the default Tomcat uses also does not make sense for 1.3. I wonder if it should revert to not setting anything in that case (which would need some more changes).

Rémy

> -chris
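
As an added example (not part of the thread, and not Tomcat or tomcat-native code): OpenSSL takes TLS 1.3 suites through `SSL_CTX_set_ciphersuites` and older ciphers through `SSL_CTX_set_cipher_list`, so a mixed configuration string has to be split before either call. The function names and the colon-only separator are assumptions of this sketch, and the OpenSSL calls appear only in a comment so the block compiles without OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/* TLS 1.3 suite names as OpenSSL spells them. */
static const char *const TLS13_SUITES[] = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256", NULL };

static int is_tls13_suite(const char *s, size_t len) {
    for (size_t i = 0; TLS13_SUITES[i]; i++)
        if (strlen(TLS13_SUITES[i]) == len && !memcmp(TLS13_SUITES[i], s, len))
            return 1;
    return 0;
}

/* Append one entry to a colon-separated list; -1 if dst is too small. */
static int append_entry(char *dst, size_t cap, const char *s, size_t len) {
    size_t used = strlen(dst);
    if (used + (used ? 1 : 0) + len + 1 > cap) return -1;
    if (used) dst[used++] = ':';
    memcpy(dst + used, s, len);
    dst[used + len] = '\0';
    return 0;
}

/* Split a mixed list (hypothetical helper). Returns the number of
 * TLS 1.3 suites found, or -1 if an output buffer is too small. */
int split_cipher_config(const char *mixed, char *tls13, size_t cap13,
                        char *legacy, size_t capleg) {
    int n13 = 0;
    tls13[0] = legacy[0] = '\0';
    while (*mixed) {
        size_t len = strcspn(mixed, ":");
        int is13 = is_tls13_suite(mixed, len);
        if (len && append_entry(is13 ? tls13 : legacy,
                                is13 ? cap13 : capleg, mixed, len) < 0)
            return -1;
        n13 += is13;
        mixed += len;
        if (*mixed == ':') mixed++;
    }
    return n13;
}
/* Applying the result (not compiled here): SSL_CTX_set_cipher_list(ctx, legacy);
 * then, inside #if OPENSSL_VERSION_NUMBER >= 0x10101000L (1.1.1 added the call),
 * SSL_CTX_set_ciphersuites(ctx, tls13) only when n13 > 0, so that OpenSSL's
 * default TLS 1.3 suites stay in place when none were configured. */
int main(void) {
    char t13[256], leg[256]; /* the input string is a constructed sample */
    int n = split_cipher_config("TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384",
                                t13, sizeof t13, leg, sizeof leg);
    printf("%d TLS 1.3: %s | legacy: %s\n", n, t13, leg);
    return 0;
}
```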