Arun,

On 4/1/21 12:41, Arun Shankar wrote:
Hello,
We have a requirement to enable TLS traffic to only use TLS 1.3. We are 
currently on Tomcat version 7.0.53, which I learned does not support TLSv1.3 (I 
need to be at least on Tomcat version 7.0.92 to have TLS 1.3 support from Tomcat 
(assuming the underlying Java supports it as well)).
So I upgraded to the latest version of Tomcat 7 - Tomcat 7.0.108.
Now when I enable TLSv1.3 by setting sslEnabledProtocols="TLSv1.3" in 
server.xml of Tomcat, I get the below error:
SEVERE: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.ibm.jsse2.Z.<init>(Z.java:287)
        at com.ibm.jsse2.ac.<init>(ac.java:9)
        at com.ibm.jsse2.ba.a(ba.java:52)
        at com.ibm.jsse2.bf.beginHandshake(bf.java:84)
        at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:91)
        at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:73)
        at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:677)
        at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:844)
        at java.lang.Thread.run(Thread.java:822)

This happens when you try to make a connection, right? Or does it give you that error on startup?

What client are you using to connect?

In order to verify that your JVM is doing what you expect, try using this utility:
https://github.com/ChristopherSchultz/ssltest

Build it then run it like this:

$ java -jar ssltest.jar -client-info

You should see the list of TLS protocols supported at the top of the output. You can also use that to test your server once it's running:

$ java -jar ssltest.jar localhost:8443

(or whatever your host:port is)

If I set sslEnabledProtocols="TLSv1.2,TLSv1.3" in server.xml of
Tomcat, I do not see the error but the client browser (Chrome)
connects on TLSv1.2 and not on TLSv1.3.
Try the above utility to see what TLSv1.2,TLSv1.3 gets you in your configuration. (Run it against the running server to see the effective protocols.)

I then tried the same operations as above on Tomcat 8.5.35 and Tomcat 9.0.13 and I do not see this error.

That does suggest that (a) your JVM does indeed support TLSv1.3 and (b) your configuration is correct.

Last bit of missing information: when you use Tomcat 8.5/9.0 and don't see this error... does your client connect with TLSv1.3?

But we have a requirement to stay on Tomcat 7 because of vendor
support licensing.
:(

Can you please post your current <Connector> from your Tomcat 7.0.108 conf/server.xml file? Remember to remove any secrets which may be in there.

-chris
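Added example (not part of the thread, and not the ssltest utility Chris points to): a small Java program that checks the same two things from inside the JVM that will run Tomcat. It lists the protocols the default SSLContext supports and enables, then, given a host and port, attempts one handshake per TLS version and reports what was negotiated or why the handshake failed. The class name TlsProbe and the host/port arguments are assumptions for this example; run it with the exact JVM (here, the IBM one) that Tomcat uses, since that is what decides whether "TLSv1.3" is accepted at all.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * TlsProbe: reports which TLS protocols this JVM's default SSLContext
 * supports/enables, and (optionally) which protocol a server negotiates.
 * Example code only; class and argument names are assumptions.
 */
public class TlsProbe {

    /** Every protocol the JVM's default SSLContext could be configured to use. */
    public static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    /** Protocols enabled by default when nothing (such as sslEnabledProtocols) overrides them. */
    public static String[] defaultEnabledProtocols() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    /**
     * Opens one connection to host:port restricted to a single protocol and
     * returns the protocol the server actually negotiated.
     * IllegalArgumentException: this JVM does not know the protocol name at all.
     * IOException (incl. SSLHandshakeException): the JVM knows it, but the
     * server refused it, or the server certificate was not trusted.
     */
    public static String negotiate(String host, int port, String protocol)
            throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setEnabledProtocols(new String[] { protocol });
            socket.startHandshake();
            return socket.getSession().getProtocol();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Supported by this JVM : " + Arrays.toString(supportedProtocols()));
        System.out.println("Enabled by default    : " + Arrays.toString(defaultEnabledProtocols()));

        if (args.length != 2) {
            System.out.println("Usage: java TlsProbe <host> <port>   (e.g. localhost 8443)");
            return;
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        for (String protocol : new String[] { "TLSv1.2", "TLSv1.3" }) {
            try {
                System.out.println(protocol + " -> negotiated " + negotiate(host, port, protocol));
            } catch (IllegalArgumentException e) {
                // The JVM itself has no TLSv1.3 (or whichever) implementation.
                System.out.println(protocol + " -> not supported by this JVM: " + e.getMessage());
            } catch (IOException e) {
                // Server-side refusal or trust failure; the message tells them apart.
                System.out.println(protocol + " -> handshake failed: "
                        + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

Reading the output: if "TLSv1.3" is missing from the supported list, or the TLSv1.3 attempt ends in IllegalArgumentException, the JVM is the limiting factor and no Tomcat setting will change that. If the JVM supports it but the TLSv1.3 attempt fails while TLSv1.2 succeeds, the server's connector is what is refusing it. A handshake failure mentioning certificate or trust is a different problem (the server cert is not in the client trust store); for a self-signed test certificate, point the probe at the keystore with -Djavax.net.ssl.trustStore=... so that trust errors do not mask protocol errors.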
