> -----Original Message-----
> From: Torsten Krah <krah...@gmail.com>
> Sent: Friday, 11 March 2022 09:35
> To: users@tomcat.apache.org
> Subject: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
>
> Hi,
>
> I am using Tomcat 9.0.59 and configured it like that:
>
> <SSLHostConfig protocols="TLSv1.2+TLSv1.3" honorCipherOrder="true"
>   ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256">
> ...
> </SSLHostConfig>
>
> Output is:
>
> [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
> [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
> [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k 25 Mar 2021]
>
> Using testssl I had a look at the ciphers configured and they match my expectations for TLS 1.2, but the TLS 1.3 ones are ignored - the standard ciphers activated in OpenSSL are still used according to:
>
> https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
>
> Output of testssl:
>
> Cipher order
> TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
> TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256
>
> Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits  Cipher Suite Name (IANA/RFC)
> ----------------------------------------------------------------------------------------------------
> x1302    TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256   TLS_AES_256_GCM_SHA384
> x1303    TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256   TLS_CHACHA20_POLY1305_SHA256
> xc030    ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> x9f      DHE-RSA-AES256-GCM-SHA384         DH 4096    AESGCM      256   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> x1301    TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128   TLS_AES_128_GCM_SHA256
> xc02f    ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> x9e      DHE-RSA-AES128-GCM-SHA256         DH 4096    AESGCM      128   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>
> How to configure the TLS 1.3 ciphers?
>
> kind regards
>
> Torsten
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Hello, the protocol attribute looks a bit strange. I think it should be: protocols="+TLSv1.2,+TLSv1.3">
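As an added check (example code, not from either poster and not part of Tomcat or testssl), the script below parses the testssl cipher table quoted above and compares it, per protocol version, with the `ciphers` attribute from the SSLHostConfig; the TLS 1.3 suite offered but never configured is exactly the drift the original post describes.

```python
import re

# Constructed from the post: the SSLHostConfig ciphers attribute (IANA names, as Tomcat accepts them)
CONFIGURED_CIPHERS = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
)

# Constructed from the post: the testssl table (hexcode, OpenSSL name, kex, bits, enc, bits, IANA name)
TESTSSL_TABLE = """\
x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
x9f DHE-RSA-AES256-GCM-SHA384 DH 4096 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
x9e DHE-RSA-AES128-GCM-SHA256 DH 4096 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
"""

# One testssl table row: hexcode first, IANA/RFC name last; header and dash lines do not match.
ROW = re.compile(r"^\s*x([0-9a-fA-F]{1,4})\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+(\S+)\s*$")


def parse_testssl_table(text):
    """Return [(suite_id, iana_name), ...] for every cipher row in a testssl table."""
    matches = (ROW.match(line) for line in text.splitlines())
    return [(int(m.group(1), 16), m.group(2)) for m in matches if m]


def is_tls13_suite(suite_id):
    # TLS 1.3 suites are registered in the 0x13xx range; their IANA names carry no "_WITH_".
    return suite_id >> 8 == 0x13


def compare(configured_csv, testssl_text):
    """Per protocol: suites the server offers but the config omits, and suites configured but not offered."""
    configured = [c.strip() for c in configured_csv.split(",") if c.strip()]
    offered = parse_testssl_table(testssl_text)
    report = {}
    for label, tls13 in (("TLSv1.3", True), ("TLSv1.2", False)):
        want = [c for c in configured if ("_WITH_" not in c) == tls13]
        have = [name for sid, name in offered if is_tls13_suite(sid) == tls13]
        report[label] = {"unexpected": [c for c in have if c not in want],
                         "missing": [c for c in want if c not in have]}
    return report


if __name__ == "__main__":
    print(compare(CONFIGURED_CIPHERS, TESTSSL_TABLE))
```

Run it against a fresh testssl table after each configuration change; an empty "unexpected" list for TLSv1.3 is the signal that the TLS 1.3 suite list is actually being honoured.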