https://bz.apache.org/bugzilla/show_bug.cgi?id=62944
Bug ID: 62944 Summary: Enabling TLSv1.3 with the APR connector breaks TLSv1.0 and TLSv1.1 Product: Tomcat Native Version: 1.2.18 Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: Library Assignee: dev@tomcat.apache.org Reporter: dean.a.rash...@gmail.com Target Milestone: --- Created attachment 36275 --> https://bz.apache.org/bugzilla/attachment.cgi?id=36275&action=edit Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled I'm using Tomcat 8.5 with the APR connector and OpenSSL 1.1.1. I just upgraded to Tomcat 8.5.35 / Tomcat Native 1.2.18 and found that if TLSv1.3 is enabled (which it is by default with the default setting of protocols="all"), support for TLSv1.0 and TLSv1.1 gets disabled, breaking older clients. I can work around this by disabling TLSv1.3, for example, by setting protocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" but as soon as I add TLSv1.3, TLSv1.0 and TLSv1.1 get disabled. Looking into it, this appears to be a fairly trivial copy-and-paste error in the Tomcat Native code in sslcontext.c -- when scanning for the minimal protocol version number to pass to SSL_CTX_set_min_proto_version(), the code in the "#ifdef HAVE_TLSV1_3" block should not have a dangling "else" clause, because (unlike the preceding code to find the maximum protocol version number), this is a series of "if" tests, not an if-else-if-else chain. Attached is a patch which I've tested using SSLLabs, and confirmed that it allows all TLS versions to be enabled, and retains compatibility against older clients. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org