Усманов,

On 10/10/18 11:12 AM, Усманов Азат Анварович wrote:
> Thanks Christopher, I already did. All that's left is to get the
> latest patch backported to tomcat 7

For APR, it shouldn't be too much of an issue; it's just about getting
a qualifying tcnative build into tc7 and a little plumbing code.

My *guess* right now is that Tomcat 7 will not get any back-ports for
NIO[2] for either JSSE or OpenSSL, so Tomcat 7 will have incomplete
TLSv1.3 support.

-chris

> ________________________________
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: 10 October 2018 17:47:47
> To: users@tomcat.apache.org
> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 10/6/18 17:27, Усманов Азат Анварович wrote:
>> I've been searching the web for any idea why Chrome can throw an
>> empty response error with tls1.3 and found this bug
>> https://bugzilla.redhat.com/show_bug.cgi?id=1619389 at fedora;
>> it looks like the same sort of a problem. Interestingly enough it
>> does have a fix. My knowledge of C is quite limited, so could
>> anyone please look at the patch provided by these guys and see
>> if it is of any use in case of tomcat-native?
>
> Have a look at the recent bug comments, especially Rainer's
> comment about Chrome/ff versions.
>
> -chris
>
>> ________________________________
>> From: Усманов Азат Анварович <usma...@ieml.ru>
>> Sent: 25 September 2018 11:39
>> To: Tomcat Users List
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>>
>> Do I need to file a separate feature request for Tomcat itself?
>> The one I already filed
>> (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for
>> the tomcat-native component. Looking through the Tomcat changelog,
>> I found that previously TLS1.2 support was added via an
>> enhancement request to tomcat-native
>> (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).
>>
>> ________________________________
>> From: Усманов Азат Анварович <usma...@ieml.ru>
>> Sent: 20 September 2018 12:05:07
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>>
>> I did file a feature-enhancement in bugzilla
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
>>
>> ________________________________
>> From: Christopher Schultz <ch...@christopherschultz.net>
>> Sent: 19 September 2018 23:31:28
>> To: users@tomcat.apache.org
>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>>
>> Усманов,
>>
>> On 9/19/18 05:56, Усманов Азат Анварович wrote:
>>> Hi Christopher! I did remove the supportedProtocols attribute
>>> entirely (SSL Labs server test confirms it).
>>
>> You mean that SSL Labs then tells you that other protocols are
>> available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if
>> TLSv1.3 is available, so testing with e.g. Chrome shouldn't be
>> necessary.
>>
>>> <Connector allowTrace="false" server=" " port="8443"
>>>            maxPostSize="10485760 " maxHttpHeaderSize="1048576"
>>>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>            connectionTimeout="20000" redirectPort="8443"
>>>            SSLHonorCipherOrder="true"
>>>            SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
>>>            SSLCertificateKeyFile="/home/idis/server.key"
>>>            SSLCertificateChainFile="/home/idis/authorities.crt"
>>>            maxThreads="350" minSpareThreads="25" SSLEnabled="true"
>>>            enableLookups="false" disableUploadTimeout="true"
>>>            acceptCount="100" scheme="https" secure="true"
>>>            compression="force"
>>>            SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>>>
>>> I did put
>>> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
>>> as tls 1.3 ciphers for tls 1.3, so my guess is that more
>>> work is required for tls 1.3 to work in my case
>>
>> Yes, you will definitely have to mention the TLSv1.3 ciphers in
>> order to allow a TLSv1.3 handshake to succeed.
>>
>> But yes, it does indeed look like Tomcat requires some work.
>>
>> Can you please file an enhancement request in Bugzilla?
>>
>> Thanks,
>> -chris
>>
>>> ________________________________
>>> From: Christopher Schultz <ch...@christopherschultz.net>
>>> Sent: 18 September 2018 23:27
>>> To: users@tomcat.apache.org
>>> Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
>>>
>>> Усманов,
>>>
>>> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>>>> I have a java7 web application that runs on tomcat 7.0.70.
>>>> I'm using APR/tomcat-native with OpenSSL for TLS connections
>>>> (Tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6).
>>>> The latest stable OpenSSL release (1.1.1) has TLS 1.3 support; I
>>>> have upgraded to it successfully. My question is if and
>>>> when tomcat 7 will be upgraded to support TLS1.3 through
>>>> APR/tomcat-native/OpenSSL? Do such plans even exist?
>>>
>>> Try not specifying any "supported protocol" (e.g. allow all
>>> protocol flavors), and OpenSSL should allow TLSv1.3 to be
>>> negotiated.
>>>
>>>> I'm guessing it will not happen at least until both Chrome
>>>> and Firefox release their browser updates for RFC8446
>>>> support (which are both scheduled for mid October: Chrome 70
>>>> and Firefox 63) but would like to know more about it
>>>
>>> I for one would like to see TLSv1.3 supported as quickly as
>>> possible.
>>>
>>> The OpenSSL project states that 1.1.1 is a drop-in API- and
>>> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3
>>> should "just work" under certain conditions.
>>>
>>> Tomcat attempts to disable certain protocols (e.g. SSLv2,
>>> SSLv3) by default which might make things tricky when trying to
>>> accept "all protocols" as described above.
>>>
>>> Please let me know if you have any success with an
>>> out-of-the-box Tomcat 7.0.70 and APR/tcnative. I'll see what
>>> if anything is in Tomcat that might *prevent* TLSv1.3 from
>>> being available.
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
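The thread turns on whether the TLSv1.3 suites in an APR connector's SSLCipherSuite are actually usable; the config quoted above lists TLS_CHACHA20_POLY1305_SHA384, which is not a registered name (RFC 8446 defines TLS_CHACHA20_POLY1305_SHA256). The checker below is an added example, not code from the thread or from Tomcat: it splits the attribute value and separates valid TLSv1.3 suites, legacy (TLSv1.2 and older) suites, and near-miss TLSv1.3 names. `POSTED_SUITES` is the value from the quoted Connector, used as sample input.

```python
"""Check a Tomcat APR SSLCipherSuite value for TLSv1.3 suite names.
Added example, not code from the thread: OpenSSL 1.1.1 keeps TLSv1.3 suites
in a separate list from the older ciphers and knows them only by RFC 8446 name."""
import re

# The five TLSv1.3 cipher suites defined by RFC 8446 (the names OpenSSL 1.1.1 uses).
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
# Shaped like a TLSv1.3 name (TLS_<aead>_<hash>, no "_WITH_") but not in the
# set above: reported as a typo rather than as a legacy TLSv1.2 suite.
TLS13_SHAPE = re.compile(r"^TLS_(AES|CHACHA20)_\w+$")

# The SSLCipherSuite value posted in the thread, used here as sample input.
POSTED_SUITES = (
    "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,"
    "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,"
    "ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,"
    "ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,"
    "ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,"
    "ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,"
    "ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"
)

def split_suites(value):
    """Split on ',' or ':' (Tomcat accepts both); drop whitespace left by mail wrapping."""
    return [s.strip() for s in re.split(r"[,:]", value) if s.strip()]

def classify(value):
    """Bucket names into tls13 / legacy (TLSv1.2 and older) / typos, keeping order."""
    buckets = {"tls13": [], "legacy": [], "typos": []}
    for name in split_suites(value):
        if name in TLS13_SUITES:
            buckets["tls13"].append(name)
        elif TLS13_SHAPE.match(name):
            buckets["typos"].append(name)
        else:
            buckets["legacy"].append(name)
    return buckets

def tls13_ready(value):
    """True only with at least one valid TLSv1.3 suite and no near-miss names."""
    buckets = classify(value)
    return bool(buckets["tls13"]) and not buckets["typos"]
```

Calling `classify(POSTED_SUITES)` puts TLS_CHACHA20_POLY1305_SHA384 in the `typos` bucket and `tls13_ready(POSTED_SUITES)` returns False; the legacy names are not validated, only separated out.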