> -----Original Message-----
> From: Torsten Krah <krah...@gmail.com>
> Sent: Friday, 11 March 2022 10:30
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)
> 
> On Friday, 11.03.2022 at 09:17 +0000, Thomas Hoffmann
> (Speed4Trade GmbH) wrote:
> > The configuration which works for me is:
> >
> > <Connector port="443"
> >            protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> >            maxThreads="150" minSpareThreads="25"
> >            URIEncoding="UTF-8" useBodyEncodingForURI="false"
> >            enableLookups="false" disableUploadTimeout="true"
> >            acceptCount="100" scheme="https" secure="true"
> >            SSLEnabled="true">
> >     <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> >                    disableSessionTickets="true"
> >                    honorCipherOrder="false"
> >                    protocols="+TLSv1.2,+TLSv1.3">
> 
> 
> I am using:
> 
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> 
> and in combination with the native APR in place it does the correct thing,
> using OpenSSL - and the error shows that this is in place.
> 
> The list of protocols can be either of those - see the
> https://tomcat.apache.org/tomcat-9.0-doc/config/http.html ciphers docs:
> 
> 
> The ciphers to enable using the OpenSSL syntax. (See the OpenSSL
> documentation for the list of ciphers supported and the syntax).
> Alternatively, a comma separated list of ciphers using the standard
> OpenSSL cipher names or the standard JSSE cipher names may be used.
> 
> 
> Your example does not have any TLS 1.3 cipher listed - so you just get
> the 3 defaults (which I want / need to change) - and as seen in the
> code it won't work anyway, because it does not call:
> 
> SSL_CTX_set_ciphersuites()
> 
> to set the 1.3 suites.
> 
> kind regards
> 
> Torsten
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Hello Torsten,

That article seems to confirm your research on this topic:
https://stackoverflow.com/questions/68802712/tomcat-9-0-48not-starting-with-tlsv1-3-and-explicit-ciphers-in-server-xml-ssl

Seems to only work with the Java implementation, not with OpenSSL at the moment.
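The point Torsten makes above is that OpenSSL keeps TLS 1.2 cipher names (SSL_CTX_set_cipher_list) and TLS 1.3 ciphersuites (SSL_CTX_set_ciphersuites) as two separate settings, so a ciphers= value that only names TLS 1.2 suites leaves the TLS 1.3 defaults untouched. The script below is an added example, not code from either poster or from Tomcat: it splits a Tomcat-style cipher string into the two lists OpenSSL would need, then uses Python's own ssl module (assumed to be built against OpenSSL 1.1.1 or later) to show what a context configured with only the TLS 1.2 part actually offers. The sample cipher string is copied from the quoted server.xml; the JSSE-style name in the usage note is a constructed input.

```python
import ssl

# The ciphersuites OpenSSL accepts in SSL_CTX_set_ciphersuites(), i.e. the
# RFC 8446 names. Anything else in a cipher string is a TLS 1.2-or-older
# cipher and belongs to SSL_CTX_set_cipher_list() instead. JSSE-style TLS 1.2
# names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 also start with "TLS_",
# so membership in this fixed set, not a prefix test, decides.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Sample input: the SSLHostConfig ciphers= value from the quoted server.xml,
# which names TLS 1.2 suites only.
SAMPLE_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def split_cipher_string(ciphers):
    """Split a colon- or comma-separated cipher string (Tomcat accepts both)
    into (tls12_names, tls13_suites), mirroring OpenSSL's two settings."""
    parts = [p.strip() for p in ciphers.replace(",", ":").split(":") if p.strip()]
    tls13 = [p for p in parts if p in TLS13_SUITES]
    tls12 = [p for p in parts if p not in TLS13_SUITES]
    return tls12, tls13


def effective_suites(ciphers):
    """Hand only the TLS 1.2 part to the local OpenSSL via
    SSLContext.set_ciphers(), which maps to SSL_CTX_set_cipher_list and
    therefore never touches TLS 1.3, then report what the context would
    offer: the TLS 1.2 names OpenSSL recognised and the TLS 1.3 suites that
    are still at their defaults."""
    tls12, _ = split_cipher_string(ciphers)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if tls12:  # set_ciphers("") would raise "No cipher can be selected"
        ctx.set_ciphers(":".join(tls12))
    offered = ctx.get_ciphers()
    tls12_offered = [c["name"] for c in offered if c["protocol"] != "TLSv1.3"]
    tls13_default = [c["name"] for c in offered if c["protocol"] == "TLSv1.3"]
    return tls12_offered, tls13_default


def report(ciphers):
    """Print the split and flag the case the thread is about: no TLS 1.3
    suite requested, so the defaults stay in effect."""
    _, tls13_requested = split_cipher_string(ciphers)
    tls12_offered, tls13_default = effective_suites(ciphers)
    print("TLS 1.2 ciphers OpenSSL will offer:", tls12_offered)
    print("TLS 1.3 suites requested:", tls13_requested or "none")
    print("TLS 1.3 suites still in effect:", tls13_default)
    if not tls13_requested and tls13_default:
        print("-> ciphers= named no TLS 1.3 suite; OpenSSL keeps its TLS 1.3 defaults.")


if __name__ == "__main__":
    report(SAMPLE_CIPHERS)
```

Running it against the quoted value prints the eight TLS 1.2 names and then the TLS 1.3 suites OpenSSL enables by default, which is exactly the "3 defaults" Torsten refers to. Feeding a mixed string such as "TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" shows that only the first entry is classified as a TLS 1.3 suite; the second is a JSSE TLS 1.2 name despite its prefix. The split itself is a useful pre-flight check on any server.xml before relying on TLS 1.3 being restricted.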
