Thanks Christopher, I already did. All that's left is to get the latest patch backported to Tomcat 7.
________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: 10 October 2018 17:47:47
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

Усманов,

On 10/6/18 17:27, Усманов Азат Анварович wrote:
> I've been searching the web for any idea why Chrome can throw an
> empty response error with TLS 1.3 and found this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at Fedora. It
> looks like the same sort of problem; interestingly enough, it does
> have a fix. My knowledge of C is quite limited, so could anyone
> please look at the patch provided by these guys and see if it is
> of any use in the case of tomcat-native?

Have a look at the recent bug comments, especially Rainer's comment
about Chrome/FF versions.

-chris

> ________________________________
> From: Усманов Азат Анварович <usma...@ieml.ru>
> Sent: 25 September 2018 11:39
> To: Tomcat Users List
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Do I need to file a separate feature request for Tomcat itself? The
> one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748)
> is for the tomcat-native component. Looking through the Tomcat
> changelog, I found that TLS 1.2 support was previously added via an
> enhancement request to tomcat-native
> (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).
>
> ________________________________
> From: Усманов Азат Анварович <usma...@ieml.ru>
> Sent: 20 September 2018 12:05:07
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> I did file a feature enhancement in Bugzilla:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
>
> ________________________________
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: 19 September 2018 23:31:28
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/19/18 05:56, Усманов Азат Анварович wrote:
>> Hi Christopher! I did remove the supportedProtocols attribute
>> entirely (SSL Labs server test confirms it).
>
> You mean that SSL Labs then tells you that other protocols are
> available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3
> is available, so testing with e.g. Chrome shouldn't be necessary.
>
>> <Connector allowTrace="false" server=" " port="8443"
>>   maxPostSize="10485760 " maxHttpHeaderSize="1048576"
>>   protocol="org.apache.coyote.http11.Http11AprProtocol"
>>   connectionTimeout="20000" redirectPort="8443"
>>   SSLHonorCipherOrder="true"
>>   SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>>   SSLCertificateKeyFile="/home/idis/server.key"
>>   SSLCertificateChainFile="/home/idis/authorities.crt"
>>   maxThreads="350" minSpareThreads="25" SSLEnabled="true"
>>   enableLookups="false" disableUploadTimeout="true"
>>   acceptCount="100" scheme="https" secure="true"
>>   compression="force"
>>   SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>>
>> I did put
>> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
>> as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
>> is required for TLS 1.3 to work in my case.
>
> Yes, you will definitely have to mention the TLSv1.3 ciphers in
> order to allow a TLSv1.3 handshake to succeed.
>
> But yes, it does indeed look like Tomcat requires some work.
>
> Can you please file an enhancement request in Bugzilla?
>
> Thanks,
> -chris
>
>> ________________________________
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: 18 September 2018 23:27
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>>
>> Усманов,
>>
>> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>>> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
>>> using APR/tomcat-native with OpenSSL for TLS connections
>>> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
>>> stable OpenSSL release (1.1.1) has TLS 1.3 support; I have
>>> upgraded to it successfully. My question is if and when
>>> Tomcat 7 will be upgraded to support TLS 1.3 through
>>> APR/tomcat-native/OpenSSL. Do such plans even exist?
>>
>> Try not specifying any "supported protocol" (e.g. allow all
>> protocol flavors), and OpenSSL should allow TLSv1.3 to be
>> negotiated.
>>
>>> I'm guessing it will not happen at least until both Chrome
>>> and Firefox release their browser updates for RFC 8446
>>> support (which are both scheduled for mid-October: Chrome 70 and
>>> Firefox 63), but I would like to know more about it.
>>
>> I for one would like to see TLSv1.3 supported as quickly as
>> possible.
>>
>> The OpenSSL project states that 1.1.1 is a drop-in API- and
>> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3
>> should "just work" under certain conditions.
>>
>> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
>> by default which might make things tricky when trying to accept
>> "all protocols" as described above.
>>
>> Please let me know if you have any success with an
>> out-of-the-box Tomcat 7.0.70 and APR/tcnative. I'll see what if
>> anything is in Tomcat that might *prevent* TLSv1.3 from being
>> available.
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
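The Connector quoted in the thread above mixes TLS 1.3 suite names (RFC 8446 style, e.g. TLS_AES_256_GCM_SHA384) with OpenSSL cipher-list names (e.g. ECDHE-RSA-AES128-GCM-SHA256) in a single SSLCipherSuite attribute. In OpenSSL 1.1.1 those two families are configured through different calls (SSL_CTX_set_ciphersuites() for TLS 1.3, SSL_CTX_set_cipher_list() for TLS 1.2 and earlier), so a misspelled TLS 1.3 name silently fails to enable the suite the operator intended. The following Python script is an added example, not code from the thread, from Tomcat or from tomcat-native: it splits such an attribute value into the two families and checks the TLS 1.3 names against the five suites registered in RFC 8446, suggesting the closest registered name for anything unknown. The sample value is the SSLCipherSuite string from the thread; function names and the report layout are this example's own.

```python
"""Audit the TLS 1.3 portion of a Tomcat SSLCipherSuite attribute value.

Added example for the mailing-list thread above; not Tomcat or tomcat-native
code. TLS 1.3 suites are named in the IANA style ("TLS_" prefix, underscores),
legacy OpenSSL cipher names use dashes, so the prefix is enough to split them.
"""
import difflib
import re

# The five TLS 1.3 cipher suites defined in RFC 8446, Appendix B.4,
# with their IANA code points.
RFC8446_SUITES = {
    "TLS_AES_128_GCM_SHA256": 0x1301,
    "TLS_AES_256_GCM_SHA384": 0x1302,
    "TLS_CHACHA20_POLY1305_SHA256": 0x1303,
    "TLS_AES_128_CCM_SHA256": 0x1304,
    "TLS_AES_128_CCM_8_SHA256": 0x1305,
}

# The SSLCipherSuite value from the Connector quoted in the thread.
THREAD_CIPHER_SUITE = (
    "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,"
    "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,"
    "ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,"
    "ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,"
    "ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,"
    "ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,"
    "ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"
)


def split_cipher_suite(value):
    """Split a comma- or colon-separated SSLCipherSuite value into
    (tls13_names, legacy_tokens), preserving order within each list."""
    tls13, legacy = [], []
    for tok in re.split(r"[,:]", value):
        tok = tok.strip()
        if not tok:
            continue
        # RFC 8446 names: "TLS_" prefix and underscores in the remainder.
        if tok.startswith("TLS_") and "_" in tok[4:]:
            tls13.append(tok)
        else:
            legacy.append(tok)
    return tls13, legacy


def check_tls13_suites(names):
    """Return [(name, verdict)] for each TLS 1.3 name: 'ok 0xNNNN' with the
    IANA code point, or 'unknown', optionally with the closest RFC 8446 name."""
    report = []
    for name in names:
        if name in RFC8446_SUITES:
            report.append((name, "ok 0x%04x" % RFC8446_SUITES[name]))
            continue
        close = difflib.get_close_matches(name, list(RFC8446_SUITES), n=1, cutoff=0.8)
        if close:
            report.append((name, "unknown (did you mean %s?)" % close[0]))
        else:
            report.append((name, "unknown"))
    return report


def audit_cipher_suite(value):
    """Summarise how many TLS 1.3 suites the value configures, how many of
    them are real RFC 8446 suites, and which entries need attention."""
    tls13, legacy = split_cipher_suite(value)
    problems = [(n, v) for n, v in check_tls13_suites(tls13) if not v.startswith("ok")]
    return {
        "tls13_configured": len(tls13),
        "tls13_valid": len(tls13) - len(problems),
        "legacy_tokens": len(legacy),
        "problems": problems,
    }


if __name__ == "__main__":
    result = audit_cipher_suite(THREAD_CIPHER_SUITE)
    print("TLS 1.3 suites configured: %d, valid: %d, legacy tokens: %d" % (
        result["tls13_configured"], result["tls13_valid"], result["legacy_tokens"]))
    for name, verdict in result["problems"]:
        print("  %s: %s" % (name, verdict))
```

Run against the thread's value, the script reports three TLS 1.3 entries of which two are valid, and flags TLS_CHACHA20_POLY1305_SHA384 as unknown with TLS_CHACHA20_POLY1305_SHA256 as the nearest registered name. The legacy tokens are only counted here; validating them needs the OpenSSL build's own cipher table (openssl ciphers -v), which this offline check does not embed.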