Hello Torsten.

It seems to me you are listing a cipher that might be correct according to the OpenSSL documentation, but then whether that is available to your JVM may be different. Maybe you can run some small Java application on the very same JVM to simply list the supported ciphers? At least that would give you an authoritative list of ciphers you can put into the configuration file.

And on another level: could Tomcat list the supported ciphers as part of the exception text? This would not cost any performance, because we are in an error state anyway, and it would give a direct hint for all future encounters of this problem.

Hiran

-----Original Message-----
From: Torsten Krah <krah...@gmail.com>
Sent: Friday, March 11, 2022 9:51
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.59 - TLS 1.3 cipher configuration ignored (TLS 1.2 ok)

Interesting exception on startup when using TLS 1.3 only. I configured the connector like this:

<SSLHostConfig protocols="TLSv1.3" honorCipherOrder="true"
               ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256">
</SSLHostConfig>

using only TLS 1.3 and the configured ciphers, but now I get this on startup:

11-Mar-2022 09:43:42.753 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing the SSL context
java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
    at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:329)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:144)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)

The cipher names do match:
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
and
https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4

I am lost at that point, maybe someone has an idea.

Kind regards
Torsten

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Amadeus Data Processing GmbH
Managing Director: Sven Fuhrmeister
Registered office: Erding, Commercial Register Munich 212770
Berghamer Strasse 6, 85435 Erding, Germany
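The failure above can be reproduced outside Tomcat, and the list Hiran asks for can be pulled straight from the engine that rejected the configuration. The following is an added example, not code from the thread or from the Tomcat project. Python's ssl module hands a cipher string to the same OpenSSL function named in the exception, SSL_CTX_set_cipher_list. In OpenSSL 1.1.1 and later that function matches cipher-list rules only against TLS 1.2 and older suites; the TLS 1.3 suites are held in a separate list that is set through SSL_CTX_set_ciphersuites and are not reachable from a cipher-list string. A string that names only TLS 1.3 suites therefore selects zero TLS 1.2 suites, and OpenSSL answers "no cipher match", which is exactly the text Tomcat printed. The two cipher strings below are constructed for the example (the first is the list from the SSLHostConfig in the thread); how Tomcat's ciphers attribute is mapped onto the two OpenSSL calls is not something this thread settles, so the example makes no claim about that.

```python
import ssl
from typing import List, Set, Tuple

# Constructed inputs for this example. TLS13_ONLY is the list from the
# SSLHostConfig in the thread; TLS12_NAMES is written in the OpenSSL
# cipher-list syntax that SSL_CTX_set_cipher_list does understand.
TLS13_ONLY = "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256"
TLS12_NAMES = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def cipher_list_accepted(spec: str) -> bool:
    """Hand `spec` to SSL_CTX_set_cipher_list via SSLContext.set_ciphers.

    OpenSSL matches cipher-list rules only against TLS 1.2-and-older suites;
    TLS 1.3 suites live in a separate list (SSL_CTX_set_ciphersuites). A
    string that selects no TLS 1.2 suite fails with "no cipher match", which
    Python surfaces as ssl.SSLError("No cipher can be selected.").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False
    return True


def negotiable_suites(spec: str) -> List[Tuple[str, str]]:
    """(name, protocol) for every suite the context will offer after `spec`.

    This is the list the engine really holds rather than the list the caller
    typed: on a build with TLS 1.3 the TLS 1.3 suites appear here although
    `spec` never names them, because they come from the ciphersuites list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError for a TLS 1.3-only string
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def protocols_offered(spec: str) -> Set[str]:
    """Protocol versions represented among the suites selected by `spec`."""
    return {proto for _, proto in negotiable_suites(spec)}


if __name__ == "__main__":
    for label, spec in (("TLS 1.3-only list", TLS13_ONLY), ("TLS 1.2 list", TLS12_NAMES)):
        print(f"{label}: accepted by SSL_CTX_set_cipher_list = {cipher_list_accepted(spec)}")
    print(f"TLS 1.3 support in this OpenSSL build: {ssl.HAS_TLSv1_3}")
    print("Suites the context offers after applying the TLS 1.2 list:")
    for name, proto in negotiable_suites(TLS12_NAMES):
        print(f"  {proto:8} {name}")
```

Run it against the OpenSSL build your Tomcat links against (the same libssl that tomcat-native loads) to get the answer for that engine rather than for the JVM's own JSSE provider. The TLS 1.2 list is accepted and, on a 1.1.1 or newer build, the listing still shows TLS_AES_* suites in front of the ECDHE entries; the TLS 1.3-only list is rejected with the same OpenSSL error the Tomcat log reports.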